Working with Processes and Services Flashcards
What is the basic command for displaying all running processes?
Get-Process
What Get-Process parameter is used for filtering processes by their name?
Get-Process -Name {process_name}
Get-Process -Name "notepad"
What Get-Process parameter is used for retrieving the process with a specific process ID (PID)?
Get-Process -Id {PID}
Get-Process -Id 31132
What Get-Process parameter is used to include the user that runs the process?
Get-Process -IncludeUserName
What Get-Process parameter is used for
You have an IP address of 34.120.241.214 that you find suspicious, so you would like to determine which process communicates with that IP address. How would you do it in CMD?
C:\Windows\System32>netstat -ano | findstr 34.120.241.214
  TCP    10.43.43.1:55549    34.120.241.214:443    ESTABLISHED    9304
C:\Windows\System32>tasklist | findstr 9304
Evernote.exe    9304 Console    2    21,900 K
What is the very useful CMD command used to display a list of currently running tasks, including services and processes?
tasklist
Does tasklist require administrative privileges?
No, it does not typically require administrative privileges to run, making it accessible for general users
How to display status for the eventlog service in CMD?
C:\Windows\System32>sc query eventlog

SERVICE_NAME: eventlog
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Which command is used in PowerShell to provide a list of services?
Get-Service
How to use tasklist to display only running processes?
tasklist /FI "STATUS eq running"
How to export a table of running processes to CSV file in CMD?
tasklist /FI "STATUS eq running" /FO CSV > C:\Users\jan\Desktop\running_tasks.csv
How to display all tasks that have DLL modules loaded in them with tasklist?
tasklist /M
How to use tasklist to determine which services are running under which instances of svchost.exe and other host processes?
tasklist /svc
How to display detailed information about the listed tasks, including the session number, session name, memory usage, etc. with tasklist?
tasklist /V
What is the Window Title column in the output of the tasklist /V command?
- title of the window associated with each process, if applicable
- particularly relevant for processes that have a user interface with a visible window
- when a process has a graphical user interface (GUI) with an open window, the “Window Title” column shows the title of that window
- for example, for Microsoft Word the window title might be the name of the opened document
How to check which processes are running with elevated privileges in Windows?
Task Manager > Details > right click on a column > Select Columns > Elevated
How to filter out lines that have an "N/A" value in the Window Title in the tasklist /V command?
tasklist /V | findstr /V /C:"N/A"
* tasklist /V generates the verbose list of tasks.
* | pipes the output of tasklist to findstr.
* findstr /V is used to print only lines that do not contain the specified string.
* /C:"N/A" specifies the string to exclude, in this case, "N/A".
What is the purpose of the Session Name column in the tasklist output?
provides information about the type of session in which a process is running
If the value of the Session Name column is Services for a process, what does it mean?
- process is running in Session 0, which is reserved for system services and other non-interactive processes
- typically system-level processes, background services, and drivers that do not interact directly with the user interface
If the value of the Session Name column is Console for a process, what does it mean?
interactive user session - indicates that the process is part of a user session, where it can interact with the user interface and the logged-in user can interact with the process
How to display all running processes with their process name, process ID, the user running the process, when the process started, and the path of the executable file, sorted by start time?
Get-Process -IncludeUserName | Select-Object Name, ID, UserName, StartTime, Path | Sort-Object StartTime