Listing all PIDs under winXP?
TetraNitroCubane (Not Angry...Just VERY Disappointed...) Registered User, regular
Hello again H/A - I've yet another odd computer question for you all, if it can be tolerated.
This morning my computer seemed to be chugging along through startup more than usual (running XP). I became a bit curious, so I popped open Process Manager (the one from Sysinternals, not the task manager), and took a look. Nothing in there was out of the ordinary from what I could tell, but my net connection was behaving oddly too. Long story short, I ran netstat in a command window, and found an open connection I wasn't aware of. It said something to the effect of "project.tetratech.com:8888 FIN_WAIT 2828" - I'm not sure about the port at this point, but that's the actual address it came up with. Also, the PID that was listed at the end was nowhere in either the task manager or the Process Manager. I ran F-Secure BlackLight and RootkitRevealer, and both came up with no odd results whatsoever. Nevertheless I'm very concerned that a process I can't find or identify has a connection open to a server I don't recognize.
So, the point: Is there any way for me to get a full list of all PID numbers assigned on my machine at any given time? Process Manager and task manager seem to have missed this one. Thanks.
pslist (also by Sysinternals) will let you run a query by PID. Why don't you give that a try? Give it the PID that you see in netstat and see what pslist tells you?
I'm going to play Microsoft Shill here and suggest trying PowerShell.
Install it, run it, and run this cmdlet: Get-Process
It will spit out a list of all running processes, their handles, their memory use, their CPU time, PID, and name.
[edit] Also, I wasn't aware netstat would give you a PID. I know the -b switch will tell you what application is responsible for the traffic though.
SysInternals makes another tool called TcpView, which will map up the port, PID, and process name.
Fristle
TetraNitroCubane (Not Angry...Just VERY Disappointed...) Registered User, regular
edited May 2007
Thanks, everyone. These applications are a tremendous help, and likely are programs that I need to have around anyway!
I've not been able to observe that open connection again, or the process associated with it, but I'm keeping an eye out. Is it safe to assume that a PID I can't identify is likely to be something malicious / hidden?
As far as I know, yes, there is no time when you should not be able to account for all Process IDs. If you have a PID but can't find a process name it corresponds to, that could be rootkit behavior. A rootkit might hook the kernel API NtQuerySystemInformation with a rudimentary technique known as SSDT hooking, and maybe this would allow you to see a PID but never be able to pull up the process in a process list. Try a detector tool from antirootkit.com.
I wrote some (Windows-specific) C++ code to take a PID and return a process name:
// Get Name by PID.cpp : Defines the entry point for the console application.
//
// Built as a Unicode console app: OpenProcess + GetProcessImageFileName resolve a
// PID to the NT device path of its executable image (e.g. \Device\HarddiskVolume1\...).
#include <windows.h>
#include <psapi.h>
#include <string>
#include <iostream>
#include <cwchar>
#pragma comment (lib, "psapi.lib") // link with Microsoft Process API lib
using namespace std;

bool GetProcessNameById(DWORD PID, wstring& name, DWORD& lastError);

int wmain(int argc, wchar_t* argv[])
{
    if (argc < 2)
    {
        wcout << L"Usage: \"Get Name by PID.exe\" [Process ID]" << endl;
        return 1;
    }
    // wcstoul instead of _wtoi: a non-numeric argument must not silently become PID 0
    wchar_t* end = NULL;
    unsigned long pid = wcstoul(argv[1], &end, 10);
    if (end == argv[1] || *end != L'\0')
    {
        wcout << L"Invalid process ID: " << argv[1] << endl;
        return 1;
    }
    wstring processName;
    DWORD err = 0;
    if (GetProcessNameById(static_cast<DWORD>(pid), processName, err))
        wcout << L"Process with PID: " << pid << L" has the name: " << processName << endl;
    else if (err == ERROR_ACCESS_DENIED)
        // The PID exists but we lack rights to query it (e.g. a SYSTEM process from a
        // non-admin prompt) - that is not the same thing as "no such process".
        wcout << L"A process with that PID exists but could not be opened (access denied)." << endl;
    else
        wcout << L"Could not find a process with that PID (error " << err << L")." << endl;
    return 0;
}

bool GetProcessNameById(DWORD PID, wstring& name, DWORD& lastError)
{
    // PROCESS_QUERY_INFORMATION is what XP supports; PROCESS_QUERY_LIMITED_INFORMATION
    // (Vista and later) opens more processes from a non-elevated prompt.
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);
    if (!hProc)
    {
        lastError = GetLastError();
        return false;
    }
    wchar_t pName[MAX_PATH];
    // Returns the number of characters copied, or 0 on failure - check it
    DWORD len = GetProcessImageFileNameW(hProc, pName, MAX_PATH);
    lastError = len ? 0 : GetLastError();
    CloseHandle(hProc);
    if (len == 0)
        return false;
    name.assign(pName, len);
    return true;
}
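Added example, not code from the thread or any of its posters: the replies above suggest netstat (-o/-b), TcpView, pslist and Get-Process as separate tools, and the rootkit reply suggests a PID you cannot account for is the thing to chase. This PowerShell script does that cross-check in one place: it parses "netstat -ano" (the -o column is the owning PID), collects the PID list from two different process viewers (Get-Process and tasklist), and reports every endpoint whose owner is missing from either view. It assumes English-language netstat and tasklist output, and an elevated prompt if you want to see every process. The sample netstat lines and PID lists at the bottom are constructed so the functions can be exercised offline.

```powershell
# Added example (not from the thread): cross-check the PIDs that own network
# endpoints, as printed by "netstat -ano", against two process-list views
# (Get-Process and tasklist). The symptom described in the thread, a PID in
# netstat that no process viewer shows, comes out as rows with a MissingFrom value.
# Assumes English netstat/tasklist output; run elevated for a complete process view.

function ConvertFrom-NetstatOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP rows:  TCP  10.0.0.5:1122  10.0.0.9:8888  FIN_WAIT_2  2828
        # UDP rows carry no state column:  UDP  0.0.0.0:123  *:*  1080
        if ($line -match '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?:(?<state>[A-Z_0-9]+)\s+)?(?<pid>\d+)\s*$') {
            $state = if ($Matches['state']) { $Matches['state'] } else { '' }
            [pscustomobject]@{
                Proto  = $Matches['proto']
                Local  = $Matches['local']
                Remote = $Matches['remote']
                State  = $state
                PID    = [int]$Matches['pid']
            }
        }
    }
}

function Get-ProcessIdViews {
    # Two separate enumerations of live PIDs. Neither is a rootkit detector;
    # the second one just gives an independent opinion on what the first shows.
    $views = @{}
    $views['Get-Process'] = @(Get-Process | ForEach-Object { [int]$_.Id })
    # tasklist /fo csv /nh columns: "Image Name","PID","Session Name","Session#","Mem Usage"
    $views['tasklist'] = @(tasklist /fo csv /nh |
        ConvertFrom-Csv -Header 'Image', 'PID', 'Session', 'SessionNum', 'Mem' |
        ForEach-Object { [int]$_.PID })
    return $views
}

function Find-UnaccountedEndpoints {
    param(
        [string[]]$NetstatLines = (netstat -ano),
        [hashtable]$Views = (Get-ProcessIdViews)
    )
    foreach ($ep in (ConvertFrom-NetstatOutput -Lines $NetstatLines)) {
        # PID 0 is the System Idle Process, and also what netstat prints for
        # TIME_WAIT leftovers whose owner is already gone; nothing to look up there.
        if ($ep.PID -eq 0) { continue }
        $missing = @($Views.Keys | Where-Object { $Views[$_] -notcontains $ep.PID })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                PID         = $ep.PID
                Endpoint    = ("$($ep.Proto) $($ep.Local) -> $($ep.Remote) $($ep.State)").Trim()
                MissingFrom = ($missing -join ', ')
            }
        }
    }
}

# Constructed sample so the functions can be exercised offline: PID 2828 owns a
# half-closed connection but appears in neither process view; 900 and 1080 are fine.
$sampleNetstat = @(
    '  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING       900',
    '  TCP    10.0.0.5:1122      10.0.0.9:8888      FIN_WAIT_2      2828',
    '  TCP    10.0.0.5:1130      10.0.0.9:80        TIME_WAIT       0',
    '  UDP    0.0.0.0:123        *:*                                1080'
)
$sampleViews = @{ 'Get-Process' = @(4, 900, 1080); 'tasklist' = @(4, 900, 1080) }
Find-UnaccountedEndpoints -NetstatLines $sampleNetstat -Views $sampleViews | Format-Table -AutoSize

# Live run against the current machine:
# Find-UnaccountedEndpoints | Format-Table -AutoSize
```

Two caveats when reading the output. The netstat snapshot and the process snapshots are taken moments apart, so a process that exits between them shows up as "missing" once; repeat the check a few times before treating a PID as hidden. And a PID that keeps owning a live endpoint while absent from every user-mode viewer is exactly the case where the user-mode tools have run out of authority, which is when the kernel-level scanners mentioned in the thread (BlackLight, RootkitRevealer) are the right next step rather than more netstat.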