Saturday, 18 April 2020

PE

(ProcExp: Process Explorer)

{ Viewing Parent and Child Processes }

0. Background Information
  1. http://technet.microsoft.com/en-us/sysinternals/bb896653
    • The Process Explorer display consists of two sub-windows.

    • The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.

    • Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

    • The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. 

1. Prerequisite
  1. Log in to your Instructor VM as username Administrator.
    • For those of you that are not part of this class, this is a Windows XP machine.
  2. From your Instructor VM, open your Windows Explorer web browser.
    • Paste the link below into your web browser.
    • http://download.sysinternals.com/Files/ProcessExplorer.zip
  3. Click Save
  4. Save to C:\tools\ProcExp
  5. Select Open Folder
  6. Right Click on ProcessExplorer, Extract All
  7. Click Next
  8. Click Next
  9. Click Finished

2. Running ProcessExplorer
  1. Navigate to C:\tools\ProcExp\ProcessExplorer
    • Double Click on procexp.exe
  2. Click Run
  3. Click Agree
  4. Next you will see a screen that looks very similar to the below.
  5. Notice the Parent / Child Process Tree Structure
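The parent / child tree that Process Explorer draws is reconstructed from nothing more than each process's PID and parent PID. The following Python script is an added example (not part of the original lab or of Process Explorer) that rebuilds such a tree from a constructed, not captured, Windows XP-style snapshot and then checks the core system processes against the parent each one is expected to have on XP (lsass.exe and services.exe under winlogon.exe; on Vista and later they sit under wininit.exe instead). The snapshot deliberately contains one orphaned process and one lsass.exe with the wrong parent so both cases are exercised.

```python
from collections import defaultdict

# Constructed snapshot (not a real capture): (pid, ppid, name) as Process
# Explorer would list them on a Windows XP host.
SNAPSHOT = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (584, 368, "csrss.exe"),
    (608, 368, "winlogon.exe"),
    (652, 608, "services.exe"),
    (664, 608, "lsass.exe"),
    (840, 652, "svchost.exe"),
    (1540, 1520, "explorer.exe"),  # parent 1520 has already exited -> orphan
    (2000, 1540, "lsass.exe"),     # constructed oddity: lsass.exe under explorer.exe
]

# Expected parent of core system processes on Windows XP (assumption for this
# example; on Vista and later services.exe and lsass.exe belong to wininit.exe).
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}


def build_tree(snapshot):
    """Return (by_pid, children, roots).

    children maps a pid to its child pids. A process whose parent is not in
    the snapshot (the parent exited) becomes a root, which is how Process
    Explorer shows it: at the top level of the tree."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    children = defaultdict(list)
    roots = []
    for pid, ppid, name in snapshot:
        if ppid in by_pid and ppid != pid:
            children[ppid].append(pid)
        else:
            roots.append(pid)
    return by_pid, children, roots


def render_tree(snapshot):
    """Indented text lines in the style of the Process Explorer tree view."""
    by_pid, children, roots = build_tree(snapshot)
    lines = []

    def walk(pid, depth):
        _ppid, name = by_pid[pid]
        lines.append("  " * depth + f"{name} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def check_expected_parents(snapshot, expected=EXPECTED_PARENT):
    """Return (pid, name, actual_parent_name) for every process whose parent
    differs from the expected one; an exited parent is reported as <exited>."""
    by_pid, _children, _roots = build_tree(snapshot)
    findings = []
    for pid, ppid, name in snapshot:
        want = expected.get(name.lower())
        if want is None:
            continue
        actual = by_pid[ppid][1] if ppid in by_pid else "<exited>"
        if actual.lower() != want.lower():
            findings.append((pid, name, actual))
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(SNAPSHOT)))
    for pid, name, parent in check_expected_parents(SNAPSHOT):
        print(f"unexpected parent: {name} (PID {pid}) under {parent}")
```

Running it prints the same shape you see in the Process Explorer window (System, then smss.exe, csrss.exe and winlogon.exe beneath it, and the orphaned explorer.exe at the top level) and reports the lsass.exe instance whose parent is explorer.exe, which is exactly the kind of anomaly the tree view is meant to make visible.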

3. Viewing Process Properties
  1. Scroll Down to lsass.exe
    • Right click on lsass.exe
    • Click on Properties
  2. As you can see, lsass.exe is responsible for Net Logon.
    • From the Services tab, you have the ability to:
      • Stop, Restart, and Pause the service
      • See who has Full Control, Read, and Write permission.
    • Click the Permissions button.
  3. For each user:
    • Make sure only the Administrator user has Full Control, Read, and Write permission.
    • All other users should only have Read access, and perhaps Special Permissions.
    • Goal: we are verifying that only administrator users have Full Control.
5. Creating a dump
  1. Highlight lsass.exe
    • Right Click on lsass.exe --> Create Dump --> Create Full Dump
  2. Navigate to C:\tools\ProcExp\ProcessExplorer (See Below)
    • Save the file as lsass-YYYYMMDD.dmp, where YYYYMMDD is the date.
  3. Using Windows Explorer, Navigate to C:\tools\ProcExp\ProcessExplorer
    • Proof of Lab: highlight lsass-YYYYMMDD.dmp, take a screen print, paste it into a Word document, and upload it to Moodle.
  4. Special note (not required for this lab) on dumping all process memory:
    • You would highlight System --> Create Dump --> Create Full Dump
    • From a forensics point of view, you would want to capture everything.
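Once the .dmp file is on disk, a forensic workflow should confirm that it really is the full dump it claims to be and record its hash before it goes anywhere else. The following Python script is an added example, not part of the original lab or of Process Explorer; it assumes that Create Full Dump writes a standard Windows minidump (the MDMP file format) with the MiniDumpWithFullMemory flag set, reads only the fixed header and the stream directory, and reports the flags, the streams present and the SHA-256 of the file. The sample file it checks is constructed inline (zero-filled stream bodies, a timestamp of 18 April 2020), so nothing here touches a real lsass dump.

```python
import hashlib
import struct

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793          # low 16 bits of the header Version field
MINIDUMP_WITH_FULL_MEMORY = 0x2    # MINIDUMP_TYPE flag written by a full dump
MINIDUMP_WITH_HANDLE_DATA = 0x4

# Stream types we name; anything else is reported by number.
STREAM_NAMES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
    15: "MiscInfoStream",
}

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (little-endian, 32 bytes in total).
HEADER_FMT = "<4sIIIIIQ"
# MINIDUMP_DIRECTORY entry: StreamType, DataSize, Rva (12 bytes).
DIR_FMT = "<III"


def parse_minidump(data):
    """Validate the minidump header and directory of `data` (bytes) and
    return a summary dict; raise ValueError for a file that is not a
    well-formed, complete minidump."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short to be a minidump")
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("bad signature %r (not a minidump)" % sig)
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError("unexpected minidump version 0x%x" % (version & 0xFFFF))
    streams = []
    for i in range(nstreams):
        off = dir_rva + i * struct.calcsize(DIR_FMT)
        if off + struct.calcsize(DIR_FMT) > len(data):
            raise ValueError("stream directory runs past end of file")
        stype, size, rva = struct.unpack_from(DIR_FMT, data, off)
        # A stream that points past the end means the file was truncated,
        # which is the first thing to rule out before analysing a dump.
        if rva + size > len(data):
            raise ValueError("stream %d points past end of file (truncated?)" % stype)
        streams.append((STREAM_NAMES.get(stype, "Stream%d" % stype), size, rva))
    return {
        "timestamp": timestamp,
        "flags": flags,
        "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
        "streams": streams,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_dump():
    """Constructed 144-byte minidump: a valid header, three directory
    entries and zero-filled stream bodies. Not a real process dump."""
    entries = [(7, 56, 68), (3, 4, 124), (9, 16, 128)]   # type, size, rva
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION,
                         len(entries), 32, 0,
                         1587168000,   # 2020-04-18 00:00:00 UTC, constructed
                         MINIDUMP_WITH_FULL_MEMORY | MINIDUMP_WITH_HANDLE_DATA)
    directory = b"".join(struct.pack(DIR_FMT, *e) for e in entries)
    body = bytes(144 - len(header) - len(directory))
    return header + directory + body


if __name__ == "__main__":
    info = parse_minidump(build_sample_dump())
    print("full memory dump:", info["full_memory"])
    for name, size, rva in info["streams"]:
        print(f"  {name:20s} {size:6d} bytes at offset {rva}")
    print("sha256:", info["sha256"])
```

To check a real lsass-YYYYMMDD.dmp, read the file into bytes and pass it to parse_minidump; a False in full_memory means the dump was created with Create Minidump rather than Create Full Dump, and a ValueError means the file is not worth loading into a debugger at all.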
Proof of Lab
  1. Cut and paste a screenshot that looks similar to Step #3 in Section 5 into a Word document and upload it to Moodle.
