win209


  1. Thanks for the interest. Actually, the procmon log retains the whole process tree throughout the trace. Anyway, any further insight on the image path identification itself?
  2. Hi, in regard to this blog: http://blogs.technet.com/b/thenetworker/archive/2007/12/09/of-file-access-from-the-command-prompt-and-trace-analysis.aspx Did some simultaneous Wireshark and Sysinternals Process Monitor logging and now have an issue with identifying an image path or file/process name associated with the SMB process ID [ Process ID: 65279 ]. Process ID: [ 65279 ] value from the SMB packet header. Sysinternals Process Monitor does not reveal any activity related to that PID. Nor does the Windows Task Manager. But the Wireshark log does show request being sent on behalf of the PID 65279. Reading this KB article [ http://support.microsoft.com/kb/935741/en-us ], I see the PID might be related to a kernel level process. Also, have been unable to find any relevant information here either [ http://msdn.microsoft.com/en-us/library/ee442092%28PROT.10%29.aspx ]. So, my question boils down to this: how can I identify an exe file and its location, if any, associated with the PID in question? Thanks.