Posted

Hi,

 

In regard to this blog:

 

http://blogs.technet.com/b/thenetworker/archive/2007/12/09/of-file-access-from-the-command-prompt-and-trace-analysis.aspx

 

Did some simultaneous Wireshark and Sysinternals Process Monitor logging and now have an issue with identifying an image path or file/process name associated with the SMB process ID [ Process ID: 65279 ].

 

Process ID: [ 65279 ] value from the SMB packet header.

 

Sysinternals Process Monitor does not reveal any activity related to that PID. Nor does the Windows Task Manager.

 

But the Wireshark log does show requests being sent on behalf of PID 65279.

 

Reading this KB article [ http://support.microsoft.com/kb/935741/en-us ], I see the PID might be related to a kernel level process.

 

Also, have been unable to find any relevant information here either

 

[ http://msdn.microsoft.com/en-us/library/ee442092%28PROT.10%29.aspx ]

 

So, my question boils down to this: how can I identify an exe file and its location, if any, associated with the PID in question?

 

Thanks.

Posted

Hi,

 

The most probable thing is that PID 65279 is created as a child of another process; if so, ProcessMonitor cannot identify it. There's a parent object (physical exe) which creates a new child object (but this time "temporary"). This is just my thought, I could be wrong.

--------------------------------------------------------

You can also write in French.

You can also write in German.

You can also write in Italian.

--------------------------------------------------------

Posted

Hi,

 

The most probable thing is that PID 65279 is created as a child of another process; if so, ProcessMonitor cannot identify it. There's a parent object (physical exe) which creates a new child object (but this time "temporary"). This is just my thought, I could be wrong.

 

Thanks for the interest.

 

Actually, the procmon log retains the whole process tree throughout the trace.

 

Anyway, any further insight on the image path identification itself?
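
Added example, not part of the thread and not written by any poster: a sketch of the correlation the question describes, reading the client-supplied PID (PIDHigh and PIDLow) out of a raw SMB1 header and looking it up in a Process Monitor CSV export. The header bytes and CSV rows are constructed sample data, and the export is assumed to include the PID and Image Path columns.

```python
import csv
import io
import struct

# SMB1 header, 32 bytes little-endian: Protocol(4) Command(1) Status(4)
# Flags(1) Flags2(2) PIDHigh(2) SecurityFeatures(8) Reserved(2) TID(2)
# PIDLow(2) UID(2) MID(2)
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

def smb1_pid(header):
    """Return the PID the client put in the header (PIDHigh << 16 | PIDLow)."""
    if len(header) < SMB1_HEADER.size:
        raise ValueError("truncated SMB header")
    fields = SMB1_HEADER.unpack_from(header)
    if fields[0] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    pid_high, pid_low = fields[5], fields[9]
    return (pid_high << 16) | pid_low

def load_procmon(csv_text):
    """Map PID -> image path from a Process Monitor CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {int(r["PID"]): r["Image Path"] for r in rows}

def correlate(header, csv_text):
    """Return (pid, pid in hex, image path or None if no process matched)."""
    pid = smb1_pid(header)
    return pid, f"0x{pid:04X}", load_procmon(csv_text).get(pid)

def make_header(pid_low, pid_high=0):
    """Build a constructed SMB1 header; every value except the PID is arbitrary."""
    return SMB1_HEADER.pack(b"\xffSMB", 0xA2, 0, 0x18, 0xC807, pid_high,
                            bytes(8), 0, 0x0800, pid_low, 0x0800, 0x0040)

# Constructed sample data, not taken from the poster's trace.
SAMPLE_HEADER = make_header(0xFEFF)
SAMPLE_PROCMON = (
    '"Process Name","PID","Image Path"\n'
    '"cmd.exe","3120","C:\\Windows\\System32\\cmd.exe"\n'
    '"explorer.exe","1844","C:\\Windows\\explorer.exe"\n'
)

if __name__ == "__main__":
    # PID 65279 is 0xFEFF; no row in the sample export carries that PID.
    print(correlate(SAMPLE_HEADER, SAMPLE_PROCMON))
    print(correlate(make_header(3120), SAMPLE_PROCMON))
```

The PID in the SMB header is a value the client writes into the packet, so a lookup that returns no image path means no process with that number appeared in the export during the trace.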
