Hard Disks and File Systems Process Monitor Lab

This is the Process Monitor lab. Process Monitor is an excellent program for observing running processes and determining what the system sees them doing. You'll learn how to examine a process's registry activity and the details recorded for each operation to see what a process is actually doing. You'll also learn what a process is referencing and how to cross-reference that with other data for a given process in real time.

[toggle_content title="Transcript"]

Hey, Leo Dregier here. I want to talk to you about Process Monitor. This is 100 percent a tool that I couldn't live without, in, uh, my sheep dip computer machines, right? All my testing, uh, machines that I use. It's a great program, comes from Sysinternals. Um, just to kind of give you a highlight – it's got times, it's got the process names, the process ID with the processor, what it's actually doing, like Registry queries, a lot of Registry stuff you'll see, the path in the Registry, the result of that path, um, and some details like, you know, queries or desired access, you know, reads and writes and things like that. Um, so that's kind of like the overview of the columns.

Let's look at a specific – the properties of something specific like Explorer.exe. Now, you can cross-reference this information with Task Manager, so I want to kind of cross-reference a few things. In Processes, or actually Performance, you can see, um, threads, handles, processes, up-times, and this is all of, like, the high-level overview processor permission that we don't normally get to look at in detail. What are the actual processes? What are the actual threads, and what are the actual handles? Well, in Process Monitor, you can go to the Stack, and you can actually see those. You can see what handles and what files are being referenced; what they actually do in the location, and then the memory addresses that they correspond to, um, and, of course, you know, the full path of the file if you mostly wanted to know where this sits.

You probably find here with the top three rows. Um, so nonetheless you get the cross-reference, um, the handles, threads, and process, and actually get to dig down and see this: 99.9999 percent of the time, this is system admin. If you're ever doing anything performance related, you care about this right here and starting and stopping things. Well, in the forensics world, you need to flip that coin and you need to look over here, and you need to see what things are doing and how things are behaving forensically. These are the fingerprints that are changing on your system, um, when your system is actually processing, okay? So I think it's cool that you can actually see that and compare those two values right here, both in the network point of view, or, I'm sorry, system admin point of view versus the forensic point of view. I mean here you are looking at two screens of two different worlds, so if you're trying to make that transition between, hey, I'm a system admin, and I understand things from a system admin point of view – well, what is the forensics person, what's their point of view? Well, that's the cross-referencing. These are the two sides of the conversation that now meet.

So I hope you enjoyed the lab. Um, if you like these videos, share them, connect – remember there's real people behind here, not just computers and videos. So connect with other people, share, tweet, and give it your best.

[/toggle_content]
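A small parser for the columns the transcript walks through (time, process name, PID, operation, path, result, detail), written as an added example for this lab; it is not part of the lab materials or of Sysinternals' own tooling. It assumes Process Monitor's default CSV export headers (File > Save as CSV) and runs over a constructed sample capture embedded in the code. The grouping of operations into registry, file, network and process classes is a heuristic of this example, and the "fingerprints" it lists are the operations that change state (registry and file writes), which is what a forensic review of a capture usually starts from.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a Process Monitor CSV export. The column names are
# Procmon's default export headers; the rows themselves are made up for this
# example and describe no real system.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","Explorer.EXE","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:02:11.1234890 AM","Explorer.EXE","1234","RegOpenKey","HKCU\Software\Classes\CLSID","SUCCESS","Desired Access: Read"
"10:02:11.1235000 AM","Explorer.EXE","1234","CreateFile","C:\Windows\explorer.exe","SUCCESS","Desired Access: Read Attributes"
"10:02:12.0000000 AM","sample.exe","4321","RegSetValue","HKCU\Software\SampleApp\LastRun","SUCCESS","Type: REG_SZ, Length: 40, Data: 2024-01-01"
"10:02:12.0000100 AM","sample.exe","4321","WriteFile","C:\Users\lab\AppData\Local\Temp\out.tmp","SUCCESS","Offset: 0, Length: 512"
"10:02:12.0000200 AM","sample.exe","4321","RegOpenKey","HKLM\SOFTWARE\Nonexistent","NAME NOT FOUND","Desired Access: Read"
""".strip()

# Operations that change system state (heuristic list for this example).
WRITE_OPS = {
    "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
    "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
}
PROCESS_OPS = {
    "Process Create", "Process Start", "Process Exit",
    "Thread Create", "Thread Exit", "Load Image",
}


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(operation):
    """Map an Operation value onto Procmon's event classes (heuristic)."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation in PROCESS_OPS:
        return "process"
    return "file"


def summarize(rows):
    """Per (process name, PID): event counts by class, state-changing
    operations, and operations whose Result was not SUCCESS."""
    summary = defaultdict(lambda: {"by_class": Counter(), "writes": [], "failures": []})
    for row in rows:
        entry = summary[(row["Process Name"], row["PID"])]
        entry["by_class"][classify(row["Operation"])] += 1
        if row["Operation"] in WRITE_OPS:
            entry["writes"].append((row["Operation"], row["Path"]))
        if row["Result"] != "SUCCESS":
            entry["failures"].append((row["Operation"], row["Path"], row["Result"]))
    return dict(summary)


def fingerprints(rows):
    """The 'fingerprints' from the transcript: every operation in the capture
    that modified the registry or file system, in capture order."""
    return [
        (row["Process Name"], row["Operation"], row["Path"])
        for row in rows
        if row["Operation"] in WRITE_OPS
    ]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for (name, pid), entry in summarize(rows).items():
        print(f"{name} (PID {pid}): {dict(entry['by_class'])}")
        for op, path in entry["writes"]:
            print(f"  changed: {op} {path}")
        for op, path, result in entry["failures"]:
            print(f"  failed:  {op} {path} -> {result}")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the per-process counts line up with the Task Manager view the transcript cross-references, while the writes list gives the forensic view of what actually changed.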
