Background: The user logged off (I know, I know) of the system (WinXP) and
the first responder logged back in under a different user and took the
memory dump.
When running pslist against the memory dump there are 2,423 entries. I'm
seeing a lot of entries where the process starts and exits - sometimes in a
row:
0x89b3f868 userinit.exe 3808 548 0 -------- 0 0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0 0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0 0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0 0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000
and sometimes more spread out:
0x89c1da98 java.exe 4536 1368 0 -------- 0 0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0 0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0 0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0 0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0 0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000
Example of top processes by overall count of occurrence:
$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]
I've never come across this before, so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump, and therefore there were a lot of
still-loading processes observed?
--
Glenn Edwards
@hiddenillusion
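As an added example (not from the post above or from the Volatility project), the analysis the post is circling: a Python parser for the Volatility 2 pslist text shown above, including rows that mail wrapping split across two lines, which counts entries per image name like the awk one-liner, adds each entry's lifetime from its Start and Exit columns, and checks which cscript.exe entries really were children of a java.exe instance while it was alive (a bare PPID match misleads once PIDs are reused over days of churn). The sample rows are constructed, and the "UTC+0000" timestamp format of the post is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the two-line wrapped form seen in the post (not a real dump).
SAMPLE = """\
0x89c1da98 java.exe 4536 1368 0 -------- 0 0
2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0 0
2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89b3f868 userinit.exe 3808 548 0 -------- 0 0
2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000"   # assumed pslist timestamp format
# Columns: Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit]; Exit is blank if still running.
ROW = re.compile(r"(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
                 + TS + r"(?:\s+" + TS + r")?")

def parse_pslist(text):
    """Parse Volatility 2 pslist text; rows wrapped onto two lines are rejoined first."""
    flat = " ".join(line.strip() for line in text.splitlines())
    procs = []
    for m in ROW.finditer(flat):
        start = datetime.strptime(m.group(5), "%Y-%m-%d %H:%M:%S")
        end = datetime.strptime(m.group(6), "%Y-%m-%d %H:%M:%S") if m.group(6) else None
        procs.append({"name": m.group(2), "pid": int(m.group(3)), "ppid": int(m.group(4)),
                      "start": start, "exit": end,
                      "lifetime": (end - start).total_seconds() if end else None})
    return procs

def summarize(procs):
    """Per image name: (entry count, shortest, longest lifetime in seconds of exited ones)."""
    counts, lives = defaultdict(int), defaultdict(list)
    for p in procs:
        counts[p["name"]] += 1
        if p["lifetime"] is not None:      # still-running rows have no exit time
            lives[p["name"]].append(p["lifetime"])
    return {n: (counts[n], min(lives[n], default=None), max(lives[n], default=None))
            for n in counts}

def children_of(procs, parent_name):
    """(parent pid, child name, child pid) for children of parent_name; a PPID match
    counts only if the child started while that particular parent instance was alive."""
    pairs = []
    for par in (p for p in procs if p["name"] == parent_name):
        for c in procs:
            # a parent with no exit time is treated as alive at the child's start
            alive = par["start"] <= c["start"] <= (par["exit"] or c["start"])
            if c["ppid"] == par["pid"] and alive:
                pairs.append((par["pid"], c["name"], c["pid"]))
    return pairs
```

Run it over the full pslist.txt and sort the summary by count to get the post's table with lifetimes beside it; a name that is always short-lived and always spawned by the same parent stands out differently from one whose instances overlap.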