Michael;

 Your initial reaction was correct; it's a phantom. A look at the output from timeliner shows that msdtc.exe started well after explorer.exe. The matching PID was just a weird accident:

...
2014-02-17 11:38:17 UTC+0000        [PROCESS]        dwm.exe        5360        1080
2014-02-17 11:38:18 UTC+0000        [PROCESS]        explorer.exe        5400        5332
2014-02-17 11:38:20 UTC+0000        [PROCESS]        iPlatformHost.        5552        2360
...

2014-02-17 11:39:06 UTC+0000        [PROCESS]        dllhost.exe        4992        692
2014-02-17 11:39:08 UTC+0000        [PROCESS]        msdtc.exe        5332        692
2014-02-17 11:39:13 UTC+0000        [PROCESS]        BTHSAmpPalServ        6276        692
2014-02-17 11:39:17 UTC+0000        [PROCESS]        BTHSSecurityMg        6488        692

 So the moral becomes (as it always is...) beware shiny objects...

 Thank You!


                        -=[ Steve ]=-
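
An added example (my own code, not part of the thread or of Volatility) that mechanises the check Steve did by hand above: parse timeliner's [PROCESS] lines and flag any child whose listed parent was created after the child itself, which is only possible if the PID was recycled. The services.exe line and its timestamp are constructed so the sample has one genuine parent for comparison; the other lines are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Sample timeliner output. The services.exe line is constructed (assumed
# timestamp); the remaining lines are the ones quoted in the thread.
TIMELINER = """\
2014-02-17 11:36:02 UTC+0000        [PROCESS]        services.exe        692        632
2014-02-17 11:38:17 UTC+0000        [PROCESS]        dwm.exe        5360        1080
2014-02-17 11:38:18 UTC+0000        [PROCESS]        explorer.exe        5400        5332
2014-02-17 11:39:06 UTC+0000        [PROCESS]        dllhost.exe        4992        692
2014-02-17 11:39:08 UTC+0000        [PROCESS]        msdtc.exe        5332        692
"""

# One timeliner [PROCESS] row: timestamp, name, pid, ppid (whitespace-separated).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\s+\[PROCESS\]\s+"
    r"(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s*$"
)


def parse_timeliner(text):
    """Return one dict per [PROCESS] line: name, pid, ppid, created (datetime)."""
    procs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # rows from other timeliner sources are ignored
        procs.append({
            "name": m["name"],
            "pid": int(m["pid"]),
            "ppid": int(m["ppid"]),
            "created": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        })
    return procs


def phantom_parents(procs):
    """Return (child_name, parent_name) pairs whose PPID points at a process
    created *after* the child. A real parent must exist before its child, so
    such a link means the PID was recycled and the true parent has exited."""
    by_pid = {p["pid"]: p for p in procs}
    found = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is not None and parent["created"] > child["created"]:
            found.append((child["name"], parent["name"]))
    return found


if __name__ == "__main__":
    for child, parent in phantom_parents(parse_timeliner(TIMELINER)):
        print(f"{child}: PPID {parent} was created later, link is a phantom")
```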



From:        Michael Ligh <michael.ligh@mnin.org>
To:        shorejsi2@mmm.com
Cc:        vol-users@volatilityfoundation.org
Date:        03/01/2014 09:49 AM
Subject:        Re: [Vol-users] Chasing evil or my tail?




Looks pretty strange to me. Is that the only explorer.exe running or is there another one? Even if its parent is or isn't present, it shouldn't be a grandchild of services.exe--that is also odd. Based on the way pstree works, there's a small chance userinit.exe could have been pid 5332 and then the pids cycled around until msdtc.exe eventually got pid 5332 also. That would produce an effect like you're seeing, but the chance of userinit.exe getting pid 5332 when it starts so early in the boot sequence is rather low.

--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
http://mnin.org/gpg.pubkey.txt
Blog:
http://volatility-labs.blogspot.com
Training:
http://memoryanalysis.net

On Feb 28, 2014, at 9:33 AM, shorejsi2@mmm.com wrote:

> Working on a system that has been beaconing out to bad places and noticed this in the 'pstree' output (abbreviated):
>
> Name                                                  Pid   PPid
> -------------------------------------------------- ------ ------
>  0x894ca030:csrss.exe                                 580    484 ...
>  0x8f25b5b0:wininit.exe                               632    484 ...
> . 0x8f379d40:services.exe                             692    632 ...
> .. 0xb12484c0:FireSvc.exe                            2064    692 ...
> .. 0xaecc6d40:svchost.exe                            3332    692 ...
>         ...
> .. 0xb3eeb030:svchost.exe                            3780    692 ...
> .. 0x85e518e8:msdtc.exe                              5332    692 ...
> ... 0x82651d40:explorer.exe                          5400   5332 ...
> .... 0x85dcc3b0:pmcs.exe                             1608   5400 ...
> .... 0x85dc9240:EpePcMonitor.e                       6108   5400 ...
> .... 0x85c92030:BTTray.exe                           4744   5400 ...
> .... 0x8652c928:iexplore.exe                         7028   5400 ...
> ..... 0x86721030:iexplore.exe                        7364   7028 ...
> ...... 0x866f2030:jp2launcher.ex                     5356   7364 ...
> ....... 0x8678c408:java.exe                          7700   5356 ...
>         ...
> Is it just me or is msdtc.exe a very odd parent for explorer.exe?  I would normally expect userinit.exe to start explorer and then exit, leaving it with no visible parent.
>
> Any input appreciated...
>
>
>                         -=[ Steve ]=-
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
>
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
