Re: [Vol-users] Huge PID in psxview

Steve, It looks like the process was found by analyzing desktop threads (True in the far right column) and then following that lead to the thread's owning process. Its possible that an application created a desktop (i.e. CreateDesktop), started a new process attached to that desktop (the STARTUPINFO.lpDesktop parameter passed to CreateProcess) or "manually" attached an existing thread (SetThreadDesktop). At some point before you acquired memory, the thread(s) terminated and the desktop was removed by the application by calling CloseDesktop. That is one possible theory to keep in mind (its not necessarily a rogue process). I would try running the deskscan plugin to see some details on the desktop object in question. You can also use volshell and the dt() command to show the other _EPROCESS fiels for the structure at 0x6da39918. MHL On Sat, Mar 16, 2013 at 1:37 PM, <shorejsi2(a)mmm.com> wrote: _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users