Introduction
The Article Understanding Windows Process Stack using Process Monitor is Part 3 of the below Series:
How to use Process Monitor(ProcMon) – Part 1
Understanding Disk Activity using Process Monitor -Part 2
In this article we will be looking inside the Windows Process Stack and how we are able to see the Application on the screen after you open it with a mouse click using the Process Monitor Tool (ProcMon). Windows Subsystem is a Combination of User Mode and Kernel Mode Drivers and APIs which help any application to open up. Since every application requires the help of its own files as well as the Windows DLLs to open up
If you are new to this page I will recommend you to first visit: Understanding Windows Process Layer using Process Monitor (ProcMon) – Part 1
If you want to know more about User and Kernel Mode Processes please refer to Kernel Mode vs. User Mode
Now as a small introduction, any application like notepad or word will have its own user-mode processes that will be taking help of Kernel more processes in order to access the CPU, Memory or any devices that you have associated. This is done in the form of API Calls.
If you want to read more about kernel you can go through the Wiki Page: Kernel
Now let’s understand this process flow in more details using the setup below:
- We will start with a screen which looks like this.
2. Now we will start our test by starting the capture and typing Notepad.exe on the Command prompt:
3. Once you see the Notepad on the screen you can simply go ahead and stop the capture, using the same button as shown as 1 in the above image.
Dissection of the Screen:
Time of Day: The time when it captured the information.
Process Name: Name of the Process.
PID: Process ID
Operation: What operation this process have performed.
Path: Path where the operation is performed.
Now since we know what are we looking at, we can start looking for the process from where we have initiated the requested to open Notepad i.e Command Prompt (Cmd.exe)
You can also start your search by removing some of the unwanted information from the screen, this can be done by right-clicking on the process Name and select Exclude <Process Name>.
Now in my case, I am excluding Explorer as I have started notepad from Command Line and there is no use of Explorer. Since we have a very small capture you will be able to see the below rows, where CMD.exe has executed: C:\Users\Administrator>notepad.exe
Once this is passed you can start seeing the traces of CMD.EXE creating a Process with the Name Notepad.exe and Once the Process is created it had executed it with a Unique Process ID 14856.
Now, this is the scenario where you know we have used CMD in order to open Notepad, But what if we are not sure and we need to find the process ID which is responsible for this Process.
To do this you can right-click on the Row where you are seeing and select “Select Column“
Here you can select Parent PID and click Ok:
Once this is done, you can easily see that Notepad.exe is started by CMD as the Parent PID of Notepad.exe is similar to the PID of CMD.
Now to understand the process Stack, we open CMD what process and DLLs windows will call, we can simply right click on the CMD.exe and Click Stack
This will open up the Stack which is used in order to open CMD.exe or to do its processes.
This stack generally looks like this:
Now you will notice that most of all the windows process stack is going to start from ntoskernel and then transition to ntdl.dll and later Kernelbase.dll.
This is because:
ntoskernel :
is known as Executive/Kernel. This is the Backbone of an Operating System and it running in the Kernel Mode.
It is also known as kernel image, provides the kernel and executive layers of the Microsoft Windows NT kernel space, and is responsible for various system services such as hardware abstraction, process and memory management, thus making it a fundamental part of the system.
NTDLL.DLL :
The first group of functions provides the interface to the Windows executive system services that can be called from user mode. There are more than 400 such functions, such as NtCreateFile, NtSetEvent, and so on. As noted earlier, most of the capabilities of these functions are accessible through the Windows API.
With the help of these two DLLs, we are able to open Command Prompt.
Please feel free to drop your queries if you have any regarding Windows process Stack