process獲取父程序

Windows provides different tools to list and get information about processes. The task manager can be used to list and manage the process. But task manager has limited capabilities. So if we are a pentester or system administrator who lives in deep water we can use process explorer for more functionality.

Windows提供了不同的工具來列出和獲取有關程序的資訊。 工作管理員可用於列出和管理過程。 但是工作管理員功能有限。 因此，如果我們是生活在深水中的五分之一或系統管理員，則可以使用流程資源管理器以獲得更多功能。

下載Windows Process Explorer (Download Windows Process Explorer)

Process explorer is provided as Sysinternal utilities and downloaded from following link as zipped file.

Process Explorer作為Sysinternal實用程式提供，並從以下連結下載為壓縮檔案。

https://download.sysinternals.com/files/ProcessExplorer.zip

https://download.sysinternals.com/files/ProcessExplorer.zip

In order to run process explorer we just need to select the architecture and click executable. There is no need to install.

為了執行Process Explorer，我們只需要選擇架構並單擊可執行檔案即可。 無需安裝。

流程瀏覽器幫助 (Process Explorer Help)

As we can see in the previous screenshot process explorer comes with a help file in chm format. We can get detailed help about the process explorer from this help document.

正如我們在上一個螢幕截圖中所看到的，資源管理器附帶了一個chm格式的幫助檔案。 我們可以從該幫助文件中獲得有關流程瀏覽器的詳細幫助。

使用流程瀏覽器列出流程 (List Processes with Process Explorer)

We can get process list and their detailed information just clicking to the process explorer file.

我們只需單擊流程資源管理器檔案即可獲取流程列表及其詳細資訊。

Process are listed according to their parent and child relationship. Process listed as a sub row are child of the upper process. Following information about processes can be seen from this page.

程序是根據其父子關係列出的。 列為子行的流程是上層流程的子級。 從該頁面可以看到有關流程的以下資訊。

• CPUcolumns shows general CPU usage percentage of this process.

  CPU列顯示此過程的常規CPU使用率百分比。

• Private Bytescolumns show the size of memory only used by this process and not shared with other processes and DLL’s.

  Private Bytes列顯示僅由該程序使用，而不與其他程序和DLL共享的記憶體大小。

• PIDcolumn shows process identifier given by operating system and used to easily identify the process.

  PID列顯示作業系統提供的程序識別符號，用於輕鬆識別程序。

• Descriptioncolumns shows the process information.

  Description列顯示過程資訊。

• Company Namecolumns shows the executable file and application vendor company.

  Company Name列顯示可執行檔案和應用程式供應商公司。

列出詳細的過程資訊 (List Detailed Process Information)

More detailed process information can be shown with the properties of the the selected process. Just right click on the process and select Properties. This will open a window like below.

可以顯示更多詳細的過程資訊以及所選過程的屬性。 只需右鍵單擊該過程，然後選擇“ Properties 。 這將開啟如下所示的視窗。

We can see that there are a lot of tabs those provides related information. By default threads tab is opened and list existing threads of the current process which their Thread ID.

我們可以看到有很多提供相關資訊的標籤。 預設情況下，“執行緒”選項卡處於開啟狀態，並列出當前程序的現有執行緒及其“執行緒ID”。

Following information can be get with other tabs.

以下資訊可通過其他選項卡獲得。

• TCP/IPtab provides the network ports and remote connections about this process.

  TCP/IP選項卡提供有關此過程的網路埠和遠端連線。

• Securitytab provides owner, group and other related security information

  Security選項卡提供了所有者，組和其他相關的安全性資訊

• Environment tab provides information about the process environment variables like OS, PATH, HOMEPATH etc.

  Environment選項卡提供有關過程環境變數的資訊，例如OS，PATH，HOMEPATH等。

• Strings tab provides the identified strings in this process memory area.

  Strings選項卡在此過程儲存區中提供了已識別的字串。

• Image tab provides executable file path related information

  Image選項卡提供可執行檔案路徑的相關資訊

• Performance tab provides CPU, I/O, Memory related statistics and information

  Performance選項卡提供CPU，I / O，與記憶體相關的統計資訊和資訊

• Performance Graph tab shows simple CPU, Memory and I/O graphs about process

  Performance Graph選項卡顯示有關程序的簡單CPU，記憶體和I / O圖

• Threads tab shows related threads and their thread ID’s

  Threads選項卡顯示相關執行緒及其執行緒ID

使用Process Explorer終止程序 (Kill Process with Process Explorer)

Another useful feature of the process explorer is killing selected process. This can be done right click to the related process and select Kill Processfrom the menu. We can also select process and use DELETEkey to do same operation.

程序瀏覽器的另一個有用功能是殺死選定的程序。 可以右鍵單擊相關過程，然後從選單中選擇Kill Process 。 我們也可以選擇程序並使用DELETE鍵執行相同的操作。

使用Process Explorer殺死程序樹(Kill Process Tree with Process Explorer)

In previous step we just killed a single process. We can also kill the process tree. Process tree is the parent process and its child process. This will also kill the child processes too.

在上一步中，我們只是殺死了一個程序。 我們還可以殺死程序樹。 程序樹是父程序及其子程序。 這也將殺死子程序。

檢查病毒總數中的程序和可執行安全性(Check Process and Executable Security In Virus Total)

There is very useful feature which is security related. We can check the executable file and running processes against VirusTotal. Virtual Total is a services provides more than 50 antivirus applications to check uploaded executable files. This virus check will made us more secure. We can apply this check to suspicious process easily like below.

有一個非常有用的功能，與安全性有關。 我們可以根據Virus Total檢查可執行檔案和正在執行的程序。 Virtual Total是一項提供50多種防病毒應用程式以檢查上傳的可執行檔案的服務。 此病毒檢查將使我們更加安全。 我們可以輕鬆地將此檢查應用於可疑過程，如下所示。

翻譯自: https://www.poftut.com/windows-process-explorer-get-detailed-information-processes/

process獲取父程序