[Vol-users] Mucho processes

Glenn Edwards hiddenillusion at gmail.com
Fri Jun 7 11:04:03 CDT 2013


Background: The user logged off (I know, I know) of the system (WinXP) and
the first responder logged back in under a different user and took the
memory dump.

When running pslist against the memory dump there are 2,423 entries.  I'm
seeing a lot of entries where the process starts and exits - sometimes in a
row:

0x89b3f868 userinit.exe           3808    548      0 --------      0      0
2013-05-26 10:00:10 UTC+0000   2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe           3156    548      0 --------      0      0
2013-05-26 10:00:28 UTC+0000   2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe           3672    548      0 --------      0      0
2013-05-26 11:30:11 UTC+0000   2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe           3388    548      0 --------      0      0
2013-05-26 12:41:44 UTC+0000   2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe           1336    548      0 --------      0      0
2013-05-26 13:22:13 UTC+0000   2013-05-26 13:22:13 UTC+0000

and sometimes more spread out:

0x89c1da98 java.exe               4536   1368      0 --------      0      0
2013-06-01 01:23:35 UTC+0000   2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe            8608   4536      0 --------      0      0
2013-06-01 01:24:12 UTC+0000   2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe           3152    832      0 --------      0      0
2013-06-01 01:24:12 UTC+0000   2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe          1120   1368      0 --------      0      0
2013-06-01 01:26:15 UTC+0000   2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe               9148   1368      0 --------      0      0
2013-06-01 01:37:41 UTC+0000   2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe            7620   9148      0 --------      0      0
2013-06-01 01:42:51 UTC+0000   2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe           3664    832      0 --------      0      0
2013-06-01 01:42:51 UTC+0000   2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe          9940   1368      0 --------      0      0
2013-06-01 01:43:54 UTC+0000   2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe               4572   1368      0 --------      0      0
2013-06-01 01:51:47 UTC+0000   2013-06-01 01:59:58 UTC+0000

Example of top processes by overall count of occurrence:

$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
    364 java.exe
    362 minituner.exe
    335 userinit.exe
    301 wmiprvse.exe
    219 cscript.exe
    192 verclsid.exe
     91 wuauclt.exe
     37 regsvr32.exe
     34 winlogon.exe
     34 csrss.exe
[snip]


I've never come across this before so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump, and therefore a lot of still-loading
processes were observed?

-- 
Glenn Edwards
@hiddenillusion
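An added example (not part of Glenn's post or of Volatility itself) that parses pslist output in the line-wrapped form quoted above, tallies image names the way the awk pipeline does, and pulls out the start/exit pairs that are only seconds apart; the sample rows are constructed from the ones quoted, plus one made-up still-running process to cover the missing-exit case.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the wrapped form the post shows; real pslist.txt has one row per line.
SAMPLE = """
0x89b3f868 userinit.exe           3808    548      0 --------      0      0
2013-05-26 10:00:10 UTC+0000   2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe           3156    548      0 --------      0      0
2013-05-26 10:00:28 UTC+0000   2013-05-26 10:00:28 UTC+0000
0x89c1da98 java.exe               4536   1368      0 --------      0      0
2013-06-01 01:23:35 UTC+0000   2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe            8608   4536      0 --------      0      0
2013-06-01 01:24:12 UTC+0000   2013-06-01 01:24:14 UTC+0000
0x8a0b1020 longrun.exe            1111    548      7      145      0      0
2013-06-01 01:20:00 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
FMT = "%Y-%m-%d %H:%M:%S"
ROW = re.compile(  # Offset Name PID PPID, then Thds Hnds Sess Wow64, then Start [Exit]
    r"(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    rf"(?:\s+\S+){{4}}\s+(?P<start>{TS}) UTC\+0000(?:\s+(?P<exit>{TS}) UTC\+0000)?")

def parse_pslist(text):
    """One dict per row; exit and lifetime are None for still-running processes."""
    procs = []
    for m in ROW.finditer(text):
        start = datetime.strptime(m["start"], FMT)
        exit_ = datetime.strptime(m["exit"], FMT) if m["exit"] else None
        procs.append({"name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                      "start": start, "exit": exit_,
                      "lifetime": (exit_ - start).total_seconds() if exit_ else None})
    return procs

def name_counts(procs):
    """Same tally as the awk | sort | uniq -c pipeline in the post."""
    return Counter(p["name"] for p in procs)

def short_lived(procs, max_seconds=2):
    """Processes that exited within max_seconds of starting (the start-and-exit pattern)."""
    return [p for p in procs if p["lifetime"] is not None and p["lifetime"] <= max_seconds]

def start_gaps(procs, name):
    """Seconds between consecutive launches of one image name, in start order."""
    starts = sorted(p["start"] for p in procs if p["name"] == name)
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
```

Feeding the full pslist.txt to parse_pslist and checking start_gaps for userinit.exe shows whether the repeats cluster around the responder's logon time or recur across the whole uptime.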