viewer9 documentation

ProcessCreate PML Operation

This operation occurs in the parent process shortly before the ProcessStart event occurs in the newly created child process.

NewPid ("PID" in Procmon) is the pid of the process being created, as distinguished from the Pid of the event (the parent process).

CreatedTime is not displayed in Procmon, but it is the timestamp supplied in the binary data at evdata[24] (see PML Binary Data and Results Offsets). It is generally shortly before the Time of this event.

Example from 64-bit PML

Hover over field values like Time, ResultCode, CreatedTime, and bytes of evdata in this example to see tooltips as they appear in viewer9. The tooltip of the first byte of a color patch tells the field name.

ProcessCreate opcode=1,1

ev=31589

Time:2022-05-17 19:41:48.3374482
Duration:0.0000000
ResultCode:SUCCESS
Tid:8208
Path:C:\WINDOWS\system32\consent.exe
CmdLine:consent.exe 8400 1066 0000024884624C60
CreatedTime:2022-05-17 19:41:48.3374464
NewPid:2264

evdata[0-215] file offset 17353305

  0  10 01 00 00 d8 08 00 00  ........
  8  0b 01 00 00 d0 20 00 00  ..... ..
 16  01 00 00 00 01 00 00 00  ........
 24  80 83 e5 ac 47 6a d8 01  ....Gj..
 32  e7 03 00 00 00 00 00 00  ........
 40  00 00 00 00 0c 0c 1f 00  ........
 48  26 00 ff 37 01 01 00 00  &..7....
 56  00 00 00 05 12 00 00 00  ........
 64  01 01 00 00 00 00 00 10  ........
 72  00 40 00 00 43 00 3a 00  .@..C.:.
 80  5c 00 57 00 49 00 4e 00  \.W.I.N.
 88  44 00 4f 00 57 00 53 00  D.O.W.S.
 96  5c 00 73 00 79 00 73 00  \.s.y.s.
104  74 00 65 00 6d 00 33 00  t.e.m.3.
112  32 00 5c 00 63 00 6f 00  2.\.c.o.
120  6e 00 73 00 65 00 6e 00  n.s.e.n.
128  74 00 2e 00 65 00 78 00  t...e.x.
136  65 00 63 00 6f 00 6e 00  e.c.o.n.
144  73 00 65 00 6e 00 74 00  s.e.n.t.
152  2e 00 65 00 78 00 65 00  ..e.x.e.
160  20 00 38 00 34 00 30 00   .8.4.0.
168  30 00 20 00 31 00 30 00  0. .1.0.
176  36 00 36 00 20 00 30 00  6.6. .0.
184  30 00 30 00 30 00 30 00  0.0.0.0.
192  32 00 34 00 38 00 38 00  2.4.8.8.
200  34 00 36 00 32 00 34 00  4.6.2.4.
208  43 00 36 00 30 00 00 00  C.6.0...

Call Stack stacksize=26

StackAddress        mod   ModName                   ModPath
0xfffff80438037a8f  174   ntoskrnl.exe + 0x637a8f   C:\WINDOWS\system32\ntoskrnl.exe
0xfffff804380f3812  174   ntoskrnl.exe + 0x6f3812   C:\WINDOWS\system32\ntoskrnl.exe
0xfffff8043806cd29  174   ntoskrnl.exe + 0x66cd29   C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437e077b5  174   ntoskrnl.exe + 0x4077b5   C:\WINDOWS\system32\ntoskrnl.exe
0x7ffc927ee614      77    ntdll.dll + 0x9e614       C:\WINDOWS\SYSTEM32\ntdll.dll
0x7ffc904e8dcc      57    KERNELBASE.dll + 0x8dcc   C:\WINDOWS\System32\KERNELBASE.dll
0x7ffc904e63c3      57    KERNELBASE.dll + 0x63c3   C:\WINDOWS\System32\KERNELBASE.dll
0x7ffc91c1db20      70    KERNEL32.DLL + 0x1db20    C:\WINDOWS\System32\KERNEL32.DLL
0x7ffc792a558b      1214  appinfo.dll + 0x558b      c:\windows\system32\appinfo.dll
0x7ffc792a7bbd      1214  appinfo.dll + 0x7bbd      c:\windows\system32\appinfo.dll
0x7ffc792a7503      1214  appinfo.dll + 0x7503      c:\windows\system32\appinfo.dll
0x7ffc792a6ba2      1214  appinfo.dll + 0x6ba2      c:\windows\system32\appinfo.dll
0x7ffc9154a0e3      61    RPCRT4.dll + 0x7a0e3      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc914d27fb      61    RPCRT4.dll + 0x27fb       C:\WINDOWS\System32\RPCRT4.dll
0x7ffc91527838      61    RPCRT4.dll + 0x57838      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc91509e06      61    RPCRT4.dll + 0x39e06      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc91509a36      61    RPCRT4.dll + 0x39a36      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc91517dbf      61    RPCRT4.dll + 0x47dbf      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc91517378      61    RPCRT4.dll + 0x47378      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc91516961      61    RPCRT4.dll + 0x46961      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc915163ce      61    RPCRT4.dll + 0x463ce      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc9151a9d2      61    RPCRT4.dll + 0x4a9d2      C:\WINDOWS\System32\RPCRT4.dll
0x7ffc92770330      77    ntdll.dll + 0x20330       C:\WINDOWS\SYSTEM32\ntdll.dll
0x7ffc927a2f26      77    ntdll.dll + 0x52f26       C:\WINDOWS\SYSTEM32\ntdll.dll
0x7ffc91c17034      70    KERNEL32.DLL + 0x17034    C:\WINDOWS\System32\KERNEL32.DLL
0x7ffc927a2651      77    ntdll.dll + 0x52651       C:\WINDOWS\SYSTEM32\ntdll.dll

ProcessCreate is "Process Create" with a space in Procmon, and the corresponding detail field names for CmdLine and NewPid are "Command Line" and "PID".
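To make the evdata[24] timestamp concrete, here is an added Python example (not viewer9's code and not part of the original page) that decodes the 216 bytes dumped above. Only the CreatedTime offset comes from the text; the NewPid offset, the two string-length fields and the string start are assumptions read off this single dump and may not hold for other PML versions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed from this page's hex dump: the 216 bytes of evdata[0-215]
# for the ProcessCreate event above (ev=31589 in a 64-bit PML).
EVDATA = bytes.fromhex(
    "10010000d8080000" "0b010000d0200000" "0100000001000000" "8083e5ac476ad801"
    "e703000000000000" "000000000c0c1f00" "2600ff3701010000" "0000000512000000"
    "0101000000000010" "0040000043003a00" "5c00570049004e00" "44004f0057005300"
    "5c00730079007300" "740065006d003300" "32005c0063006f00" "6e00730065006e00"
    "74002e0065007800" "650063006f006e00" "730065006e007400" "2e00650078006500"
    "2000380034003000" "3000200031003000" "3600360020003000" "3000300030003000"
    "3200340038003800" "3400360032003400" "4300360030000000"
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """A FILETIME counts 100-ns ticks since 1601-01-01 UTC. datetime keeps only
    microseconds, so the seventh fraction digit Procmon shows is dropped here."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def format_filetime(ft):
    """Render a FILETIME with the 7 fraction digits Procmon/viewer9 display, in
    UTC (Procmon itself shows the capturing machine's local time)."""
    dt = filetime_to_datetime(ft)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + ".%07d" % (ft % 10_000_000)


def parse_process_create(evdata):
    """Extract the fields this page discusses from ProcessCreate evdata.
    Only evdata[24] (CreatedTime, a little-endian FILETIME) is documented above.
    The rest are ASSUMPTIONS read off this one dump: NewPid as uint32 at 4
    (0x08d8 = 2264), path and command-line lengths in UTF-16 characters as
    uint16 at 46 and 48, and the two strings stored back to back from 76."""
    new_pid = struct.unpack_from("<I", evdata, 4)[0]
    created = struct.unpack_from("<Q", evdata, 24)[0]
    path_len, cmd_len = struct.unpack_from("<HH", evdata, 46)
    path_end = 76 + 2 * path_len
    path = evdata[76:path_end].decode("utf-16-le")
    cmdline = evdata[path_end:path_end + 2 * cmd_len].decode("utf-16-le")
    return {"NewPid": new_pid, "CreatedTime": created,
            "CreatedTimeUTC": format_filetime(created),
            "Path": path, "CmdLine": cmdline}


if __name__ == "__main__":
    for name, value in parse_process_create(EVDATA).items():
        print(f"{name}: {value}")
```

The decoded value, 2022-05-17 23:41:48.3374464 UTC, is the 19:41:48.3374464 shown above on a machine four hours behind UTC, and it is 18 ticks (1.8 µs) before the event's Time of 19:41:48.3374482, matching the note that CreatedTime precedes Time.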

Posted 4 Jul 2022, last updated 15 Nov 2022.

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.

Copyright 2022, bryantlite, Inc.