ProcessCreate PML Operation
This operation occurs in the parent process shortly before the ProcessStart event occurs in the newly created child process.
NewPid ("PID" in Procmon) is the pid of the process being created, as distinguished from the Pid of the event (the parent process).
CreatedTime is not displayed in Procmon, but it is the timestamp supplied in the binary data at evdata[24] (see PML Binary Data and Results Offsets). It is generally shortly before the Time of this event.
Example from 64-bit PML
Hover over field values such as Time, ResultCode and CreatedTime, and over the bytes of evdata, in this example to see the tooltips as viewer9 shows them. The tooltip on the first byte of a colored patch gives the name of the field that patch holds.
ProcessCreate opcode=1,1
ev=31589
Field | Value |
---|---|
Time | 2022-05-17 19:41:48.3374482 |
Duration | 0.0000000 |
ResultCode | SUCCESS |
Tid | 8208 |
Path | C:\WINDOWS\system32\consent.exe |
CmdLine | consent.exe 8400 1066 0000024884624C60 |
CreatedTime | 2022-05-17 19:41:48.3374464 |
NewPid | 2264 |
evdata[0-215] file offset 17353305
Offset | Bytes | ASCII |
---|---|---|
0 | 10 01 00 00 d8 08 00 00 | ........ |
8 | 0b 01 00 00 d0 20 00 00 | ..... .. |
16 | 01 00 00 00 01 00 00 00 | ........ |
24 | 80 83 e5 ac 47 6a d8 01 | ....Gj.. |
32 | e7 03 00 00 00 00 00 00 | ........ |
40 | 00 00 00 00 0c 0c 1f 00 | ........ |
48 | 26 00 ff 37 01 01 00 00 | &..7.... |
56 | 00 00 00 05 12 00 00 00 | ........ |
64 | 01 01 00 00 00 00 00 10 | ........ |
72 | 00 40 00 00 43 00 3a 00 | .@..C.:. |
80 | 5c 00 57 00 49 00 4e 00 | \.W.I.N. |
88 | 44 00 4f 00 57 00 53 00 | D.O.W.S. |
96 | 5c 00 73 00 79 00 73 00 | \.s.y.s. |
104 | 74 00 65 00 6d 00 33 00 | t.e.m.3. |
112 | 32 00 5c 00 63 00 6f 00 | 2.\.c.o. |
120 | 6e 00 73 00 65 00 6e 00 | n.s.e.n. |
128 | 74 00 2e 00 65 00 78 00 | t...e.x. |
136 | 65 00 63 00 6f 00 6e 00 | e.c.o.n. |
144 | 73 00 65 00 6e 00 74 00 | s.e.n.t. |
152 | 2e 00 65 00 78 00 65 00 | ..e.x.e. |
160 | 20 00 38 00 34 00 30 00 |  .8.4.0. |
168 | 30 00 20 00 31 00 30 00 | 0. .1.0. |
176 | 36 00 36 00 20 00 30 00 | 6.6. .0. |
184 | 30 00 30 00 30 00 30 00 | 0.0.0.0. |
192 | 32 00 34 00 38 00 38 00 | 2.4.8.8. |
200 | 34 00 36 00 32 00 34 00 | 4.6.2.4. |
208 | 43 00 36 00 30 00 00 00 | C.6.0... |
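As an added example (not viewer9's own code), the following Python decodes this evdata block from the raw bytes so the displayed fields can be checked against the dump. The page states only that CreatedTime is the FILETIME at evdata[24]; every other offset used here (NewPid at 4, a PID at 12 that equals the first command-line argument, 16-bit character counts at 46 and 48, a user SID at 52 followed by a mandatory-label SID, then the path and command line as unterminated UTF-16LE strings laid end to end) was inferred from the hex dump above and is an assumption to verify against the PML Binary Data and Results Offsets page. The FILETIME decodes to 23:41:48 UTC, four hours later than the 19:41:48 shown, so the displayed Time and CreatedTime values are local time.

```python
"""Decoder for the evdata of a Procmon ProcessCreate event.

Added example, not viewer9's code.  Only the CreatedTime offset (evdata[24])
is stated by the page; every other offset here was inferred from the page's
hex dump and is an assumption to check against the PML Binary Data and
Results Offsets page.
"""
import struct
from datetime import datetime, timedelta, timezone

# evdata[0-215] of the page's 64-bit example (consent.exe, NewPid 2264),
# re-entered from the hex dump.
EVDATA = bytes.fromhex(
    "10010000d8080000" "0b010000d0200000" "0100000001000000" "8083e5ac476ad801"
    "e703000000000000" "000000000c0c1f00" "2600ff3701010000" "0000000512000000"
    "0101000000000010" "0040000043003a00" "5c00570049004e00" "44004f0057005300"
    "5c00730079007300" "740065006d003300" "32005c0063006f00" "6e00730065006e00"
    "74002e0065007800" "650063006f006e00" "730065006e007400" "2e00650078006500"
    "2000380034003000" "3000200031003000" "3600360020003000" "3000300030003000"
    "3200340038003800" "3400360032003400" "4300360030000000"
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Mandatory-label RIDs (S-1-16-<rid>) and the names Windows tools show for them.
INTEGRITY_NAMES = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                   0x3000: "High", 0x4000: "System", 0x5000: "Protected"}


def filetime_to_str(ticks):
    """FILETIME (100 ns ticks since 1601-01-01, UTC) -> 'YYYY-MM-DD HH:MM:SS.fffffff'.

    Procmon and viewer9 display local time; this keeps UTC so the offset
    (four hours for the page's capture) stays visible."""
    seconds, frac = divmod(ticks, 10_000_000)
    dt = FILETIME_EPOCH + timedelta(seconds=seconds)
    return ("%04d-%02d-%02d %02d:%02d:%02d.%07d"
            % (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, frac))


def decode_sid(buf, off):
    """Decode a binary SID at buf[off:].  The format is self-describing:
    revision, sub-authority count, 48-bit big-endian identifier authority,
    then little-endian 32-bit sub-authorities.
    Returns (textual SID, number of bytes consumed)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * sub_count


def parse_process_create(ev):
    """Decode one ProcessCreate evdata block.  All offsets except 24 are
    assumptions inferred from the page's dump (see module docstring)."""
    new_pid, = struct.unpack_from("<I", ev, 4)      # 0x08d8 = 2264 in the dump
    pid_at_12, = struct.unpack_from("<I", ev, 12)   # 0x20d0 = 8400, the first
                                                    # command-line argument here
    created, = struct.unpack_from("<Q", ev, 24)     # FILETIME, stated by the page
    path_chars, cmd_chars = struct.unpack_from("<HH", ev, 46)  # 31 and 38 here
    user_sid, n = decode_sid(ev, 52)                # S-1-5-18 in the dump
    label_sid, m = decode_sid(ev, 52 + n)           # S-1-16-<level>
    off = 52 + n + m
    # The two strings are UTF-16LE, not NUL-terminated, and laid end to end.
    path = ev[off:off + 2 * path_chars].decode("utf-16-le")
    off += 2 * path_chars
    cmdline = ev[off:off + 2 * cmd_chars].decode("utf-16-le")
    off += 2 * cmd_chars
    # Consistency check: only NUL padding may remain once the strings are consumed.
    if ev[off:].strip(b"\0"):
        raise ValueError("undecoded bytes at evdata[%d]: %s" % (off, ev[off:].hex()))
    rid = int(label_sid.rsplit("-", 1)[1])
    return {
        "new_pid": new_pid,
        "pid_at_12": pid_at_12,
        "created_time_utc": filetime_to_str(created),
        "user_sid": user_sid,
        "integrity": "%s (%s)" % (label_sid, INTEGRITY_NAMES.get(rid, "unknown")),
        "path": path,
        "cmdline": cmdline,
    }


if __name__ == "__main__":
    for key, value in parse_process_create(EVDATA).items():
        print("%-17s %s" % (key, value))
```

Running it on the dump yields NewPid 2264, the path and command line shown in the table above, user SID S-1-5-18 with a System mandatory label (consistent with consent.exe being started by the appinfo service on the call stack below), and CreatedTime 2022-05-17 23:41:48.3374464 UTC. The trailing-bytes check is deliberate: if these assumed offsets are tried on a record from another PML (a 32-bit capture, say) and the strings do not land exactly on the end of evdata, the decoder raises instead of silently returning garbage.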
Call Stack stacksize=26
StackAddress | mod | ModName | ModPath |
---|---|---|---|
0xfffff80438037a8f | 174 | ntoskrnl.exe + 0x637a8f | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff804380f3812 | 174 | ntoskrnl.exe + 0x6f3812 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff8043806cd29 | 174 | ntoskrnl.exe + 0x66cd29 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437e077b5 | 174 | ntoskrnl.exe + 0x4077b5 | C:\WINDOWS\system32\ntoskrnl.exe |
0x7ffc927ee614 | 77 | ntdll.dll + 0x9e614 | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc904e8dcc | 57 | KERNELBASE.dll + 0x8dcc | C:\WINDOWS\System32\KERNELBASE.dll |
0x7ffc904e63c3 | 57 | KERNELBASE.dll + 0x63c3 | C:\WINDOWS\System32\KERNELBASE.dll |
0x7ffc91c1db20 | 70 | KERNEL32.DLL + 0x1db20 | C:\WINDOWS\System32\KERNEL32.DLL |
0x7ffc792a558b | 1214 | appinfo.dll + 0x558b | c:\windows\system32\appinfo.dll |
0x7ffc792a7bbd | 1214 | appinfo.dll + 0x7bbd | c:\windows\system32\appinfo.dll |
0x7ffc792a7503 | 1214 | appinfo.dll + 0x7503 | c:\windows\system32\appinfo.dll |
0x7ffc792a6ba2 | 1214 | appinfo.dll + 0x6ba2 | c:\windows\system32\appinfo.dll |
0x7ffc9154a0e3 | 61 | RPCRT4.dll + 0x7a0e3 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc914d27fb | 61 | RPCRT4.dll + 0x27fb | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc91527838 | 61 | RPCRT4.dll + 0x57838 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc91509e06 | 61 | RPCRT4.dll + 0x39e06 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc91509a36 | 61 | RPCRT4.dll + 0x39a36 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc91517dbf | 61 | RPCRT4.dll + 0x47dbf | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc91517378 | 61 | RPCRT4.dll + 0x47378 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc91516961 | 61 | RPCRT4.dll + 0x46961 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc915163ce | 61 | RPCRT4.dll + 0x463ce | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc9151a9d2 | 61 | RPCRT4.dll + 0x4a9d2 | C:\WINDOWS\System32\RPCRT4.dll |
0x7ffc92770330 | 77 | ntdll.dll + 0x20330 | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc927a2f26 | 77 | ntdll.dll + 0x52f26 | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc91c17034 | 70 | KERNEL32.DLL + 0x17034 | C:\WINDOWS\System32\KERNEL32.DLL |
0x7ffc927a2651 | 77 | ntdll.dll + 0x52651 | C:\WINDOWS\SYSTEM32\ntdll.dll |
ProcessCreate is "Process Create" with a space in Procmon, and the corresponding detail field names for CmdLine and NewPid are "Command Line" and "PID".
Posted 4 Jul 2022, last updated 15 Nov 2022.
As viewer9 is just starting out, discussion is invited via email. Please send questions and comments directly to forum@viewer9.com. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.