
Windows process

In order to run an executable program (the base image), a process is needed.
A process roughly consists of the following:
A process consists of modules, which are executables and DLLs.
A process is identified by its process id (PID).
The owner of the process, and the owner's privileges and security groups, are identified by an access token.
The process has virtual memory for its private use.
A process consists of one or more threads (a process without threads is possible, but not useful).
Resources that were allocated by Windows on behalf of the process are identified by handles (such handles can be shown with the Sysinternals tool handle).
Two important structures for processes are

User mode processes

User processes can be divided into four categories:

Foreground process

Apparently, at most one process is the foreground process. It seems possible that no process is the foreground process.

Services

Background processes that require no user interaction are referred to as services.
Services are controlled by the Service Control Manager (SCM), whose executable is services.exe.
An important registry key is HKLM\System\CurrentControlSet\Services.
svchost.exe is apparently used to host shared service processes.

explorer.exe

The first process that is created when a user logs in is explorer.exe.
This process is thus, directly or indirectly, the parent process of all processes that the user subsequently creates.
TODO: Is this process the shell process?

Process creation

A process is created by the WinAPI function CreateProcess().
LdrpInitialize recursively traverses the EXE's import tables and maps the executables it finds into memory. Then it calls LdrpRunInitializeRoutines, which in turn calls the entry points of the DLLs that were mapped into memory (with the parameter DLL_PROCESS_ATTACH).
After initializing the DLLs, LdrpInitialize calls BaseProcessStart (in kernel32.dll), which eventually calls the exe's entry point, which (probably) eventually calls main or WinMain.

Integrity levels

Each running process is assigned an integrity level, which is identified by a SID.
Name                  SID             Example or comments
Untrusted(?)          S-1-16-0
Low                   S-1-16-4096     iexplore.exe (in order to prevent spreading malware)
Medium                S-1-16-8192     explorer (the shell process?), ieuser.exe, Excel
Medium+Mandatory      S-1-16-8448     8448 = 8192 + 256
High                  S-1-16-12288    mmc.exe, setup.exe (12288 = 8448 + 2048 + 1024 + 512 + 256, that is: 256 is counted twice!)
System                S-1-16-16384    svchost.exe, winlogon.exe, Windows kernel
Protected-Process(?)  S-1-16-20480
Secure-Process(?)     S-1-16-28672
(Source: Mario Hewardt, Daniel Pravat: Advanced Windows Debugging, chapter 15)
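The following is an added example (not from the notes above or the cited book): it reads the mandatory label of the current PowerShell process from its token via whoami /groups and names it using the S-1-16-<RID> values from the table. The CanWriteMediumObjects field is an assumption of this example, derived from the no-write-up rule.

```powershell
# Added example: name the integrity level of the current process from the
# S-1-16-<RID> SID in its token. Names follow the table above.
$IntegrityNames = @{
    0     = 'Untrusted'
    4096  = 'Low'
    8192  = 'Medium'
    8448  = 'Medium+Mandatory'   # SECURITY_MANDATORY_MEDIUM_PLUS_RID in the SDK
    12288 = 'High'
    16384 = 'System'
    20480 = 'Protected-Process'
    28672 = 'Secure-Process'
}

function Get-CurrentIntegrityLevel {
    # whoami /groups /fo csv yields the columns "Group Name","Type","SID","Attributes";
    # the token's mandatory label appears as one row with an S-1-16-* SID.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { throw 'No mandatory label (S-1-16-*) found in the token' }

    $rid = [int]($label.SID -replace '^S-1-16-', '')
    [pscustomobject]@{
        SID   = $label.SID
        RID   = $rid
        Name  = if ($IntegrityNames.ContainsKey($rid)) { $IntegrityNames[$rid] } else { "Unknown ($rid)" }
        Label = $label.'Group Name'     # localized, e.g. "Mandatory Label\Medium Mandatory Level"
        # No-write-up: a process below Medium cannot modify objects labelled Medium,
        # which is the default label for user files and registry keys. Handy when
        # checking whether a sandboxed browser or a script really runs where expected.
        CanWriteMediumObjects = ($rid -ge 8192)
    }
}

Get-CurrentIntegrityLevel
```

Run the same script from an elevated and from a non-elevated console to see the RID change from 8192 to 12288.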

PowerShell

The automatic PowerShell variable $PID contains the process identifier of the process that is hosting the current Windows PowerShell session.
The get-process cmdlet returns the processes that are running locally or remotely.
Processes can be started with start-process.

Special processes

Special processes are

Querying processes

Existing processes can be queried with WMIC.exe:
Show process id and name:
wmic process get processId,name
Show parent process id and process id of cmd.exe processes:
wmic process where "name='cmd.exe'" get parentProcessId,ProcessId
Another possibility to query running (or stopped) processes is provided by tasklist.exe.

Getting a process' parent PID

In PowerShell, a process' parent PID can be queried like so:
get-cimInstance win32_Process -filter "name = 'oracle.exe'" | select parentProcessId
In PowerShell Core, the object returned by get-process has a parent property which allows querying the parent process:
get-process | where-object id -eq $pid | select-object {  $_.parent.id }
The Sysinternals tool pslist (or pslist64) shows a complete tree when invoked with the -t option.
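As an added example (not part of the notes above), the parent/child relation from Win32_Process can be turned into a full tree, as pslist -t does. Unlike pslist it also flags parent links that cannot be trusted: ParentProcessId is only a number, and if the parent has exited and its PID was reused, the process found under that PID is unrelated to the child; a genuine parent must have been created before its child, so creation dates are compared. The status names are this example's own.

```powershell
# Added example: process tree from Win32_Process with a sanity check on each
# parent link (assumes the CIM cmdlets, i.e. PowerShell 3 or later on Windows).
function Get-ProcessTree {
    $procs = Get-CimInstance Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        $status = 'ok'
        if ($p.ParentProcessId -eq $p.ProcessId) {
            $status = 'self-parent'         # System Idle Process (PID 0) lists itself
        } elseif ($null -eq $parent) {
            $status = 'parent-exited'       # orphan: the parent PID is no longer running
        } elseif ($parent.CreationDate -gt $p.CreationDate) {
            $status = 'parent-pid-reused'   # the "parent" is younger than the child
        }
        [pscustomobject]@{
            Pid        = [int]$p.ProcessId
            ParentPid  = [int]$p.ParentProcessId
            Name       = $p.Name
            ParentName = if ($parent) { $parent.Name } else { $null }
            Created    = $p.CreationDate
            Status     = $status
        }
    }
}

# Print the tree, indented, starting from every process without a trustworthy
# parent link; those are the roots (e.g. explorer.exe, whose parent exits after logon).
function Show-ProcessTree {
    $tree = Get-ProcessTree
    function Walk($node, $indent) {
        '{0}{1} (PID {2}, parent {3}, {4})' -f (' ' * $indent), $node.Name, $node.Pid, $node.ParentPid, $node.Status
        foreach ($child in $tree | Where-Object { $_.ParentPid -eq $node.Pid -and $_.Status -eq 'ok' }) {
            Walk $child ($indent + 2)
        }
    }
    foreach ($root in $tree | Where-Object Status -ne 'ok') { Walk $root 0 }
}

Show-ProcessTree
```

Get-ProcessTree | Where-Object Status -eq 'parent-pid-reused' lists exactly the links that a plain PID lookup would report wrongly.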

Error mode

Each process has an associated error mode that indicates how to react to serious errors.
The error mode is set with SetErrorMode(…). MSDN recommends calling SetErrorMode with the parameter SEM_FAILCRITICALERRORS.

Terminating processes

taskkill.exe kills processes from cmd.exe (and PowerShell).
PowerShell has a specific cmdlet to terminate processes: stop-process.
This cmdlet is used in the simple PowerShell script kil.ps1.
Then, there is also tskill.exe, the Remote Desktop Services End Process Utility.
kill.exe

Number of processes

In PowerShell, the number of processes can be determined with the get-counter cmdlet:
"Number of processes: $((get-counter '\Objects\Processes').counterSamples.cookedValue)"

Misc

A process can be put into the suspended state with the undocumented NtSuspendProcess native API.
A list of running processes can be obtained with NtQuerySystemInformation().

Impersonation

Impersonation is the ability of a process to take on the security attributes of another process.

See also

Visual Basic for Applications - PSAPI: EnumProcessModules
Each process has an input locale.
The .NET class System.Diagnostics.Process
Taskmgr.exe
All programs (processes) in Windows are ultimately started with the WinAPI function CreateProcess(). This is a VBA example that uses CreateProcess.
tasklist.exe to show the currently running processes in cmd.exe.
Threads
The PowerShell command noun process
Each process has a page table that maps virtual addresses to their corresponding physical addresses.
The cmd.exe built-in start.
PEB
spyxx.exe
Linux processes
Processes that are using a CLR (Common Language Runtime) can be displayed with clrver.exe.
Processes are kernel objects.
Determining the number of processes with WMIC.exe (numberOfProcesses is a property of Win32_OperatingSystem, alias os):
wmic os get numberOfProcesses
In Java, a new process can be started with the method exec of the class java.lang.Runtime.
In Python, a new process can be created («spawned») with the standard library module subprocess.
Process crashes are handled by WerFault.exe.
