viewer9 documentation

ProcessStart PML Operation

ProcessStart is the first event recorded for a newly created process. It is generally preceded by a ProcessCreate event in the parent process.

ParentPid identifies the parent process by PID. It should match the ProcParentPid shown in the process fields on the right, and if the parent process was captured in the trace, a parentproc value and link to it also appear there. Windows reuses PIDs, so when correlating across a long trace, follow that link rather than matching on the bare number.

CmdLine shows how the process was launched: the pathname used to invoke it and the arguments passed. This is the string the parent supplied at creation, so it need not match the image path of the process itself.

Env lists the environment variables of the process as NAME=VALUE entries. In the stored event they are NUL-separated, as the evdata dump below shows. An environment inherited from or set by the parent can carry credentials or proxy settings, so a PML containing ProcessStart events deserves the same handling as the processes it describes.

Example from 64-bit PML

In viewer9, field values such as Time and ResultCode, and the individual bytes of evdata, carry tooltips. The tooltip on the first byte of a colored patch in the dump names the field those bytes belong to.

ProcessStart opcode=1,7

ev=84547

Time:2022-05-17 19:41:53.7281411
Duration:0.0000000
ResultCode:SUCCESS
Tid:7868
ParentPid:3772
CmdLine:"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\MpCopyAccelerator.exe"
CurDirectory:C:\WINDOWS\system32\
Env:ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Roaming CommonProgramFiles=C:\Program Files\Common Files CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files CommonProgramW6432=C:\Program Files\Common Files COMPUTERNAME=WIN10X64-VM ComSpec=C:\WINDOWS\system32\cmd.exe DriverData=C:\Windows\System32\Drivers\DriverData LOCALAPPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Local NUMBER_OF_PROCESSORS=4 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=AMD64 PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 94 Stepping 3, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=5e03 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files ProgramFiles(x86)=C:\Program Files (x86) ProgramW6432=C:\Program Files PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules PUBLIC=C:\Users\Public SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\WINDOWS\TEMP TMP=C:\WINDOWS\TEMP USERDOMAIN=WORKGROUP USERNAME=WIN10X64-VM$ USERPROFILE=C:\WINDOWS\system32\config\systemprofile windir=C:\WINDOWS

evdata[0-2895] file offset 40982764

   0  bc 0e 00 00 58 00 14 00  ....X...
   8  36 05 00 00 22 00 43 00  6...".C.
  16  3a 00 5c 00 50 00 72 00  :.\.P.r.
  24  6f 00 67 00 72 00 61 00  o.g.r.a.
  32  6d 00 44 00 61 00 74 00  m.D.a.t.
  40  61 00 5c 00 4d 00 69 00  a.\.M.i.
  48  63 00 72 00 6f 00 73 00  c.r.o.s.
  56  6f 00 66 00 74 00 5c 00  o.f.t.\.
  64  57 00 69 00 6e 00 64 00  W.i.n.d.
  72  6f 00 77 00 73 00 20 00  o.w.s. .
  80  44 00 65 00 66 00 65 00  D.e.f.e.
  88  6e 00 64 00 65 00 72 00  n.d.e.r.
  96  5c 00 50 00 6c 00 61 00  \.P.l.a.
 104  74 00 66 00 6f 00 72 00  t.f.o.r.
 112  6d 00 5c 00 34 00 2e 00  m.\.4...
 120  31 00 38 00 2e 00 32 00  1.8...2.
 128  32 00 30 00 33 00 2e 00  2.0.3...
 136  35 00 2d 00 30 00 5c 00  5.-.0.\.
 144  4d 00 70 00 43 00 6f 00  M.p.C.o.
 152  70 00 79 00 41 00 63 00  p.y.A.c.
 160  63 00 65 00 6c 00 65 00  c.e.l.e.
 168  72 00 61 00 74 00 6f 00  r.a.t.o.
 176  72 00 2e 00 65 00 78 00  r...e.x.
 184  65 00 22 00 43 00 3a 00  e.".C.:.
 192  5c 00 57 00 49 00 4e 00  \.W.I.N.
 200  44 00 4f 00 57 00 53 00  D.O.W.S.
 208  5c 00 73 00 79 00 73 00  \.s.y.s.
 216  74 00 65 00 6d 00 33 00  t.e.m.3.
 224  32 00 5c 00 41 00 4c 00  2.\.A.L.
 232  4c 00 55 00 53 00 45 00  L.U.S.E.
 240  52 00 53 00 50 00 52 00  R.S.P.R.
 248  4f 00 46 00 49 00 4c 00  O.F.I.L.
 256  45 00 3d 00 43 00 3a 00  E.=.C.:.
 264  5c 00 50 00 72 00 6f 00  \.P.r.o.
 272  67 00 72 00 61 00 6d 00  g.r.a.m.
 280  44 00 61 00 74 00 61 00  D.a.t.a.
 288  00 00 41 00 50 00 50 00  ..A.P.P.
 296  44 00 41 00 54 00 41 00  D.A.T.A.
 304  3d 00 43 00 3a 00 5c 00  =.C.:.\.
 312  57 00 49 00 4e 00 44 00  W.I.N.D.
 320  4f 00 57 00 53 00 5c 00  O.W.S.\.
 328  73 00 79 00 73 00 74 00  s.y.s.t.
 336  65 00 6d 00 33 00 32 00  e.m.3.2.
 344  5c 00 63 00 6f 00 6e 00  \.c.o.n.
 352  66 00 69 00 67 00 5c 00  f.i.g.\.
 360  73 00 79 00 73 00 74 00  s.y.s.t.
 368  65 00 6d 00 70 00 72 00  e.m.p.r.
 376  6f 00 66 00 69 00 6c 00  o.f.i.l.
 384  65 00 5c 00 41 00 70 00  e.\.A.p.
 392  70 00 44 00 61 00 74 00  p.D.a.t.
 400  61 00 5c 00 52 00 6f 00  a.\.R.o.
 408  61 00 6d 00 69 00 6e 00  a.m.i.n.
 416  67 00 00 00 43 00 6f 00  g...C.o.
 424  6d 00 6d 00 6f 00 6e 00  m.m.o.n.
 432  50 00 72 00 6f 00 67 00  P.r.o.g.
 440  72 00 61 00 6d 00 46 00  r.a.m.F.
 448  69 00 6c 00 65 00 73 00  i.l.e.s.
 456  3d 00 43 00 3a 00 5c 00  =.C.:.\.
 464  50 00 72 00 6f 00 67 00  P.r.o.g.
 472  72 00 61 00 6d 00 20 00  r.a.m. .
 480  46 00 69 00 6c 00 65 00  F.i.l.e.
 488  73 00 5c 00 43 00 6f 00  s.\.C.o.
 496  6d 00 6d 00 6f 00 6e 00  m.m.o.n.
 504  20 00 46 00 69 00 6c 00   .F.i.l.
 512  65 00 73 00 00 00 43 00  e.s...C.
 520  6f 00 6d 00 6d 00 6f 00  o.m.m.o.
 528  6e 00 50 00 72 00 6f 00  n.P.r.o.
 536  67 00 72 00 61 00 6d 00  g.r.a.m.
 544  46 00 69 00 6c 00 65 00  F.i.l.e.
 552  73 00 28 00 78 00 38 00  s.(.x.8.
 560  36 00 29 00 3d 00 43 00  6.).=.C.
 568  3a 00 5c 00 50 00 72 00  :.\.P.r.
 576  6f 00 67 00 72 00 61 00  o.g.r.a.
 584  6d 00 20 00 46 00 69 00  m. .F.i.
 592  6c 00 65 00 73 00 20 00  l.e.s. .
 600  28 00 78 00 38 00 36 00  (.x.8.6.
 608  29 00 5c 00 43 00 6f 00  ).\.C.o.
 616  6d 00 6d 00 6f 00 6e 00  m.m.o.n.
 624  20 00 46 00 69 00 6c 00   .F.i.l.
 632  65 00 73 00 00 00 43 00  e.s...C.
 640  6f 00 6d 00 6d 00 6f 00  o.m.m.o.
 648  6e 00 50 00 72 00 6f 00  n.P.r.o.
 656  67 00 72 00 61 00 6d 00  g.r.a.m.
 664  57 00 36 00 34 00 33 00  W.6.4.3.
 672  32 00 3d 00 43 00 3a 00  2.=.C.:.
 680  5c 00 50 00 72 00 6f 00  \.P.r.o.
 688  67 00 72 00 61 00 6d 00  g.r.a.m.
 696  20 00 46 00 69 00 6c 00   .F.i.l.
 704  65 00 73 00 5c 00 43 00  e.s.\.C.
 712  6f 00 6d 00 6d 00 6f 00  o.m.m.o.
 720  6e 00 20 00 46 00 69 00  n. .F.i.
 728  6c 00 65 00 73 00 00 00  l.e.s...
 736  43 00 4f 00 4d 00 50 00  C.O.M.P.
 744  55 00 54 00 45 00 52 00  U.T.E.R.
 752  4e 00 41 00 4d 00 45 00  N.A.M.E.
 760  3d 00 57 00 49 00 4e 00  =.W.I.N.
 768  31 00 30 00 58 00 36 00  1.0.X.6.
 776  34 00 2d 00 56 00 4d 00  4.-.V.M.
 784  00 00 43 00 6f 00 6d 00  ..C.o.m.
 792  53 00 70 00 65 00 63 00  S.p.e.c.
 800  3d 00 43 00 3a 00 5c 00  =.C.:.\.
 808  57 00 49 00 4e 00 44 00  W.I.N.D.
 816  4f 00 57 00 53 00 5c 00  O.W.S.\.
 824  73 00 79 00 73 00 74 00  s.y.s.t.
 832  65 00 6d 00 33 00 32 00  e.m.3.2.
 840  5c 00 63 00 6d 00 64 00  \.c.m.d.
 848  2e 00 65 00 78 00 65 00  ..e.x.e.
 856  00 00 44 00 72 00 69 00  ..D.r.i.
 864  76 00 65 00 72 00 44 00  v.e.r.D.
 872  61 00 74 00 61 00 3d 00  a.t.a.=.
 880  43 00 3a 00 5c 00 57 00  C.:.\.W.
 888  69 00 6e 00 64 00 6f 00  i.n.d.o.
 896  77 00 73 00 5c 00 53 00  w.s.\.S.
 904  79 00 73 00 74 00 65 00  y.s.t.e.
 912  6d 00 33 00 32 00 5c 00  m.3.2.\.
 920  44 00 72 00 69 00 76 00  D.r.i.v.
 928  65 00 72 00 73 00 5c 00  e.r.s.\.
 936  44 00 72 00 69 00 76 00  D.r.i.v.
 944  65 00 72 00 44 00 61 00  e.r.D.a.
 952  74 00 61 00 00 00 4c 00  t.a...L.
 960  4f 00 43 00 41 00 4c 00  O.C.A.L.
 968  41 00 50 00 50 00 44 00  A.P.P.D.
 976  41 00 54 00 41 00 3d 00  A.T.A.=.
 984  43 00 3a 00 5c 00 57 00  C.:.\.W.
 992  49 00 4e 00 44 00 4f 00  I.N.D.O.
1000  57 00 53 00 5c 00 73 00  W.S.\.s.
1008  79 00 73 00 74 00 65 00  y.s.t.e.
1016  6d 00 33 00 32 00 5c 00  m.3.2.\.
1024  63 00 6f 00 6e 00 66 00  c.o.n.f.
1032  69 00 67 00 5c 00 73 00  i.g.\.s.
1040  79 00 73 00 74 00 65 00  y.s.t.e.
1048  6d 00 70 00 72 00 6f 00  m.p.r.o.
1056  66 00 69 00 6c 00 65 00  f.i.l.e.
1064  5c 00 41 00 70 00 70 00  \.A.p.p.
1072  44 00 61 00 74 00 61 00  D.a.t.a.
1080  5c 00 4c 00 6f 00 63 00  \.L.o.c.
1088  61 00 6c 00 00 00 4e 00  a.l...N.
1096  55 00 4d 00 42 00 45 00  U.M.B.E.
1104  52 00 5f 00 4f 00 46 00  R._.O.F.
1112  5f 00 50 00 52 00 4f 00  _.P.R.O.
1120  43 00 45 00 53 00 53 00  C.E.S.S.
1128  4f 00 52 00 53 00 3d 00  O.R.S.=.
1136  34 00 00 00 4f 00 53 00  4...O.S.
1144  3d 00 57 00 69 00 6e 00  =.W.i.n.
1152  64 00 6f 00 77 00 73 00  d.o.w.s.
1160  5f 00 4e 00 54 00 00 00  _.N.T...
1168  50 00 61 00 74 00 68 00  P.a.t.h.
1176  3d 00 43 00 3a 00 5c 00  =.C.:.\.
1184  57 00 49 00 4e 00 44 00  W.I.N.D.
1192  4f 00 57 00 53 00 5c 00  O.W.S.\.
1200  73 00 79 00 73 00 74 00  s.y.s.t.
1208  65 00 6d 00 33 00 32 00  e.m.3.2.
1216  3b 00 43 00 3a 00 5c 00  ;.C.:.\.
1224  57 00 49 00 4e 00 44 00  W.I.N.D.
1232  4f 00 57 00 53 00 3b 00  O.W.S.;.
1240  43 00 3a 00 5c 00 57 00  C.:.\.W.
1248  49 00 4e 00 44 00 4f 00  I.N.D.O.
1256  57 00 53 00 5c 00 53 00  W.S.\.S.
1264  79 00 73 00 74 00 65 00  y.s.t.e.
1272  6d 00 33 00 32 00 5c 00  m.3.2.\.
1280  57 00 62 00 65 00 6d 00  W.b.e.m.
1288  3b 00 43 00 3a 00 5c 00  ;.C.:.\.
1296  57 00 49 00 4e 00 44 00  W.I.N.D.
1304  4f 00 57 00 53 00 5c 00  O.W.S.\.
1312  53 00 79 00 73 00 74 00  S.y.s.t.
1320  65 00 6d 00 33 00 32 00  e.m.3.2.
1328  5c 00 57 00 69 00 6e 00  \.W.i.n.
1336  64 00 6f 00 77 00 73 00  d.o.w.s.
1344  50 00 6f 00 77 00 65 00  P.o.w.e.
1352  72 00 53 00 68 00 65 00  r.S.h.e.
1360  6c 00 6c 00 5c 00 76 00  l.l.\.v.
1368  31 00 2e 00 30 00 5c 00  1...0.\.
1376  3b 00 43 00 3a 00 5c 00  ;.C.:.\.
1384  57 00 49 00 4e 00 44 00  W.I.N.D.
1392  4f 00 57 00 53 00 5c 00  O.W.S.\.
1400  53 00 79 00 73 00 74 00  S.y.s.t.
1408  65 00 6d 00 33 00 32 00  e.m.3.2.
1416  5c 00 4f 00 70 00 65 00  \.O.p.e.
1424  6e 00 53 00 53 00 48 00  n.S.S.H.
1432  5c 00 3b 00 43 00 3a 00  \.;.C.:.
1440  5c 00 57 00 49 00 4e 00  \.W.I.N.
1448  44 00 4f 00 57 00 53 00  D.O.W.S.
1456  5c 00 73 00 79 00 73 00  \.s.y.s.
1464  74 00 65 00 6d 00 33 00  t.e.m.3.
1472  32 00 5c 00 63 00 6f 00  2.\.c.o.
1480  6e 00 66 00 69 00 67 00  n.f.i.g.
1488  5c 00 73 00 79 00 73 00  \.s.y.s.
1496  74 00 65 00 6d 00 70 00  t.e.m.p.
1504  72 00 6f 00 66 00 69 00  r.o.f.i.
1512  6c 00 65 00 5c 00 41 00  l.e.\.A.
1520  70 00 70 00 44 00 61 00  p.p.D.a.
1528  74 00 61 00 5c 00 4c 00  t.a.\.L.
1536  6f 00 63 00 61 00 6c 00  o.c.a.l.
1544  5c 00 4d 00 69 00 63 00  \.M.i.c.
1552  72 00 6f 00 73 00 6f 00  r.o.s.o.
1560  66 00 74 00 5c 00 57 00  f.t.\.W.
1568  69 00 6e 00 64 00 6f 00  i.n.d.o.
1576  77 00 73 00 41 00 70 00  w.s.A.p.
1584  70 00 73 00 00 00 50 00  p.s...P.
1592  41 00 54 00 48 00 45 00  A.T.H.E.
1600  58 00 54 00 3d 00 2e 00  X.T.=...
1608  43 00 4f 00 4d 00 3b 00  C.O.M.;.
1616  2e 00 45 00 58 00 45 00  ..E.X.E.
1624  3b 00 2e 00 42 00 41 00  ;...B.A.
1632  54 00 3b 00 2e 00 43 00  T.;...C.
1640  4d 00 44 00 3b 00 2e 00  M.D.;...
1648  56 00 42 00 53 00 3b 00  V.B.S.;.
1656  2e 00 56 00 42 00 45 00  ..V.B.E.
1664  3b 00 2e 00 4a 00 53 00  ;...J.S.
1672  3b 00 2e 00 4a 00 53 00  ;...J.S.
1680  45 00 3b 00 2e 00 57 00  E.;...W.
1688  53 00 46 00 3b 00 2e 00  S.F.;...
1696  57 00 53 00 48 00 3b 00  W.S.H.;.
1704  2e 00 4d 00 53 00 43 00  ..M.S.C.
1712  00 00 50 00 52 00 4f 00  ..P.R.O.
1720  43 00 45 00 53 00 53 00  C.E.S.S.
1728  4f 00 52 00 5f 00 41 00  O.R._.A.
1736  52 00 43 00 48 00 49 00  R.C.H.I.
1744  54 00 45 00 43 00 54 00  T.E.C.T.
1752  55 00 52 00 45 00 3d 00  U.R.E.=.
1760  41 00 4d 00 44 00 36 00  A.M.D.6.
1768  34 00 00 00 50 00 52 00  4...P.R.
1776  4f 00 43 00 45 00 53 00  O.C.E.S.
1784  53 00 4f 00 52 00 5f 00  S.O.R._.
1792  49 00 44 00 45 00 4e 00  I.D.E.N.
1800  54 00 49 00 46 00 49 00  T.I.F.I.
1808  45 00 52 00 3d 00 49 00  E.R.=.I.
1816  6e 00 74 00 65 00 6c 00  n.t.e.l.
1824  36 00 34 00 20 00 46 00  6.4. .F.
1832  61 00 6d 00 69 00 6c 00  a.m.i.l.
1840  79 00 20 00 36 00 20 00  y. .6. .
1848  4d 00 6f 00 64 00 65 00  M.o.d.e.
1856  6c 00 20 00 39 00 34 00  l. .9.4.
1864  20 00 53 00 74 00 65 00   .S.t.e.
1872  70 00 70 00 69 00 6e 00  p.p.i.n.
1880  67 00 20 00 33 00 2c 00  g. .3.,.
1888  20 00 47 00 65 00 6e 00   .G.e.n.
1896  75 00 69 00 6e 00 65 00  u.i.n.e.
1904  49 00 6e 00 74 00 65 00  I.n.t.e.
1912  6c 00 00 00 50 00 52 00  l...P.R.
1920  4f 00 43 00 45 00 53 00  O.C.E.S.
1928  53 00 4f 00 52 00 5f 00  S.O.R._.
1936  4c 00 45 00 56 00 45 00  L.E.V.E.
1944  4c 00 3d 00 36 00 00 00  L.=.6...
1952  50 00 52 00 4f 00 43 00  P.R.O.C.
1960  45 00 53 00 53 00 4f 00  E.S.S.O.
1968  52 00 5f 00 52 00 45 00  R._.R.E.
1976  56 00 49 00 53 00 49 00  V.I.S.I.
1984  4f 00 4e 00 3d 00 35 00  O.N.=.5.
1992  65 00 30 00 33 00 00 00  e.0.3...
2000  50 00 72 00 6f 00 67 00  P.r.o.g.
2008  72 00 61 00 6d 00 44 00  r.a.m.D.
2016  61 00 74 00 61 00 3d 00  a.t.a.=.
2024  43 00 3a 00 5c 00 50 00  C.:.\.P.
2032  72 00 6f 00 67 00 72 00  r.o.g.r.
2040  61 00 6d 00 44 00 61 00  a.m.D.a.
2048  74 00 61 00 00 00 50 00  t.a...P.
2056  72 00 6f 00 67 00 72 00  r.o.g.r.
2064  61 00 6d 00 46 00 69 00  a.m.F.i.
2072  6c 00 65 00 73 00 3d 00  l.e.s.=.
2080  43 00 3a 00 5c 00 50 00  C.:.\.P.
2088  72 00 6f 00 67 00 72 00  r.o.g.r.
2096  61 00 6d 00 20 00 46 00  a.m. .F.
2104  69 00 6c 00 65 00 73 00  i.l.e.s.
2112  00 00 50 00 72 00 6f 00  ..P.r.o.
2120  67 00 72 00 61 00 6d 00  g.r.a.m.
2128  46 00 69 00 6c 00 65 00  F.i.l.e.
2136  73 00 28 00 78 00 38 00  s.(.x.8.
2144  36 00 29 00 3d 00 43 00  6.).=.C.
2152  3a 00 5c 00 50 00 72 00  :.\.P.r.
2160  6f 00 67 00 72 00 61 00  o.g.r.a.
2168  6d 00 20 00 46 00 69 00  m. .F.i.
2176  6c 00 65 00 73 00 20 00  l.e.s. .
2184  28 00 78 00 38 00 36 00  (.x.8.6.
2192  29 00 00 00 50 00 72 00  )...P.r.
2200  6f 00 67 00 72 00 61 00  o.g.r.a.
2208  6d 00 57 00 36 00 34 00  m.W.6.4.
2216  33 00 32 00 3d 00 43 00  3.2.=.C.
2224  3a 00 5c 00 50 00 72 00  :.\.P.r.
2232  6f 00 67 00 72 00 61 00  o.g.r.a.
2240  6d 00 20 00 46 00 69 00  m. .F.i.
2248  6c 00 65 00 73 00 00 00  l.e.s...
2256  50 00 53 00 4d 00 6f 00  P.S.M.o.
2264  64 00 75 00 6c 00 65 00  d.u.l.e.
2272  50 00 61 00 74 00 68 00  P.a.t.h.
2280  3d 00 25 00 50 00 72 00  =.%.P.r.
2288  6f 00 67 00 72 00 61 00  o.g.r.a.
2296  6d 00 46 00 69 00 6c 00  m.F.i.l.
2304  65 00 73 00 25 00 5c 00  e.s.%.\.
2312  57 00 69 00 6e 00 64 00  W.i.n.d.
2320  6f 00 77 00 73 00 50 00  o.w.s.P.
2328  6f 00 77 00 65 00 72 00  o.w.e.r.
2336  53 00 68 00 65 00 6c 00  S.h.e.l.
2344  6c 00 5c 00 4d 00 6f 00  l.\.M.o.
2352  64 00 75 00 6c 00 65 00  d.u.l.e.
2360  73 00 3b 00 43 00 3a 00  s.;.C.:.
2368  5c 00 57 00 49 00 4e 00  \.W.I.N.
2376  44 00 4f 00 57 00 53 00  D.O.W.S.
2384  5c 00 73 00 79 00 73 00  \.s.y.s.
2392  74 00 65 00 6d 00 33 00  t.e.m.3.
2400  32 00 5c 00 57 00 69 00  2.\.W.i.
2408  6e 00 64 00 6f 00 77 00  n.d.o.w.
2416  73 00 50 00 6f 00 77 00  s.P.o.w.
2424  65 00 72 00 53 00 68 00  e.r.S.h.
2432  65 00 6c 00 6c 00 5c 00  e.l.l.\.
2440  76 00 31 00 2e 00 30 00  v.1...0.
2448  5c 00 4d 00 6f 00 64 00  \.M.o.d.
2456  75 00 6c 00 65 00 73 00  u.l.e.s.
2464  00 00 50 00 55 00 42 00  ..P.U.B.
2472  4c 00 49 00 43 00 3d 00  L.I.C.=.
2480  43 00 3a 00 5c 00 55 00  C.:.\.U.
2488  73 00 65 00 72 00 73 00  s.e.r.s.
2496  5c 00 50 00 75 00 62 00  \.P.u.b.
2504  6c 00 69 00 63 00 00 00  l.i.c...
2512  53 00 79 00 73 00 74 00  S.y.s.t.
2520  65 00 6d 00 44 00 72 00  e.m.D.r.
2528  69 00 76 00 65 00 3d 00  i.v.e.=.
2536  43 00 3a 00 00 00 53 00  C.:...S.
2544  79 00 73 00 74 00 65 00  y.s.t.e.
2552  6d 00 52 00 6f 00 6f 00  m.R.o.o.
2560  74 00 3d 00 43 00 3a 00  t.=.C.:.
2568  5c 00 57 00 49 00 4e 00  \.W.I.N.
2576  44 00 4f 00 57 00 53 00  D.O.W.S.
2584  00 00 54 00 45 00 4d 00  ..T.E.M.
2592  50 00 3d 00 43 00 3a 00  P.=.C.:.
2600  5c 00 57 00 49 00 4e 00  \.W.I.N.
2608  44 00 4f 00 57 00 53 00  D.O.W.S.
2616  5c 00 54 00 45 00 4d 00  \.T.E.M.
2624  50 00 00 00 54 00 4d 00  P...T.M.
2632  50 00 3d 00 43 00 3a 00  P.=.C.:.
2640  5c 00 57 00 49 00 4e 00  \.W.I.N.
2648  44 00 4f 00 57 00 53 00  D.O.W.S.
2656  5c 00 54 00 45 00 4d 00  \.T.E.M.
2664  50 00 00 00 55 00 53 00  P...U.S.
2672  45 00 52 00 44 00 4f 00  E.R.D.O.
2680  4d 00 41 00 49 00 4e 00  M.A.I.N.
2688  3d 00 57 00 4f 00 52 00  =.W.O.R.
2696  4b 00 47 00 52 00 4f 00  K.G.R.O.
2704  55 00 50 00 00 00 55 00  U.P...U.
2712  53 00 45 00 52 00 4e 00  S.E.R.N.
2720  41 00 4d 00 45 00 3d 00  A.M.E.=.
2728  57 00 49 00 4e 00 31 00  W.I.N.1.
2736  30 00 58 00 36 00 34 00  0.X.6.4.
2744  2d 00 56 00 4d 00 24 00  -.V.M.$.
2752  00 00 55 00 53 00 45 00  ..U.S.E.
2760  52 00 50 00 52 00 4f 00  R.P.R.O.
2768  46 00 49 00 4c 00 45 00  F.I.L.E.
2776  3d 00 43 00 3a 00 5c 00  =.C.:.\.
2784  57 00 49 00 4e 00 44 00  W.I.N.D.
2792  4f 00 57 00 53 00 5c 00  O.W.S.\.
2800  73 00 79 00 73 00 74 00  s.y.s.t.
2808  65 00 6d 00 33 00 32 00  e.m.3.2.
2816  5c 00 63 00 6f 00 6e 00  \.c.o.n.
2824  66 00 69 00 67 00 5c 00  f.i.g.\.
2832  73 00 79 00 73 00 74 00  s.y.s.t.
2840  65 00 6d 00 70 00 72 00  e.m.p.r.
2848  6f 00 66 00 69 00 6c 00  o.f.i.l.
2856  65 00 00 00 77 00 69 00  e...w.i.
2864  6e 00 64 00 69 00 72 00  n.d.i.r.
2872  3d 00 43 00 3a 00 5c 00  =.C.:.\.
2880  57 00 49 00 4e 00 44 00  W.I.N.D.
2888  4f 00 57 00 53 00 00 00  O.W.S...
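
The layout of this evdata can be read off the dump. Bytes 0-3 hold ParentPid as a little-endian uint32 (bc 0e 00 00 = 0x0ebc = 3772), bytes 4-5 the CmdLine length in UTF-16 code units (58 00 = 88), bytes 6-7 the CurDirectory length (14 00 = 20), and bytes 8-11 the Env length (36 05 00 00 = 0x536 = 1334). The three strings then follow back to back in UTF-16LE with nothing between them: the closing quote of CmdLine at byte 186 is directly followed by the C of C:\WINDOWS at byte 188, and Env begins at byte 228 as NUL-separated NAME=VALUE entries with a trailing NUL. The arithmetic checks: 12 + 2 * (88 + 20 + 1334) = 2896, the size of evdata[0-2895]. The Python below is an added example, not code from viewer9 or from this page. The layout is inferred from this single 64-bit dump and is an assumption to confirm against further events (and against a 32-bit PML) before relying on it; the first 16 bytes are copied from the dump, and the environment used for the round trip is a constructed subset of the one shown.

```python
import struct

# Fixed header of a 64-bit PML ProcessStart evdata, as inferred from the dump
# above (an assumption, not a published layout):
#   uint32 ParentPid, uint16 CmdLine chars, uint16 CurDirectory chars, uint32 Env chars
HEADER = struct.Struct("<IHHI")

# Bytes 0-15 of the evdata shown above, copied from the dump.
PAGE_HEADER = bytes.fromhex("bc0e0000" "58001400" "36050000" "22004300")

# CmdLine and CurDirectory exactly as displayed for the event above.
PAGE_CMDLINE = r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\MpCopyAccelerator.exe"'
PAGE_CURDIR = "C:\\WINDOWS\\system32\\"

# Constructed: a subset of the environment shown above, used for the round trip.
SAMPLE_ENV = {
    "ALLUSERSPROFILE": "C:\\ProgramData",
    "COMPUTERNAME": "WIN10X64-VM",
    "USERNAME": "WIN10X64-VM$",
}


def parse_header(evdata):
    """Return (ParentPid, cmd_chars, curdir_chars, env_chars, implied_total_bytes)."""
    if len(evdata) < HEADER.size:
        raise ValueError("evdata shorter than the 12-byte ProcessStart header")
    parent_pid, cmd_len, cwd_len, env_len = HEADER.unpack_from(evdata, 0)
    total = HEADER.size + 2 * (cmd_len + cwd_len + env_len)  # 2 bytes per UTF-16 unit
    return parent_pid, cmd_len, cwd_len, env_len, total


def is_consistent(evdata):
    """True when the header's three lengths account for exactly the bytes present."""
    try:
        return parse_header(evdata)[4] == len(evdata)
    except ValueError:
        return False


def parse_process_start(evdata):
    """Decode a complete ProcessStart evdata blob into its displayed fields."""
    parent_pid, cmd_len, cwd_len, env_len, total = parse_header(evdata)
    if total != len(evdata):
        # Truncated or oversized blob: refuse rather than decode garbage.
        raise ValueError(f"header implies {total} bytes, evdata has {len(evdata)}")
    pos = HEADER.size
    strings = []
    for n_chars in (cmd_len, cwd_len, env_len):
        strings.append(evdata[pos:pos + 2 * n_chars].decode("utf-16-le"))
        pos += 2 * n_chars
    cmdline, curdir, env_block = strings
    env = {}
    for entry in env_block.split("\x00"):
        if entry:  # the split leaves an empty string after the trailing NUL
            name, _, value = entry.partition("=")
            env[name] = value
    return {"ParentPid": parent_pid, "CmdLine": cmdline,
            "CurDirectory": curdir, "Env": env}


def build_process_start(parent_pid, cmdline, curdir, env):
    """Inverse of parse_process_start; used here only to construct test input."""
    env_block = "".join(f"{k}={v}\x00" for k, v in env.items())
    body = (cmdline + curdir + env_block).encode("utf-16-le")
    # len() counts code points, which equals UTF-16 units while everything is in the BMP.
    return HEADER.pack(parent_pid, len(cmdline), len(curdir), len(env_block)) + body


if __name__ == "__main__":
    print(parse_header(PAGE_HEADER))  # (3772, 88, 20, 1334, 2896)
    blob = build_process_start(3772, PAGE_CMDLINE, PAGE_CURDIR, SAMPLE_ENV)
    print(blob[:8] == PAGE_HEADER[:8], blob[12:16] == PAGE_HEADER[12:16])
    print(parse_process_start(blob))
```

The length check in parse_process_start is the part worth keeping when adapting this: the three lengths are attacker-influenced data from the traced process (the command line and environment are whatever the parent passed), so a parser that trusts them without comparing against the bytes actually present reads past the event or silently truncates a string.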

Call Stack stacksize=19

StackAddress        mod  ModName                  ModPath
0xfffff80438037e56  174  ntoskrnl.exe + 0x637e56  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff804380f3856  174  ntoskrnl.exe + 0x6f3856  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff8043806cd29  174  ntoskrnl.exe + 0x66cd29  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437e077b5  174  ntoskrnl.exe + 0x4077b5  C:\WINDOWS\system32\ntoskrnl.exe
0x7ffc927ee614
0x7ffc904e8dcc
0x7ffc904e7106
0x7ffc91c1cbb4
0x7ffc7df37a6e
0x7ffc754176c4
0x7ffc7541d64b
0x7ffc7539631c
0x7ffc75394c41
0x7ffc7535579b
0x7ffc7df461d3
0x7ffc927b2150
0x7ffc927a315a
0x7ffc91c17034
0x7ffc927a2651

The four kernel-mode frames are attributed to module 174, ntoskrnl.exe. Subtracting each printed offset from its address gives the same base, 0xfffff80437a00000, for all four, which is the check to make when a module attribution looks doubtful. The remaining fifteen user-mode frames (0x7ffc...) are listed as bare addresses with no module attribution.

Procmon displays this operation as "Process Start", with a space. The detail field names also differ in Procmon: ParentPid is Parent PID, CmdLine is Command line, CurDirectory is Current directory, and Env is Environment.

Posted 4 Jul 2022, last updated 15 Nov 2022.

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.

Copyright 2022, bryantlite, Inc.