Inquiry: source code of Process Explorer or idea for PhD research

  • Question

  • Hi Dear

    I am a PhD student working on finding out what has happened in a log file. Currently I work on Windows events, security events, to extract the chain of events. Process Explorer can find the relationship between object and process very well. I am looking at the log file to find the correlation between them. But I found out that the process ID, session ID and ... change. So, I am wondering which feature you used as a key to make the chain of correlation. I hope you could help me find out more information about the implementation of Process Explorer and use it in my research. I would appreciate it if you could share part of your code to help me understand how you detect the correlations.

    I am looking forward to hearing from you.

    Best Regards,

    Neda

    Friday, August 23, 2019 4:09 AM

All replies

  • As you noticed, Process Id can be reused by Windows, so it's difficult to correlate them.

    For this reason, MarkRuss created Sysmon, where he uses a field called Correlation ID in order to always relate a process to another, independently of the Windows PID.

    Try it and examine its event log. It's awesome.

    HTH
    -mario 

    Friday, August 23, 2019 7:24 AM
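To illustrate the PID-reuse problem from the question and the per-process identifier suggested in the reply, here is an added example (not code from the thread, Process Explorer or Sysmon) that builds a process ancestry chain from constructed records shaped like Sysmon process-creation events, using the `ProcessGuid`/`ParentProcessGuid` fields as the key. The GUID values, PIDs, image paths and times are constructed for the example.

```python
"""Process ancestry from Sysmon-style process-creation records.

Constructed sample (not real telemetry), shaped like Sysmon Event ID 1
fields. PID 4321 belongs first to cmd.exe, which exits, and is then reused
by an unrelated notepad.exe; that reuse is what breaks PID-only chaining.
"""
from typing import Dict, List

Event = Dict[str, str]

EVENTS: List[Event] = [
    {"UtcTime": "04:00:00", "ProcessGuid": "{guid-explorer}", "ProcessId": "1000",
     "Image": r"C:\Windows\explorer.exe",
     "ParentProcessGuid": "{guid-winlogon}", "ParentProcessId": "500"},
    {"UtcTime": "04:01:00", "ProcessGuid": "{guid-cmd}", "ProcessId": "4321",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "{guid-explorer}", "ParentProcessId": "1000"},
    {"UtcTime": "04:02:00", "ProcessGuid": "{guid-whoami}", "ProcessId": "7777",
     "Image": r"C:\Windows\System32\whoami.exe",
     "ParentProcessGuid": "{guid-cmd}", "ParentProcessId": "4321"},
    # cmd.exe has exited by now; Windows hands PID 4321 to a new process.
    {"UtcTime": "04:03:00", "ProcessGuid": "{guid-notepad}", "ProcessId": "4321",
     "Image": r"C:\Windows\notepad.exe",
     "ParentProcessGuid": "{guid-explorer}", "ParentProcessId": "1000"},
]


def pid_parent_candidates(events: List[Event], parent_pid: str) -> List[str]:
    """Every image that ever carried the given PID: a PID-only lookup is ambiguous."""
    return [e["Image"] for e in events if e["ProcessId"] == parent_pid]


def chain_by_guid(events: List[Event], guid: str) -> List[str]:
    """Walk ParentProcessGuid links upward; each GUID maps to exactly one record."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain: List[str] = []
    while guid in by_guid:
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain  # leaf first, root last; stops at the first GUID not in the log


if __name__ == "__main__":
    whoami = EVENTS[2]
    print("PID candidates:", pid_parent_candidates(EVENTS, whoami["ParentProcessId"]))
    print("GUID chain:", " <- ".join(chain_by_guid(EVENTS, whoami["ProcessGuid"])))
```

With PID alone, the parent of whoami.exe resolves to two different images; with the GUID it resolves to exactly one, and the chain whoami.exe <- cmd.exe <- explorer.exe is recovered.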