FS_SysInfo_Process
The directory sys/proc exists as a sub-directory to the file system root.
The directory contains process related information in a convenient tree format.
The files in the sys/proc directory are listed in the table below:
| File | Description |
|---|---|
| proc.txt | Process tree - list processes and their parent processes in a tree view. |
| proc-v.txt | Process tree verbose - also list process image path and command line. |
| proc-time.txt | Process list - sorted by creation time. |
Files in the sys/proc directory are read-only.
The file proc.txt contains a per-pid tree view of the known processes in the system. The view includes all processes including terminated ones.
32 Process is 32-bit on 64-bit Windows.
E Process is NOT found in EPROCESS list (memory corruption, drift or unlink)
T Process is terminated
U Process is user-account (non-system user)
* Process is outside standard paths.
Process Pid Parent Flag User Create Time Exit Time
--------------------------------------------------------------------------------------------------------
- System 4 0 SYSTEM 2020-08-01 19:20:20 UTC ***
-- Registry 88 4 SYSTEM 2020-08-01 19:20:10 UTC ***
-- smss.exe 304 4 SYSTEM 2020-08-01 19:20:20 UTC ***
-- MemCompression 1592 4 SYSTEM 2020-08-01 19:20:31 UTC ***
- csrss.exe 396 388 SYSTEM 2020-08-01 19:20:24 UTC ***
- wininit.exe 468 388 SYSTEM 2020-08-01 19:20:25 UTC ***
-- services.exe 604 468 SYSTEM 2020-08-01 19:20:26 UTC ***
...
-- userinit.exe 3996 564 TU JohnSmith 2020-08-01 19:36:12 UTC 2020-08-01 19:40:09 UTC
--- explorer.exe 4028 3996 U JohnSmith 2020-08-01 19:20:58 UTC ***
---- mspaint.exe 1832 4028 E U JohnSmith 2020-08-01 19:21:56 UTC ***
---- OneDrive.exe 8904 5896 32 U JohnSmith 2020-08-01 19:21:56 UTC ***
...
The example shows the sys/proc directory and the ordinary non-verbose process tree.
The sys/proc sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_sys_proc.c in the vmm project.