Wireshark 4.7.2
The Wireshark network protocol analyzer
procmon_process_t Struct Reference

Describes a single process observed by Process Monitor, including its identity, security context, and loaded modules. More...

#include <procmon.h>

Public Attributes

nstime_t start_time
nstime_t end_time
uint64_t authentication_id
uint32_t process_id
uint32_t parent_process_id
uint32_t parent_process_index
uint32_t session_number
const char * integrity
const char * user_name
const char * process_name
const char * image_path
const char * command_line
const char * company
const char * version
const char * description
procmon_module_t * modules
uint32_t num_modules
bool is_virtualized: 1
bool is_64_bit: 1

Detailed Description

Describes a single process observed by Process Monitor, including its identity, security context, and loaded modules.

Member Data Documentation

◆ authentication_id

uint64_t procmon_process_t::authentication_id

Windows authentication ID (LUID) of the logon session under which this process runs.

◆ command_line

const char* procmon_process_t::command_line

Full command line string used to launch this process.

◆ company

const char* procmon_process_t::company

Company name from the executable's version resource; NULL if unavailable.

◆ description

const char* procmon_process_t::description

File description from the executable's version resource; NULL if unavailable.

◆ end_time

nstime_t procmon_process_t::end_time

Timestamp at which this process exited; zero if still running.

◆ image_path

const char* procmon_process_t::image_path

Full file system path to the process executable image.

◆ integrity

const char* procmon_process_t::integrity

Integrity level of the process (e.g. "Low", "Medium", "High", "System").

◆ is_64_bit

bool procmon_process_t::is_64_bit

True if this is a 64-bit process; false if it is a 32-bit (WOW64) process.

◆ is_virtualized

bool procmon_process_t::is_virtualized

True if this process is running under UAC virtualization.

◆ modules

procmon_module_t* procmon_process_t::modules

Array of modules loaded into this process; contains num_modules entries.

◆ num_modules

uint32_t procmon_process_t::num_modules

Number of entries in the modules array.

◆ parent_process_id

uint32_t procmon_process_t::parent_process_id

PID of the parent process that spawned this process.

◆ parent_process_index

uint32_t procmon_process_t::parent_process_index

Index into the process table of the parent process entry.

◆ process_id

uint32_t procmon_process_t::process_id

Process identifier (PID) assigned by the operating system.

◆ process_name

const char* procmon_process_t::process_name

Base name of the process executable (e.g. "notepad.exe").

◆ session_number

uint32_t procmon_process_t::session_number

Windows Terminal Services session number in which this process runs.

◆ start_time

nstime_t procmon_process_t::start_time

Timestamp at which this process was created.

◆ user_name

const char* procmon_process_t::user_name

User account name under which this process is running.

◆ version

const char* procmon_process_t::version

Version string from the executable's version resource; NULL if unavailable.
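The fields above are only as trustworthy as the file they were parsed from, so a consumer should bound-check `parent_process_index`, confirm that the indexed entry really carries `parent_process_id`, and refuse to walk `modules` when `num_modules` is non-zero but the array is NULL. The following is an added example written for this page, not Wireshark's own code: instead of including `procmon.h` it redeclares stand-in types that mirror the documented fields (the `nstime_t` layout, the one-field `procmon_module_t`, the `procmon_process_check` and `procmon_count_running` functions, the `PROCMON_CHECK_*` codes and the sample table are all assumptions or constructed data).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for Wireshark's nstime_t (seconds + nanoseconds). Assumed layout;
 * the real definition lives in the Wireshark headers, which are not included here. */
typedef struct { time_t secs; int nsecs; } nstime_t;

/* Hypothetical minimal module record; only the path is needed for this example. */
typedef struct { const char *path; } procmon_module_t;

/* Stand-in mirroring the fields documented for procmon_process_t. */
typedef struct {
    nstime_t start_time;
    nstime_t end_time;               /* zero while the process is still running */
    uint64_t authentication_id;
    uint32_t process_id;
    uint32_t parent_process_id;
    uint32_t parent_process_index;   /* index into the process table */
    uint32_t session_number;
    const char *integrity;
    const char *user_name;
    const char *process_name;
    const char *image_path;
    const char *command_line;
    const char *company;
    const char *version;
    const char *description;
    procmon_module_t *modules;       /* num_modules entries */
    uint32_t num_modules;
    bool is_virtualized : 1;
    bool is_64_bit : 1;
} procmon_process_t;

/* Result codes for procmon_process_check (assumed names, not part of procmon.h). */
#define PROCMON_CHECK_OK          0
#define PROCMON_CHECK_BAD_PARENT  1  /* parent_process_index outside the table */
#define PROCMON_CHECK_PARENT_PID  2  /* indexed parent entry has a different PID */
#define PROCMON_CHECK_BAD_MODULES 3  /* num_modules > 0 but modules == NULL */
#define PROCMON_CHECK_BAD_TIMES   4  /* end_time precedes start_time */

static bool nstime_is_zero(const nstime_t *t) { return t->secs == 0 && t->nsecs == 0; }

static int nstime_cmp(const nstime_t *a, const nstime_t *b) {
    if (a->secs != b->secs) return a->secs < b->secs ? -1 : 1;
    if (a->nsecs != b->nsecs) return a->nsecs < b->nsecs ? -1 : 1;
    return 0;
}

/* Validate entry `idx` of a `count`-entry process table before trusting its
 * parent link, module array or lifetime. Returns a PROCMON_CHECK_* code. */
int procmon_process_check(const procmon_process_t *table, uint32_t count, uint32_t idx) {
    const procmon_process_t *p = &table[idx];
    if (p->parent_process_index >= count)
        return PROCMON_CHECK_BAD_PARENT;            /* bound before dereferencing */
    if (table[p->parent_process_index].process_id != p->parent_process_id)
        return PROCMON_CHECK_PARENT_PID;            /* index and PID must agree */
    if (p->num_modules > 0 && p->modules == NULL)
        return PROCMON_CHECK_BAD_MODULES;           /* never walk a NULL array */
    if (!nstime_is_zero(&p->end_time) && nstime_cmp(&p->end_time, &p->start_time) < 0)
        return PROCMON_CHECK_BAD_TIMES;             /* exited before it started */
    return PROCMON_CHECK_OK;
}

/* Count entries whose end_time is zero, i.e. processes still running at capture end. */
uint32_t procmon_count_running(const procmon_process_t *table, uint32_t count) {
    uint32_t running = 0;
    for (uint32_t i = 0; i < count; i++)
        if (nstime_is_zero(&table[i].end_time)) running++;
    return running;
}

/* Constructed sample table: entries 0-3 are well formed, 4-7 each trip one check. */
static procmon_module_t sample_modules[1] = { { "C:\\Windows\\System32\\ntdll.dll" } };
static const procmon_process_t sample_table[] = {
    { .process_id = 0,    .parent_process_id = 0,    .parent_process_index = 0, .process_name = "System Idle Process" },
    { .process_id = 4,    .parent_process_id = 0,    .parent_process_index = 0, .process_name = "System" },
    { .process_id = 1234, .parent_process_id = 4,    .parent_process_index = 1, .process_name = "explorer.exe" },
    { .start_time = { 1700000000, 0 }, .end_time = { 1700000100, 0 },
      .process_id = 5678, .parent_process_id = 1234, .parent_process_index = 2, .process_name = "notepad.exe",
      .modules = sample_modules, .num_modules = 1 },
    { .process_id = 6000, .parent_process_id = 4,    .parent_process_index = 99 },           /* BAD_PARENT */
    { .process_id = 6001, .parent_process_id = 4,    .parent_process_index = 1, .num_modules = 2 }, /* BAD_MODULES */
    { .start_time = { 1700000200, 500 }, .end_time = { 1700000200, 100 },
      .process_id = 6002, .parent_process_id = 4,    .parent_process_index = 1 },            /* BAD_TIMES */
    { .process_id = 6003, .parent_process_id = 999,  .parent_process_index = 2 },            /* PARENT_PID */
};
#define SAMPLE_COUNT ((uint32_t)(sizeof sample_table / sizeof sample_table[0]))

int main(void) {
    for (uint32_t i = 0; i < SAMPLE_COUNT; i++)
        printf("entry %u (pid %u): check=%d\n", i, sample_table[i].process_id,
               procmon_process_check(sample_table, SAMPLE_COUNT, i));
    printf("running: %u of %u\n", procmon_count_running(sample_table, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

The checks run in the order a dissector would need them: the index bound comes first because every later step dereferences the parent entry, and the PID cross-check catches a table whose index and PID fields disagree even when both are individually in range.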
The documentation for this struct was generated from the following file: