Windows 8.1 x64 Process ID behaviour

redcat
Senior Member
 

Windows 8.1 x64 Process ID behaviour

Posted: Oct 18, 18 12:28

Does anybody out there know off the top of their heads how Windows 8.1 (or 10) behaves in terms of allocating and then releasing and/or reissuing PIDs please? Specifically if process A gets PID 1234 then the process quits out how soon could process B pick up PID 1234 afterwards?

How are PIDs issued for that matter, is it just random based on what's available (apart from specific examples like PID 4 for system) or is there some pattern to it?

TIA for any wisdom. I am researching it myself so will update this if I find anything useful to the community.  
 
  

athulin
Senior Member
 

Re: Windows 8.1 x64 Process ID behaviour

Posted: Oct 18, 18 16:44

- redcat
Does anybody out there know off the top of their heads how Windows 8.1 (or 10) behaves in terms of allocating and then releasing and/or reissuing PIDs please? Specifically if process A gets PID 1234 then the process quits out how soon could process B pick up PID 1234 afterwards?


As far as I know, it's random or sufficiently close to random to make little practical difference. But that's based on hearsay ...

Should not be too difficult to collect a sequence ... start a process with a distinctive name, get pid with tasklist, kill process with taskkill ... add some scripting language of preference. (Might even be doable with the Linux Bash shell ... where you could probably do just 'runme &', 'tasklist | grep -a runme' and 'kill %1', where runme could be a renamed windows binary, like notepad or calc)

Added: based on

Code:
FOR /L %%I IN (1, 1, 20000) DO (
  START /MIN notepad.exe
  TASKKILL /FI "IMAGENAME eq notepad.exe"
)

and the output from the TASKKILL command, process IDs vary between 32 and 12284, and are always 0 (mod 4). Which means there are something like 3000 potential PIDs. (??? really?)

Around 850 were observed, and the duplication of assigned PIDs varied from around 50 down to 1.

Entropy analysis of assigned PIDs suggests that they are far from random ... but a possible source of errors might be that CMD starts processes for START and TASKKILL, and that these bias notepad PID assignment. Probably needs more complex test beds to avoid that kind of problem.
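As an added example (not code posted in this thread), the same measurement done from PowerShell: the target is launched and killed directly, so no cmd.exe, START or TASKKILL child processes consume PIDs between samples, which removes the bias mentioned above. It assumes notepad.exe is available and uses an arbitrary iteration count; besides the range, mod-4 and duplication figures from the post, it reports how many launches elapse before a PID is reissued, which is what the original question asks.

```powershell
# Added example: sample PID assignment and reuse on Windows from PowerShell.
# Start-Process/Stop-Process are used instead of cmd START/TASKKILL so that no
# intermediate shell processes are created between samples.
# notepad.exe is assumed to exist; any small executable will do. 2000 is arbitrary.
param([int]$Iterations = 2000)

$pids = New-Object System.Collections.Generic.List[int]
for ($i = 0; $i -lt $Iterations; $i++) {
    $p = Start-Process -FilePath notepad.exe -WindowStyle Minimized -PassThru
    $pids.Add($p.Id)
    Stop-Process -Id $p.Id -Force
    $p.WaitForExit()   # ensure the PID is really released before the next launch
}

# Shape of the allocation space: range, distinct values, 4-alignment
$stats    = $pids | Measure-Object -Minimum -Maximum
$distinct = ($pids | Sort-Object -Unique).Count
$notMod4  = ($pids | Where-Object { $_ % 4 -ne 0 }).Count
"Samples: $($pids.Count)  Distinct: $distinct  Min: $($stats.Minimum)  Max: $($stats.Maximum)  Not divisible by 4: $notMod4"

# Reuse: number of launches between two assignments of the same PID
# ($PID is a read-only automatic variable, so a different name is used)
$lastSeen = @{}
$gaps = New-Object System.Collections.Generic.List[int]
for ($i = 0; $i -lt $pids.Count; $i++) {
    $id = $pids[$i]
    if ($lastSeen.ContainsKey($id)) { $gaps.Add($i - $lastSeen[$id]) }
    $lastSeen[$id] = $i
}
if ($gaps.Count -gt 0) {
    $g = $gaps | Measure-Object -Minimum -Average -Maximum
    "Reused PIDs: $($gaps.Count)  Shortest gap: $($g.Minimum) launches  Mean: $([math]::Round($g.Average, 1))  Longest: $($g.Maximum)"
} else {
    "No PID was reused in $Iterations launches"
}

# Duplication count per PID, most-reused first
$pids | Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

# Keep the raw sequence for entropy or pattern analysis in another tool
$pids | Set-Content -Path .\pid_sequence.txt
```

The raw sequence file lets the same data be re-analysed (entropy, ordering, run lengths) without repeating the launches.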