Introduction
This article is posted in order to study what the contents of a memory dump taken from a real machine look like. The author is a beginner, so please leave a comment if I have misunderstood anything. FTK Imager is used to take the memory dump and Volatility3 to analyse it.
To repeat: I am a beginner. Please be kind.
Recap of the previous post
With windows.pslist.PsList I listed the metadata of the processes in memory and learned the roles of the well-known processes!
Parent-child relationships of processes
Last time I mentioned that there are roughly three kinds of processes, but I did not really understand what criteria decide which kind a given process belongs to.
So I asked an AI for help, and it replied that you can largely tell which kind a process belongs to from its parent-child relationships.
To see the parent-child relationships of processes, Volatility3's windows.pstree.PsTree is the plugin to use. In its output each leading asterisk marks one level of depth below a top-level process, and the PPID column gives the parent's PID.
Let's run it right away.
$ vol3 -f memdump.mem windows.pstree.PsTree
Volatility 3 Framework 2.28.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime Audit Cmd Path
1132 1068 csrss.exe 0xcf0f57b71140 15 - 0 False 2026-03-26 00:04:03.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\csrss.exe - -
1220 1068 wininit.exe 0xcf0f5d6e1080 2 - 0 False 2026-03-26 00:04:04.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\wininit.exe wininit.exe C:\WINDOWS\system32\wininit.exe
* 1360 1220 LsaIso.exe 0xcf0f5d295080 1 - 0 False 2026-03-26 00:04:04.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\LsaIso.exe - -
* 1380 1220 lsass.exe 0xcf0f5d29c080 11 - 0 False 2026-03-26 00:04:04.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\lsass.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\lsass.exe
* 1308 1220 services.exe 0xcf0f5d291080 6 - 0 False 2026-03-26 00:04:04.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\services.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\services.exe
** 1544 1308 svchost.exe 0xcf0f5d2af080 21 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p C:\WINDOWS\system32\svchost.exe
*** 3488 1544 OpenConsole.ex 0xcf0f8252c080 9 - 6 False 2026-03-29 14:10:04.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.23.20211.0_x64__8wekyb3d8bbwe\OpenConsole.exe - -
*** 12612 1544 smartscreen.ex 0xcf0f85fc50c0 5 - 6 False 2026-03-29 14:09:52.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\smartscreen.exe C:\Windows\System32\smartscreen.exe -Embedding C:\Windows\System32\smartscreen.exe
*** 18632 1544 CrossDeviceSer 0xcf0f7a1d2080 16 - 6 False 2026-03-29 11:15:12.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\MicrosoftWindows.CrossDevice_1.26012.79.0_x64__cw5n1h2txyewy\CrossDeviceService.exe "C:\Program Files\WindowsApps\MicrosoftWindows.CrossDevice_1.26012.79.0_x64__cw5n1h2txyewy\CrossDeviceService.exe" -RegisterProcessAsComServer -Embedding C:\Program Files\WindowsApps\MicrosoftWindows.CrossDevice_1.26012.79.0_x64__cw5n1h2txyewy\CrossDeviceService.exe
*** 5544 1544 Widgets.exe 0xcf0f8a1ed080 2 - 6 False 2026-03-29 11:15:14.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_526.1202.40.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_526.1202.40.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe" -ServerName:Microsoft.Windows.DashboardServer C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_526.1202.40.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe
*** 11304 1544 RuntimeBroker. 0xcf0f669a80c0 7 - 6 False 2026-03-29 11:16:44.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding C:\Windows\System32\RuntimeBroker.exe
*** 3884 1544 StartMenuExper 0xcf0f6321f080 29 - 6 False 2026-03-29 11:15:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:FullTrustApp.AppXykjsye98af63ez2annt9djke8trg8stn.mca C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
*** 18060 1544 WmiPrvSE.exe 0xcf0f6fc6e080 9 - 0 False 2026-03-28 09:05:56.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\wbem\WmiPrvSE.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
*** 7500 1544 SearchHost.exe 0xcf0f6137e080 25 - 6 False 2026-03-29 11:15:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
**** 1428 7500 msedgewebview2 0xcf0f7aee3080 49 - 6 False 2026-03-29 11:15:15.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=SearchHost.exe --webview-exe-version=2126.2002.40.0 --user-data-dir="C:\Users\悠輝\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EBWebView" --noerrdialogs --disable-features=msSmartScreenProtection --edge-webview-enable-mojo-ipcz --enable-features=msEdgeFluentOverlayScrollbar --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.18.9.23723; 10.0.0.0.26200.8039) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.26200 IsWebView2/True (WebView2Version 146.0.3856.84)" --lang=ja --mojo-named-platform-channel-pipe=7500.25772.8759333237377524966 /pfhostedapp:7763c54215efa47b9067eb346b3a38ecaf22f1cc C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe
***** 2400 1428 msedgewebview2 0xcf0f7a4d7080 7 - 6 False 2026-03-29 11:15:16.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\悠輝\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EBWebView /prefetch:4 /pfhostedapp:7763c54215efa47b9067eb346b3a38ecaf22f1cc --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\悠輝\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=146.0.7680.166 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=146.0.3856.84 --initial-client-data=0x16c,0x170,0x174,0x148,0x17c,0x7fffb9d034d8,0x7fffb9d034e4,0x7fffb9d034f0 C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe
***** 24432 1428 msedgewebview2 0xcf0f860ca080 19 - 6 False 2026-03-29 11:15:17.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ja --service-sandbox-type=none --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.18.9.23723; 10.0.0.0.26200.8039) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.26200 IsWebView2/True (WebView2Version 146.0.3856.84)" --user-data-dir="C:\Users\悠輝\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EBWebView" --webview-exe-name=SearchHost.exe --webview-exe-version=2126.2002.40.0 --embedded-browser-webview=1 --always-read-main-dll --metrics-shmem-handle=2344,i,5142361247267058131,13721922064061125147,524288 --field-trial-handle=1936,i,3714759923550228885,17023618714373854101,262144 --enable-features=msEdgeFluentOverlayScrollbar --disable-features=msSmartScreenProtection --variations-seed-version --pseudonymization-salt-handle=1944,i,5004458895128752424,5854315782466134945,4 --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2308 /prefetch:11 /pfhostedapp:7763c54215efa47b9067eb346b3a38ecaf22f1cc C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe
***** 14388 1428 msedgewebview2 0xcf0f7a52f080 50 - 6 False 2026-03-29 11:15:17.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe - -
***** 22968 1428 msedgewebview2 0xcf0f7a5f4080 10 - 6 False 2026-03-29 11:15:17.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ja --service-sandbox-type=service --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.18.9.23723; 10.0.0.0.26200.8039) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.26200 IsWebView2/True (WebView2Version 146.0.3856.84)" --user-data-dir="C:\Users\悠輝\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EBWebView" --webview-exe-name=SearchHost.exe --webview-exe-version=2126.2002.40.0 --embedded-browser-webview=1 --always-read-main-dll --metrics-shmem-handle=2484,i,17988720873227099223,14080242336922701233,524288 --field-trial-handle=1936,i,3714759923550228885,17023618714373854101,262144 --enable-features=msEdgeFluentOverlayScrollbar --disable-features=msSmartScreenProtection --variations-seed-version --pseudonymization-salt-handle=1944,i,5004458895128752424,5854315782466134945,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2504 /prefetch:13 /pfhostedapp:7763c54215efa47b9067eb346b3a38ecaf22f1cc C:\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.84\msedgewebview2.exe
*** 21452 1544 WindowsTermina 0xcf0f73e44080 32 - 6 False 2026-03-29 14:10:04.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.23.20211.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.23.20211.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.23.20211.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
*** 14768 1544 RuntimeBroker. 0xcf0f6c6df0c0 2 - 6 False 2026-03-29 11:15:13.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding C:\Windows\System32\RuntimeBroker.exe
*** 17240 1544 TextInputHost. 0xcf0f7dcdc080 64 - 6 False 2026-03-29 11:15:20.000000 UTC N/A \Device\HarddiskVolume3\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
*** 11384 1544 RuntimeBroker. 0xcf0f704870c0 15 - 6 False 2026-03-29 11:15:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding C:\Windows\System32\RuntimeBroker.exe
*** 15516 1544 explorer.exe 0xcf0f62758080 69 - 6 False 2026-03-29 11:59:13.000000 UTC N/A \Device\HarddiskVolume3\Windows\explorer.exe C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding C:\WINDOWS\explorer.exe
** 4620 1308 svchost.exe 0xcf0f5eaea0c0 5 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s PhoneSvc C:\WINDOWS\system32\svchost.exe
** 2068 1308 svchost.exe 0xcf0f5db07080 8 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule C:\WINDOWS\system32\svchost.exe
*** 26600 2068 taskhostw.exe 0xcf0f75869080 8 - 6 False 2026-03-29 11:15:12.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\taskhostw.exe taskhostw.exe C:\WINDOWS\system32\taskhostw.exe
*** 19372 2068 taskhostw.exe 0xcf0f781560c0 8 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} C:\WINDOWS\system32\taskhostw.exe
*** 3140 2068 taskhostw.exe 0xcf0f61c760c0 0 - 0 False 2026-03-26 00:11:15.000000 UTC 2026-03-26 00:11:24.000000 UTC \Device\HarddiskVolume3\Windows\System32\taskhostw.exe - -
** 3604 1308 svchost.exe 0xcf0f5e32b080 7 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe - -
*** 23204 3604 ctfmon.exe 0xcf0f86cc50c0 21 - 6 False 2026-03-29 11:15:18.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\ctfmon.exe /QuitInfo:00000000000003D4;0000000000000384; C:\WINDOWS\system32\ctfmon.exe
** 4124 1308 svchost.exe 0xcf0f5e6a7080 2 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc C:\WINDOWS\system32\svchost.exe
** 15904 1308 svchost.exe 0xcf0f62e9c080 5 - 0 False 2026-03-26 00:04:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcsRedirectionGuard -p -s lfsvc C:\WINDOWS\system32\svchost.exe
** 23584 1308 svchost.exe 0xcf0f6bff2080 5 - 0 False 2026-03-27 06:24:47.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost C:\WINDOWS\System32\svchost.exe
** 16932 1308 svchost.exe 0xcf0f6cf3f080 2 - 0 False 2026-03-27 00:08:49.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k WuqiSvcGroup -p -s wuqisvc C:\WINDOWS\system32\svchost.exe
** 3116 1308 svchost.exe 0xcf0f5ddbc080 3 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k NetSvcs -s nvagent C:\WINDOWS\system32\svchost.exe
** 3144 1308 NVDisplay.Cont 0xcf0f5dd95080 34 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_7840b4313191ae17\Display.NvContainer\NVDisplay.Container.exe C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_7840b4313191ae17\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_7840b4313191ae17\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem /ert C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_7840b4313191ae17\Display.NvContainer\NVDisplay.Container.exe
*** 26532 3144 NVDisplay.Cont 0xcf0f6b2fb080 32 - 6 False 2026-03-29 07:58:52.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_7840b4313191ae17\Display.NvContainer\NVDisplay.Container.exe - -
** 8776 1308 svchost.exe 0xcf0f5fa6d080 4 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Appinfo C:\WINDOWS\system32\svchost.exe
** 10324 1308 svchost.exe 0xcf0f6077a080 12 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc C:\WINDOWS\system32\svchost.exe
** 2136 1308 svchost.exe 0xcf0f5db0e080 8 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s hidserv C:\WINDOWS\system32\svchost.exe
** 2152 1308 svchost.exe 0xcf0f5db1f080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k UserProfileService -p -s ProfSvc C:\WINDOWS\system32\svchost.exe
** 4716 1308 svchost.exe 0xcf0f5eb3f080 4 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation C:\WINDOWS\System32\svchost.exe
** 11888 1308 svchost.exe 0xcf0f61147080 12 - 0 False 2026-03-26 00:04:10.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService C:\WINDOWS\system32\svchost.exe
** 5744 1308 MidiSrv.exe 0xcf0f602be080 2 - 0 False 2026-03-26 00:30:10.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\MidiSrv.exe - -
** 10352 1308 svchost.exe 0xcf0f693a9080 5 - 0 False 2026-03-26 06:28:58.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SensorService C:\WINDOWS\system32\svchost.exe
** 1652 1308 WUDFHost.exe 0xcf0f5d84d0c0 8 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\WUDFHost.exe "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-02fe0323-3486-4d4d-bd54-6a656e504162 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-0940e1d3-9711-4ff3-9c74-185ec5f899c9 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-1daaa6a8-efce-4a8c-a1a9-c3aebd5b1d5e -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-023ef68b-2060-4228-beed-e266a739ca4b -LifetimeId:f84e0368-af32-4a70-9cca-a4783f726d16 -DeviceGroupId: -HostArg:0 C:\Windows\System32\WUDFHost.exe
** 3192 1308 svchost.exe 0xcf0f5e038080 15 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p C:\WINDOWS\system32\svchost.exe
** 2680 1308 svchost.exe 0xcf0f5dfaa080 11 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k NetworkService -p C:\WINDOWS\system32\svchost.exe
** 9856 1308 svchost.exe 0xcf0f5f8b6080 6 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc C:\WINDOWS\System32\svchost.exe
** 3208 1308 svchost.exe 0xcf0f5dd64080 9 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog C:\WINDOWS\System32\svchost.exe
** 16524 1308 NisSrv.exe 0xcf0f6335a080 14 - 0 False 2026-03-26 00:14:38.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\NisSrv.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\NisSrv.exe" C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\NisSrv.exe
** 2192 1308 svchost.exe 0xcf0f7f4130c0 4 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService C:\WINDOWS\system32\svchost.exe
** 8852 1308 svchost.exe 0xcf0f5fa5c080 7 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s TokenBroker C:\WINDOWS\system32\svchost.exe
** 23188 1308 svchost.exe 0xcf0f76b38080 5 - 0 False 2026-03-27 09:17:50.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s NetSetupSvc C:\WINDOWS\System32\svchost.exe
** 2716 1308 WMIRegistratio 0xcf0f5ec07080 2 - 0 True 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\mewmiprov.inf_amd64_d51901c26227fb29\WMIRegistrationService.exe - -
*** 9156 2716 mofcomp.exe 0xcf0f5f5d5080 0 - 0 True 2026-03-26 00:04:08.000000 UTC 2026-03-26 00:04:09.000000 UTC \Device\HarddiskVolume3\Windows\SysWOW64\wbem\mofcomp.exe - -
*** 8772 2716 mofcomp.exe 0xcf0f5ee03080 0 - 0 True 2026-03-26 00:04:09.000000 UTC 2026-03-26 00:04:09.000000 UTC \Device\HarddiskVolume3\Windows\SysWOW64\wbem\mofcomp.exe - -
** 18076 1308 svchost.exe 0xcf0f74360080 17 - 0 False 2026-03-29 12:38:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS C:\WINDOWS\System32\svchost.exe
** 1700 1308 svchost.exe 0xcf0f5daec0c0 3 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService C:\WINDOWS\System32\svchost.exe
** 10920 1308 svchost.exe 0xcf0f60b1a080 11 - 0 False 2026-03-26 00:04:10.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs -p C:\WINDOWS\System32\svchost.exe
** 26284 1308 svchost.exe 0xcf0f867c6080 3 - 0 False 2026-03-29 00:35:46.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc C:\WINDOWS\system32\svchost.exe
** 1716 1308 svchost.exe 0xcf0f5d6cd180 16 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k RPCSS -p C:\WINDOWS\system32\svchost.exe
** 2228 1308 svchost.exe 0xcf0f5db63080 5 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s nsi C:\WINDOWS\system32\svchost.exe
** 14516 1308 svchost.exe 0xcf0f63663080 7 - 6 False 2026-03-29 11:17:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup C:\WINDOWS\system32\svchost.exe
** 3264 1308 svchost.exe 0xcf0f5dd97080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain C:\WINDOWS\system32\svchost.exe
** 3272 1308 svchost.exe 0xcf0f5dd9a080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s Themes C:\WINDOWS\System32\svchost.exe
** 3280 1308 svchost.exe 0xcf0f5e03a080 5 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceRedirectionGuard -p -s EventSystem C:\WINDOWS\system32\svchost.exe
** 1756 1308 svchost.exe 0xcf0f5d94e080 5 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM C:\WINDOWS\system32\svchost.exe
** 2788 1308 svchost.exe 0xcf0f62640080 8 - 0 False 2026-03-26 00:06:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s UsoSvc C:\WINDOWS\system32\svchost.exe
** 16612 1308 MpDefenderCore 0xcf0f62d47080 7 - 0 False 2026-03-26 00:14:32.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\MpDefenderCoreService.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\MpDefenderCoreService.exe" C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\MpDefenderCoreService.exe
** 11496 1308 svchost.exe 0xcf0f636e0080 19 - 0 False 2026-03-26 00:06:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k whesvc -p -s whesvc C:\WINDOWS\system32\svchost.exe
** 3824 1308 svchost.exe 0xcf0f5e4e6080 15 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k appmodel -p -s StateRepository C:\WINDOWS\system32\svchost.exe
** 19696 1308 OfficeClickToR 0xcf0f7ed130c0 17 - 0 False 2026-03-29 11:24:32.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
*** 5816 19696 AppVShNotify.e 0xcf0f85ed9080 1 - 6 False 2026-03-29 11:24:53.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe
** 4352 1308 svchost.exe 0xcf0f5e7d4080 11 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k WebThreatDefense -p -s webthreatdefsvc C:\WINDOWS\system32\svchost.exe
** 11016 1308 svchost.exe 0xcf0f60bc4080 2 - 0 False 2026-03-26 00:04:10.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p C:\WINDOWS\System32\svchost.exe
** 2312 1308 SecurityHealth 0xcf0f63358080 12 - 0 False 2026-03-26 00:04:18.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\SecurityHealthService.exe C:\WINDOWS\system32\SecurityHealthService.exe C:\WINDOWS\system32\SecurityHealthService.exe
** 14600 1308 svchost.exe 0xcf0f5f8e4080 8 - 0 False 2026-03-26 00:06:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc C:\WINDOWS\System32\svchost.exe
** 4876 1308 svchost.exe 0xcf0f5eb8a080 7 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k apphost -s AppHostSvc C:\WINDOWS\system32\svchost.exe
** 1808 1308 svchost.exe 0xcf0f5daf2080 3 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc C:\WINDOWS\system32\svchost.exe
** 3856 1308 svchost.exe 0xcf0f5e54b080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Wcmsvc C:\WINDOWS\system32\svchost.exe
** 4884 1308 svchost.exe 0xcf0f5eb87080 12 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k utcsvc -p C:\WINDOWS\System32\svchost.exe
*** 8800 4884 AggregatorHost 0xcf0f5f893080 4 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\AggregatorHost.exe AggregatorHost.exe C:\WINDOWS\System32\AggregatorHost.exe
** 3864 1308 svchost.exe 0xcf0f5e51d080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s DusmSvc C:\WINDOWS\System32\svchost.exe
** 24856 1308 svchost.exe 0xcf0f7e82e080 3 - 6 False 2026-03-29 11:15:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc C:\WINDOWS\system32\svchost.exe
** 2332 1308 svchost.exe 0xcf0f5db7b080 8 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s UserManager C:\WINDOWS\system32\svchost.exe
*** 21556 2332 sihost.exe 0xcf0f860c50c0 13 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\sihost.exe sihost.exe C:\WINDOWS\system32\sihost.exe
**** 13916 21556 ShellHost.exe 0xcf0f7fac5080 17 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\ShellHost.exe "C:\Windows\System32\ShellHost.exe" C:\Windows\System32\ShellHost.exe
**** 21068 21556 CrossDeviceRes 0xcf0f7ebae080 16 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe" /tileid MicrosoftWindows.Client.CBS_cw5n1h2txyewy!CrossDeviceResumeApp C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe
** 4892 1308 svchost.exe 0xcf0f5eb230c0 2 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService C:\WINDOWS\system32\svchost.exe
*** 6264 4892 dasHost.exe 0xcf0f60003080 4 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\dasHost.exe dashost.exe {ed11ad81-9b55-4102-a606db859d247496} C:\WINDOWS\system32\dashost.exe
** 17692 1308 svchost.exe 0xcf0f62775080 5 - 6 False 2026-03-29 11:16:33.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s NPSMSvc C:\WINDOWS\system32\svchost.exe
(omitted)
** 3872 1308 vpnagent.exe 0xcf0f5e522080 8 - 0 True 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe - -
** 2340 1308 svchost.exe 0xcf0f5db7f080 9 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm C:\WINDOWS\System32\svchost.exe
** 4900 1308 GameInputRedis 0xcf0f5eb27080 10 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Microsoft GameInput\x64\GameInputRedistService.exe "C:\Program Files\Microsoft GameInput\x64\GameInputRedistService.exe" C:\Program Files\Microsoft GameInput\x64\GameInputRedistService.exe
*** 21108 4900 GameInputRedis 0xcf0f61384080 2 - 6 False 2026-03-29 11:15:10.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Microsoft GameInput\x64\GameInputRedistService.exe "C:\Program Files\Microsoft GameInput\x64\GameInputRedistService.exe" /session=\\.\pipe\GameInputServiceSession-002facbe217bd60d-00000006 C:\Program Files\Microsoft GameInput\x64\GameInputRedistService.exe
** 4912 1308 GooglePlayGame 0xcf0f5dd3b080 95 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games Services\26.3.490.0\Service\GooglePlayGamesServices.exe "C:\Program Files\Google\Play Games Services\26.3.490.0\Service\GooglePlayGamesServices.exe" C:\Program Files\Google\Play Games Services\26.3.490.0\Service\GooglePlayGamesServices.exe
*** 7812 4912 crashpad_handl 0xcf0f5f570140 6 - 0 False 2026-03-26 00:04:07.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games Services\26.3.490.0\Service\data\windows.assets\crashpad_handler.exe - -
** 10036 1308 svchost.exe 0xcf0f5f8cb080 2 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall C:\WINDOWS\system32\svchost.exe
** 4920 1308 svchost.exe 0xcf0f5dd51080 17 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS C:\WINDOWS\System32\svchost.exe
** 9532 1308 svchost.exe 0xcf0f5f9d6080 9 - 0 False 2026-03-26 00:04:09.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s CDPSvc C:\WINDOWS\system32\svchost.exe
** 4932 1308 TbtP2pShortcut 0xcf0f5ec220c0 3 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\TbtP2pShortcutService.exe - -
** 6980 1308 svchost.exe 0xcf0f5c0fd080 7 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s LanmanServer C:\WINDOWS\system32\svchost.exe
** 4940 1308 svchost.exe 0xcf0f5eb32080 28 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k iissvcs C:\WINDOWS\system32\svchost.exe
** 4948 1308 sesinetd.exe 0xcf0f5eb29080 9 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Side Effects Software\License Server\sesinetd.exe "C:\Program Files\Side Effects Software\License Server\sesinetd.exe" C:\Program Files\Side Effects Software\License Server\sesinetd.exe
** 16724 1308 svchost.exe 0xcf0f626f3080 5 - 0 False 2026-03-26 00:04:55.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k InvSvcGroup -p -s InventorySvc C:\WINDOWS\system32\svchost.exe
** 26452 1308 svchost.exe 0xcf0f7eba00c0 29 - 0 False 2026-03-29 13:24:27.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc C:\WINDOWS\system32\svchost.exe
** 16728 1308 MsMpEng.exe 0xcf0f655940c0 71 - 0 False 2026-03-26 00:14:32.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\MsMpEng.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\MsMpEng.exe" C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26020.6-0\MsMpEng.exe
** 3420 1308 svchost.exe 0xcf0f5e1e9080 3 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe - -
** 4956 1308 svchost.exe 0xcf0f5ec26080 1 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s SstpSvc C:\WINDOWS\system32\svchost.exe
** 9056 1308 svchost.exe 0xcf0f5e519080 5 - 0 False 2026-03-26 00:04:08.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k osprivacy -p -s camsvc C:\WINDOWS\system32\svchost.exe
** 16736 1308 vmcompute.exe 0xcf0f6856a080 4 - 0 False 2026-03-26 05:18:14.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\vmcompute.exe C:\WINDOWS\system32\vmcompute.exe C:\WINDOWS\system32\vmcompute.exe
*** 8156 16736 vmwp.exe 0xcf0f64a07080 0 - 0 False 2026-03-26 05:18:14.000000 UTC 2026-03-26 05:19:32.000000 UTC \Device\HarddiskVolume3\Windows\System32\vmwp.exe - -
** 4964 1308 svchost.exe 0xcf0f5eb2f080 6 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k NetSvcs -p -s iphlpsvc C:\WINDOWS\System32\svchost.exe
** 4972 1308 RtkAudUService 0xcf0f5ec430c0 14 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_fdd83e4dd87bcfa1\RtkAudUService64.exe - -
** 20332 1308 svchost.exe 0xcf0f6efe5080 6 - 0 False 2026-03-26 06:59:49.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe - -
** 2932 1308 svchost.exe 0xcf0f5dde6080 6 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp C:\WINDOWS\system32\svchost.exe
** 3448 1308 svchost.exe 0xcf0f5e2430c0 3 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder C:\WINDOWS\System32\svchost.exe
** 4988 1308 jhi_service.ex 0xcf0f5ec4a080 2 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_af50fdb80983f7bc\jhi_service.exe C:\WINDOWS\System32\DriverStore\FileRepository\dal.inf_amd64_af50fdb80983f7bc\jhi_service.exe C:\WINDOWS\System32\DriverStore\FileRepository\dal.inf_amd64_af50fdb80983f7bc\jhi_service.exe
** 3456 1308 svchost.exe 0xcf0f5e249080 8 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s FontCache C:\WINDOWS\system32\svchost.exe
** 4996 1308 svchost.exe 0xcf0f5ec4d080 5 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\svchost.exe
** 19336 1308 SearchIndexer. 0xcf0f6ca68080 15 - 0 False 2026-03-29 11:25:35.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\SearchIndexer.exe C:\WINDOWS\system32\SearchIndexer.exe /Embedding C:\WINDOWS\system32\SearchIndexer.exe
** 5004 1308 RstMwService.e 0xcf0f5ec52080 6 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\iaahcic.inf_amd64_186a3f5e688b24d7\RstMwService.exe C:\WINDOWS\System32\DriverStore\FileRepository\iaahcic.inf_amd64_186a3f5e688b24d7\RstMwService.exe C:\WINDOWS\System32\DriverStore\FileRepository\iaahcic.inf_amd64_186a3f5e688b24d7\RstMwService.exe
** 1420 1308 svchost.exe 0xcf0f7d8b70c0 14 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc C:\WINDOWS\system32\svchost.exe
** 8080 1308 svchost.exe 0xcf0f5fbec080 9 - 0 False 2026-03-26 00:04:07.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV C:\WINDOWS\system32\svchost.exe
** 1940 1308 svchost.exe 0xcf0f5da56080 1 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s HvHost C:\WINDOWS\system32\svchost.exe
** 4500 1308 svchost.exe 0xcf0f5ddeb080 5 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s ShellHWDetection C:\WINDOWS\System32\svchost.exe
** 5012 1308 VSSrv.exe 0xcf0f5ec540c0 5 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\VSSrv.exe - -
*** 14380 5012 VSHelper.exe 0xcf0f750430c0 2 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\VSHelper.exe "C:\WINDOWS\system32\VSHelper.exe" C:\WINDOWS\system32\VSHelper.exe
** 21400 1308 svchost.exe 0xcf0f70ab6080 5 - 0 False 2026-03-26 06:28:58.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe - -
** 5020 1308 svchost.exe 0xcf0f5ec45080 6 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s WpnService C:\WINDOWS\system32\svchost.exe
** 17308 1308 svchost.exe 0xcf0f6da8a080 5 - 0 False 2026-03-26 06:06:17.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalService -p -s WdiServiceHost C:\WINDOWS\System32\svchost.exe
** 1956 1308 svchost.exe 0xcf0f5da52080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts C:\WINDOWS\System32\svchost.exe
** 5028 1308 svchost.exe 0xcf0f5ec55080 12 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Winmgmt C:\WINDOWS\system32\svchost.exe
** 2472 1308 svchost.exe 0xcf0f63cdf080 4 - 0 False 2026-03-26 00:05:22.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalService -p -s LicenseManager C:\WINDOWS\System32\svchost.exe
** 2476 1308 svchost.exe 0xcf0f5dc3d080 3 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork -p C:\WINDOWS\system32\svchost.exe
** 5036 1308 nvcontainer.ex 0xcf0f5ec2e080 29 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe - -
*** 17920 5036 rundll32.exe 0xcf0f74203080 0 - 2 False 2026-03-27 00:02:43.000000 UTC 2026-03-27 00:02:43.000000 UTC \Device\HarddiskVolume3\Windows\System32\rundll32.exe - -
*** 1252 5036 rundll32.exe 0xcf0f762230c0 0 - 3 False 2026-03-27 08:00:31.000000 UTC 2026-03-27 08:00:32.000000 UTC \Device\HarddiskVolume3\Windows\System32\rundll32.exe - -
*** 10856 5036 nvcontainer.ex 0xcf0f85edf080 21 - 6 False 2026-03-29 07:58:52.000000 UTC N/A \Device\HarddiskVolume3\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -f "C:\ProgramData\NVIDIA Corporation\NVIDIA App\NvContainer\NvContainerSession%d.log" -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\Session" -r -l 3 -p 30000 -ert -c C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
*** 11212 5036 rundll32.exe 0xcf0f60b18080 0 - 1 False 2026-03-26 00:04:10.000000 UTC 2026-03-26 00:04:10.000000 UTC \Device\HarddiskVolume3\Windows\System32\rundll32.exe - -
*** 1140 5036 rundll32.exe 0xcf0f6f1b5080 0 - 4 False 2026-03-28 08:46:50.000000 UTC 2026-03-28 08:46:51.000000 UTC \Device\HarddiskVolume3\Windows\System32\rundll32.exe - -
*** 15508 5036 rundll32.exe 0xcf0f64ba60c0 0 - 6 False 2026-03-29 11:15:11.000000 UTC 2026-03-29 11:15:11.000000 UTC \Device\HarddiskVolume3\Windows\System32\rundll32.exe - -
*** 16376 5036 rundll32.exe 0xcf0f70b4b180 0 - 5 False 2026-03-29 00:35:46.000000 UTC 2026-03-29 00:35:46.000000 UTC \Device\HarddiskVolume3\Windows\System32\rundll32.exe - -
** 5044 1308 svchost.exe 0xcf0f5ec5b080 3 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks C:\WINDOWS\System32\svchost.exe
** 9140 1308 gamingservices 0xcf0f5f573080 38 - 0 False 2026-03-26 00:04:08.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.GamingServices_34.111.20001.0_x64__8wekyb3d8bbwe\gamingservicesnet.exe - -
** 11188 1308 svchost.exe 0xcf0f5e831080 4 - 0 False 2026-03-26 00:04:10.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc C:\WINDOWS\system32\svchost.exe
*** 11248 11188 NgcIso.exe 0xcf0f60c870c0 1 - 0 False 2026-03-26 00:04:10.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\NgcIso.exe \??\C:\WINDOWS\System32\NgcIso.exe \??\C:\WINDOWS\System32\NgcIso.exe
** 9148 1308 gamingservices 0xcf0f5f572080 26 - 0 False 2026-03-26 00:04:08.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.GamingServices_34.111.20001.0_x64__8wekyb3d8bbwe\gamingservices.exe "C:\Program Files\WindowsApps\Microsoft.GamingServices_34.111.20001.0_x64__8wekyb3d8bbwe\GamingServices.exe" C:\Program Files\WindowsApps\Microsoft.GamingServices_34.111.20001.0_x64__8wekyb3d8bbwe\GamingServices.exe
** 18880 1308 svchost.exe 0xcf0f78ce70c0 3 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s webthreatdefusersvc C:\WINDOWS\system32\svchost.exe
** 3020 1308 svchost.exe 0xcf0f5dd31080 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalServiceHttp -p C:\WINDOWS\system32\svchost.exe
** 9164 1308 svchost.exe 0xcf0f5f5be080 2 - 0 False 2026-03-26 00:04:08.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k WSAIFabricSvcGroup -p -s WSAIFabricSvc C:\WINDOWS\system32\svchost.exe
** 5072 1308 wslservice.exe 0xcf0f5ec09080 12 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WSL\wslservice.exe "C:\Program Files\WSL\wslservice.exe" C:\Program Files\WSL\wslservice.exe
** 3028 1308 svchost.exe 0xcf0f5dd500c0 7 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k NetSvcs -p -s HNS C:\WINDOWS\system32\svchost.exe
** 19924 1308 svchost.exe 0xcf0f721020c0 7 - 0 False 2026-03-26 05:18:55.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient C:\WINDOWS\system32\svchost.exe
** 11732 1308 WUDFHost.exe 0xcf0f7b08e080 7 - 0 False 2026-03-29 11:59:13.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\WUDFHost.exe "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-732ea4e3-c26f-49de-aed2-48247fa1b2f2 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-1abfb265-d295-4a72-9f5d-f9ad375338e9 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-0af52826-a526-4258-8464-eea90a89ebd4 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-217a00d6-57fa-4747-9a5b-8e1ab495a99f -LifetimeId:233e4181-9607-492b-a1c9-e8831e5b6ded -DeviceGroupId:WpdFsGroup -HostArg:0 C:\Windows\System32\WUDFHost.exe
** 3544 1308 svchost.exe 0xcf0f5e0c60c0 4 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe - -
** 18396 1308 svchost.exe 0xcf0f764ab080 5 - 6 False 2026-03-29 11:15:13.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc C:\WINDOWS\system32\svchost.exe
** 3552 1308 svchost.exe 0xcf0f5e2b4080 11 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p C:\WINDOWS\System32\svchost.exe
*** 11128 3552 audiodg.exe 0xcf0f66648080 7 - 0 False 2026-03-29 00:35:45.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\audiodg.exe C:\WINDOWS\system32\AUDIODG.EXE 0x000000000000060C C:\WINDOWS\system32\AUDIODG.EXE
** 4584 1308 spoolsv.exe 0xcf0f573590c0 7 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\spoolsv.exe C:\WINDOWS\System32\spoolsv.exe C:\WINDOWS\System32\spoolsv.exe
** 5100 1308 svchost.exe 0xcf0f5c217080 12 - 0 False 2026-03-26 00:04:06.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\svchost.exe
** 2548 1308 svchost.exe 0xcf0f5dee4080 8 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\svchost.exe C:\WINDOWS\system32\svchost.exe -k NetworkService -p C:\WINDOWS\system32\svchost.exe
* 1576 1220 fontdrvhost.ex 0xcf0f5d25e080 5 - 0 False 2026-03-26 00:04:05.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\fontdrvhost.exe - -
1228 1212 csrss.exe 0xcf0f5d5c6140 0 - 1 False 2026-03-26 00:04:04.000000 UTC 2026-03-26 15:58:29.000000 UTC \Device\HarddiskVolume3\Windows\System32\csrss.exe - -
1852 1336 dwm.exe 0xcf0f5d9ea0c0 0 - 1 False 2026-03-26 00:04:05.000000 UTC 2026-03-26 15:58:28.000000 UTC \Device\HarddiskVolume3\Windows\System32\dwm.exe - -
15944 11300 msedgewebview2 0xcf0f6a49f080 0 - 1 False 2026-03-26 04:21:12.000000 UTC 2026-03-26 15:58:26.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
17716 11300 msedgewebview2 0xcf0f6a49c080 0 - 1 False 2026-03-26 04:21:12.000000 UTC 2026-03-26 15:58:26.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
14240 11300 msedgewebview2 0xcf0f6dc7f080 0 - 1 False 2026-03-26 04:21:12.000000 UTC 2026-03-26 15:58:26.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
18248 11300 msedgewebview2 0xcf0f6e383080 0 - 1 False 2026-03-26 04:21:12.000000 UTC 2026-03-26 15:58:26.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
13924 11300 msedgewebview2 0xcf0f6e3cd080 0 - 1 False 2026-03-26 04:21:12.000000 UTC 2026-03-26 15:58:26.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
6272 19580 OverwolfBrowse 0xcf0f7447e080 0 - 1 False 2026-03-26 08:17:01.000000 UTC 2026-03-26 15:58:26.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Overwolf\0.294.3.2\OverwolfBrowser.exe - -
17868 24132 Discord.exe 0xcf0f7712c080 0 - 2 False 2026-03-27 02:17:08.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe - -
5268 5860 msedgewebview2 0xcf0f6840b080 0 - 2 False 2026-03-27 04:57:14.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
8252 5860 msedgewebview2 0xcf0f74758080 0 - 2 False 2026-03-27 04:57:14.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
19232 5860 msedgewebview2 0xcf0f70c4e080 0 - 2 False 2026-03-27 04:57:14.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
23088 5860 msedgewebview2 0xcf0f69b3b080 0 - 2 False 2026-03-27 04:57:14.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
14936 5860 msedgewebview2 0xcf0f7547e080 0 - 2 False 2026-03-27 04:57:14.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
21324 20400 OverwolfBrowse 0xcf0f666760c0 0 - 2 False 2026-03-27 05:03:33.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe - -
10900 5852 Minecraft.exe 0xcf0f71b73080 0 - 2 False 2026-03-27 05:30:39.000000 UTC 2026-03-27 05:39:02.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
* 14820 10900 Minecraft.exe 0xcf0f6a3cd0c0 0 - 2 False 2026-03-27 05:30:45.000000 UTC 2026-03-27 05:39:02.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
* 10980 10900 Minecraft.exe 0xcf0f6a011080 0 - 2 False 2026-03-27 05:30:45.000000 UTC 2026-03-27 05:39:02.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
* 16808 10900 Minecraft.exe 0xcf0f64ea70c0 0 - 2 False 2026-03-27 05:30:45.000000 UTC 2026-03-27 05:39:02.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
* 8908 10900 Minecraft.exe 0xcf0f69e38080 0 - 2 False 2026-03-27 05:30:45.000000 UTC 2026-03-27 05:39:02.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
* 18348 10900 Minecraft.exe 0xcf0f6a5f6080 0 - 2 False 2026-03-27 05:30:45.000000 UTC 2026-03-27 05:39:02.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
* 18996 10900 Minecraft.exe 0xcf0f7d722080 0 - 2 False 2026-03-27 05:32:45.000000 UTC 2026-03-27 05:32:46.000000 UTC \Device\HarddiskVolume3\XboxGames\Minecraft Launcher\Content\Minecraft.exe - -
11012 23296 CurseForge.exe 0xcf0f73ff0080 0 - 2 False 2026-03-27 05:33:30.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
21932 23296 CurseForge.exe 0xcf0f7dbee080 0 - 2 False 2026-03-27 05:33:31.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
22676 23296 CurseForge.exe 0xcf0f77630080 0 - 2 False 2026-03-27 05:33:31.000000 UTC 2026-03-27 07:21:59.000000 UTC \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
15792 14720 msedgewebview2 0xcf0f688c50c0 0 - 3 False 2026-03-27 09:23:03.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
22868 14720 msedgewebview2 0xcf0f77c98080 0 - 3 False 2026-03-27 09:23:03.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
23984 14720 msedgewebview2 0xcf0f6d93e080 0 - 3 False 2026-03-27 09:23:03.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
23540 14720 msedgewebview2 0xcf0f6b225080 0 - 3 False 2026-03-27 09:23:03.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
12068 14720 msedgewebview2 0xcf0f613a2080 0 - 3 False 2026-03-27 09:23:03.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeWebView\Application\146.0.3856.72\msedgewebview2.exe - -
8840 12708 Discord.exe 0xcf0f7ea56080 0 - 3 False 2026-03-27 09:46:42.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe - -
10516 14612 CurseForge.exe 0xcf0f627540c0 0 - 3 False 2026-03-27 16:13:16.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
25852 14612 CurseForge.exe 0xcf0f89be0080 0 - 3 False 2026-03-27 16:13:18.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
2840 14612 CurseForge.exe 0xcf0f853ec080 0 - 3 False 2026-03-27 16:13:18.000000 UTC 2026-03-27 16:15:33.000000 UTC \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
22984 15520 Discord.exe 0xcf0f7be23080 0 - 4 False 2026-03-28 08:47:09.000000 UTC 2026-03-28 15:26:07.000000 UTC \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe - -
11696 18700 Riot Client.ex 0xcf0f7d5e70c0 0 - 5 False 2026-03-29 02:56:10.000000 UTC 2026-03-29 02:56:19.000000 UTC \Device\HarddiskVolume3\Riot Games\Riot Client\RiotClientElectron\Riot Client.exe - -
2276 21564 Riot Client.ex 0xcf0f7e231080 0 - 5 False 2026-03-29 03:01:10.000000 UTC 2026-03-29 03:03:54.000000 UTC \Device\HarddiskVolume3\Riot Games\Riot Client\RiotClientElectron\Riot Client.exe - -
26224 4136 csrss.exe 0xcf0f7fec8080 16 - 6 False 2026-03-29 07:58:46.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\csrss.exe - -
19484 4136 winlogon.exe 0xcf0f78df3080 4 - 6 False 2026-03-29 07:58:46.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\winlogon.exe C:\WINDOWS\System32\WinLogon.exe -SpecialSession C:\WINDOWS\System32\WinLogon.exe
* 6856 19484 fontdrvhost.ex 0xcf0f62d6e080 5 - 6 False 2026-03-29 07:58:47.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\fontdrvhost.exe "fontdrvhost.exe" C:\WINDOWS\System32\fontdrvhost.exe
* 8952 19484 userinit.exe 0xcf0f813eb080 0 - 6 False 2026-03-29 11:15:11.000000 UTC 2026-03-29 11:15:35.000000 UTC \Device\HarddiskVolume3\Windows\System32\userinit.exe - -
** 16976 8952 explorer.exe 0xcf0f7e0260c0 149 - 6 False 2026-03-29 11:15:11.000000 UTC N/A \Device\HarddiskVolume3\Windows\explorer.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\Explorer.EXE
*** 20552 16976 CurseForge.exe 0xcf0f748e7080 45 - 6 False 2026-03-29 11:15:28.000000 UTC N/A - "C:\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe" --minimized C:\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe
***** 13524 13272 conhost.exe 0xcf0f69e54080 2 - 6 False 2026-03-29 11:15:35.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\conhost.exe \??\C:\WINDOWS\system32\conhost.exe 0x4 C:\WINDOWS\system32\conhost.exe
**** 21144 20552 CurseForge.exe 0xcf0f878d4080 18 - 6 False 2026-03-29 11:15:29.000000 UTC N/A \Device\HarddiskVolume3\Users\悠輝\AppData\Local\Programs\CurseForge Windows\CurseForge.exe - -
*** 13832 16976 msedge.exe 0xcf0f6c45a080 62 - 6 False 2026-03-29 11:15:43.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 15776 13832 msedge.exe 0xcf0f6665f080 10 - 6 False 2026-03-29 11:16:30.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ja --service-sandbox-type=none --skip-read-main-dll --metrics-shmem-handle=9056,i,13317113161741276049,17607072925576236139,524288 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190709011612001417 --mojo-platform-channel-handle=4912 /prefetch:14 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 23648 13832 identity_helpe 0xcf0f766680c0 0 - 6 False 2026-03-29 14:12:33.000000 UTC 2026-03-29 14:12:46.000000 UTC - - -
**** 24292 13832 msedge.exe 0xcf0f74adb080 14 - 6 False 2026-03-29 11:16:30.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ja --service-sandbox-type=audio --skip-read-main-dll --metrics-shmem-handle=5284,i,18222844722283119483,4965874619559977075,524288 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190709010674959568 --mojo-platform-channel-handle=1528 /prefetch:12 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 8760 13832 msedge.exe 0xcf0f78132080 14 - 6 False 2026-03-29 13:18:22.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=ja --js-flags=--ms-user-locale=ja_JP --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=183 --time-ticks-at-unix-epoch=-1774483329593003 --launch-time-ticks=306972494636 --skip-read-main-dll --metrics-shmem-handle=10564,i,10263624083723650228,2344173902041576294,2097152 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190709157790529861 --mojo-platform-channel-handle=6448 /prefetch:1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 25612 13832 msedge.exe 0xcf0f88cd9080 11 - 6 False 2026-03-29 11:15:44.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ja --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2896,i,1061042348122228180,14733986313932781808,524288 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2652 /prefetch:13 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 13228 13832 msedge.exe 0xcf0f7e639240 10 - 6 False 2026-03-29 11:16:44.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=ja --service-sandbox-type=search_indexer --message-loop-type-ui --skip-read-main-dll --metrics-shmem-handle=10072,i,6165548529489645957,6595408836193511620,524288 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190709014423126964 --mojo-platform-channel-handle=7540 /prefetch:14 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 18928 13832 msedge.exe 0xcf0f6b98d080 23 - 6 False 2026-03-29 11:15:43.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=d3d11-warp-webgl --startup-read-main-dll --metrics-shmem-handle=2232,i,6066599745757972484,3469512019874941405,262144 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2404 /prefetch:2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 22644 13832 msedge.exe 0xcf0f64d3b080 23 - 6 False 2026-03-29 11:15:43.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ja --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=2628,i,5634964532108937702,10457538121506892517,524288 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2516 /prefetch:11 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 22552 13832 msedge.exe 0xcf0f6cf66080 9 - 6 False 2026-03-29 11:15:43.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\悠輝\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\悠輝\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=146.0.7680.166 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=146.0.3856.84 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7fffb9d034d8,0x7fffb9d034e4,0x7fffb9d034f0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
**** 24188 13832 msedge.exe 0xcf0f7a317080 30 - 6 False 2026-03-29 11:15:50.000000 UTC N/A \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=ja --js-flags=--ms-user-locale=ja_JP --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --time-ticks-at-unix-epoch=-1774483329593003 --launch-time-ticks=299620799336 --skip-read-main-dll --metrics-shmem-handle=9016,i,12607789552282059531,18316255274734178555,2097152 --field-trial-handle=2416,i,10090542469194116029,14277677499041878799,262144 --variations-seed-version --pseudonymization-salt-handle=2420,i,5677195297526739616,3531604635189780866,4 --trace-process-track-uuid=3190709003178624776 --mojo-platform-channel-handle=5204 /prefetch:1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
*** 10932 16976 debian.exe 0xcf0f731b8080 4 - 6 False 2026-03-29 14:10:04.000000 UTC N/A \Device\HarddiskVolume3\Program Files\WindowsApps\TheDebianProject.DebianGNULinux_1.24.0.0_x64__76v4gfsz19hv4\debian.exe "C:\Program Files\WindowsApps\TheDebianProject.DebianGNULinux_1.24.0.0_x64__76v4gfsz19hv4\debian.exe" C:\Program Files\WindowsApps\TheDebianProject.DebianGNULinux_1.24.0.0_x64__76v4gfsz19hv4\debian.exe
**** 25664 10932 conhost.exe 0xcf0f7b715080 2 - 6 False 2026-03-29 14:10:04.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\conhost.exe \??\C:\WINDOWS\system32\conhost.exe 0x4 C:\WINDOWS\system32\conhost.exe
**** 20396 10932 wsl.exe 0xcf0f6b2f5080 1 - 6 False 2026-03-29 14:10:04.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\wsl.exe C:\WINDOWS\system32\wsl.exe ~ --distribution Debian C:\WINDOWS\system32\wsl.exe
*** 23628 16976 SecurityHealth 0xcf0f607e9080 1 - 6 False 2026-03-29 11:15:27.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\SecurityHealthSystray.exe "C:\Windows\System32\SecurityHealthSystray.exe" C:\Windows\System32\SecurityHealthSystray.exe
* 6892 19484 dwm.exe 0xcf0f6130d080 68 - 6 False 2026-03-29 07:58:47.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\dwm.exe "dwm.exe" C:\WINDOWS\System32\dwm.exe
5676 24964 Discord.exe 0xcf0f780e5080 54 - 6 False 2026-03-29 11:15:21.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe "C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe" C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe
* 17956 5676 Discord.exe 0xcf0f8aed0080 15 - 6 False 2026-03-29 11:15:22.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe "C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ja --service-sandbox-type=none --user-data-dir="C:\Users\悠輝\AppData\Roaming\discord" --standard-schemes=disclip --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --streaming-schemes=disclip --field-trial-handle=1784,i,13439529987668311866,1351910273622748155,262144 --enable-features=EnableTransparentHwndEnlargement --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,ScreenAIOCREnabled,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2024 /prefetch:11 C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe
* 440 5676 Discord.exe 0xcf0f78487080 7 - 6 False 2026-03-29 11:15:25.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe "C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ja --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\悠輝\AppData\Roaming\discord" --standard-schemes=disclip --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --streaming-schemes=disclip --field-trial-handle=1784,i,13439529987668311866,1351910273622748155,262144 --enable-features=EnableTransparentHwndEnlargement --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,ScreenAIOCREnabled,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:12 C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe
* 6632 5676 Discord.exe 0xcf0f7fad6080 7 - 6 False 2026-03-29 11:15:22.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\悠輝\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\悠輝\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9230 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=37.6.0 --initial-client-data=0x4e4,0x4e8,0x4ec,0x4dc,0x4f0,0x7ff73528b074,0x7ff73528b080,0x7ff73528b090 C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe
* 5260 5676 Discord.exe 0xcf0f631a4080 49 - 6 False 2026-03-29 11:15:22.000000 UTC N/A \Device\HarddiskVolume3\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe "C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\悠輝\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1784,i,13439529987668311866,1351910273622748155,262144 --enable-features=EnableTransparentHwndEnlargement --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,ScreenAIOCREnabled,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1776 /prefetch:2 C:\ProgramData\悠輝\Discord\app-1.0.9230\Discord.exe
16148 17412 Service.exe 0xcf0f7e076080 228 - 6 False 2026-03-29 11:15:29.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\service\Service.exe "C:\Program Files\Google\Play Games\current\service\Service.exe" /bg C:\Program Files\Google\Play Games\current\service\Service.exe
* 14020 16148 crashpad_handl 0xcf0f626b7080 6 - 6 False 2026-03-29 11:15:31.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crashpad_handler.exe "C:\Program Files\Google\Play Games\current\emulator\crashpad_handler.exe" --no-rate-limit "--database=C:\Users\悠輝\AppData\Local\Google\Play Games\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=bss_session=67c19add-b371-4a0a-86d6-f59864f65b55 --annotation=channel=Beta "--annotation=cpu=11th Gen Intel(R) Core(TM) i7-11700 @ 2.50GHz" --annotation=gpu_hw_scheduler=True --annotation=prod=Battlestar "--annotation=system=MouseComputer ILeDXi-R059" --annotation=ver=26.3.469.0 --annotation=whpx=True "--attachment=C:\Users\悠輝\AppData\Local\Google\Play Games\Logs\emulator_logs\vk_abort_mem_info.log" "--attachment=C:\Users\悠輝\AppData\Local\Google\Play Games\Logs\emulator_logs\gpu_crash_dump.bin" --initial-client-data=0xa18,0xa1c,0xa20,0x9f4,0xa24,0x7fffc758f8a0,0x7fffc758f8b0,0x7fffc758f8c0 C:\Program Files\Google\Play Games\current\emulator\crashpad_handler.exe
** 14304 23812 crosvm.exe 0xcf0f847de080 154 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" run-main --bootstrap 1924 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 24544 23812 crosvm.exe 0xcf0f864dd080 43 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe - -
** 10948 23812 crosvm.exe 0xcf0f683860c0 30 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" run-metrics --bootstrap 1452 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 7912 23812 crosvm.exe 0xcf0f79fd8080 43 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" device block --bootstrap 2492 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 11816 23812 crosvm.exe 0xcf0f7f0e0080 11 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" run-slirp --bootstrap 3400 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 17340 23812 crosvm.exe 0xcf0f7ea90080 11 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" device net --bootstrap 3836 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 18032 23812 conhost.exe 0xcf0f848ed080 2 - 6 False 2026-03-29 11:16:21.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\conhost.exe \??\C:\WINDOWS\system32\conhost.exe 0x4 C:\WINDOWS\system32\conhost.exe
** 5972 23812 crosvm.exe 0xcf0f8250b080 43 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" device block --bootstrap 2132 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 20756 23812 crosvm.exe 0xcf0f7e41b080 146 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" device gpu --bootstrap 5616 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
** 10520 23812 crosvm.exe 0xcf0f7e2c8080 9 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe - -
** 21180 23812 crosvm.exe 0xcf0f8250c080 44 - 6 False 2026-03-29 11:16:23.000000 UTC N/A \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\crosvm.exe "C:\Program Files\Google\Play Games\current\emulator\crosvm.exe" device block --bootstrap 2836 C:\Program Files\Google\Play Games\current\emulator\crosvm.exe
* 17468 16148 bstrace.exe 0xcf0f82ec50c0 0 - 6 False 2026-03-29 11:16:21.000000 UTC 2026-03-29 11:16:21.000000 UTC \Device\HarddiskVolume3\Program Files\Google\Play Games\current\emulator\bstrace.exe - -
21732 15068 msiexec.exe 0xcf0f882ec080 0 - 0 False 2026-03-29 11:25:18.000000 UTC 2026-03-29 11:25:30.000000 UTC \Device\HarddiskVolume3\Windows\System32\msiexec.exe - -
13392 15068 msiexec.exe 0xcf0f7a54b080 0 - 0 False 2026-03-29 11:25:34.000000 UTC 2026-03-29 11:25:35.000000 UTC \Device\HarddiskVolume3\Windows\System32\msiexec.exe - -
21024 15068 msiexec.exe 0xcf0f82e240c0 0 - 0 False 2026-03-29 11:25:35.000000 UTC 2026-03-29 11:25:36.000000 UTC \Device\HarddiskVolume3\Windows\System32\msiexec.exe - -
19932 15068 msiexec.exe 0xcf0f6d7c0080 0 - 0 True 2026-03-29 11:25:36.000000 UTC 2026-03-29 11:25:36.000000 UTC \Device\HarddiskVolume3\Windows\SysWOW64\msiexec.exe - -
0 120259084365 0xcf0f72988080 0 - - True 1601-01-01 07:02:20.000000 UTC 1601-01-01 05:14:57.000000 UTC - - -
* 4 0 System 0xcf0f4c4bf040 415 - N/A False 2026-03-26 00:02:27.000000 UTC N/A - - -
** 808 4 smss.exe 0xcf0f55dce040 2 - N/A False 2026-03-26 00:02:27.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\smss.exe \SystemRoot\System32\smss.exe \SystemRoot\System32\smss.exe
** 236 4 Secure System 0xcf0f4c6e3040 0 - N/A False 2026-03-26 00:02:17.000000 UTC N/A - - -
** 276 4 Registry 0xcf0f4c7d0040 4 - N/A False 2026-03-26 00:02:17.000000 UTC N/A Registry - -
** 3380 4 MemCompression 0xcf0f5e11c040 66 - N/A False 2026-03-26 00:04:05.000000 UTC N/A MemCompression - -
201275099022152 155344671703180 0xcf0f6ede5080 1140850689 - - True - 1557-10-12 23:12:29.000000 UTC - - -
Just like last time, we got a loooong output. But looking closely, doesn't it have more columns than windows.pslist.PsList?
Comparing the two, three columns have been added:
Audit Cmd Path
- Audit: the audit information set on the process
- Cmd: the command-line information of the process
- Path: the full path to the executable (exe)
Audit and Cmd are a bit tricky. Audit is the setting for how the process's logs are recorded, and
Cmd holds the execution instruction given on the command line when the process was created, i.e. when the program was run.
The number of "*" (asterisks) in the output is proportional to the depth of nesting (more asterisks means deeper).
For example, lsass.exe and services.exe, which we looked at last time, belong under wininit.exe (PID 1220), as their PPID of 1220 shows.
But I couldn't work out which parent process wininit.exe and csrss.exe belong to (the PPID says 1068, so why?!).
Skimming through the output, there are a lot of processes whose parent is services.exe (PID 1308).
Probably most of them are svchost.exe.
Below those you can also see Widgets.exe and smartscreen.exe in the output.
Drawn as a diagram, it looks like this.
csrss.exe (PID 1132)
wininit.exe (PID 1220)
└─ services.exe (PID 1308)
   └─ svchost.exe (PID 1544)
      ├─ OpenConsole.exe (PID 3488)
      ├─ smartscreen.exe (PID 12612)
      ├─ CrossDeviceService.exe (PID 18632)
      ├─ Widgets.exe (PID 5544)
      ├─ RuntimeBroker.exe (PID 11304)
      ├─ StartMenuExperienceHost.exe (PID 3884)
      ├─ WmiPrvSE.exe (PID 18060)
      └─ SearchHost.exe (PID 7500)
"Since last time, knowing the structure tells us the process classification!"... is what I wanted to say, but rather than worrying about classification, I felt it is better to understand the parent-child relationships, for instance that all sorts of exes run under services.exe and svchost.exe. (There is no official classification.)
The one thing I can judge is that when the process's SessionID parameter is 0 it runs in the system or service session, and when it is 1 or higher it runs in a user session... maybe that's about it?
(A session is the execution space of that scope.)
It's not perfect, but I think you can at least tell whether a process is on the system/service side or the user side. Probably.
It's best to think of process classification as nothing more than an aid to understanding what is inside memory.
The next part I'm curious about is this.
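As an added example (not code from the original post), here is a small Python script that parses pstree rows as described above, rebuilds the tree from PID/PPID alone rather than from the asterisk column, tags each process with its SessionId kind (0 = system/service, 1 or more = user, N/A = none), and flags rows whose parent no longer appears in the table, like csrss.exe and wininit.exe with PPID 1068. The sample rows are constructed from the output above with the Audit/Cmd/Path columns trimmed.

```python
import re
from collections import defaultdict
# Leading columns of a windows.pstree.PsTree row. ImageFileName may contain a
# space ("Secure System"), so it is matched lazily up to the Offset(V) column.
ROW = re.compile(
    r"^(?P<stars>\**)\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)\s+"
    r"0x[0-9a-f]+\s+\d+\s+\S+\s+(?P<session>\S+)\s+(?:True|False)\b")

# Constructed sample rows in the pstree layout (Audit/Cmd/Path trimmed); as in the real dump, no row has PID 1068.
SAMPLE = """\
1132 1068 csrss.exe 0xcf0f57b71140 15 - 0 False 2026-03-26 00:04:03.000000 UTC N/A
1220 1068 wininit.exe 0xcf0f5d6e1080 2 - 0 False 2026-03-26 00:04:04.000000 UTC N/A
* 1308 1220 services.exe 0xcf0f5d291080 6 - 0 False 2026-03-26 00:04:04.000000 UTC N/A
** 1544 1308 svchost.exe 0xcf0f5d2af080 21 - 0 False 2026-03-26 00:04:05.000000 UTC N/A
*** 3488 1544 OpenConsole.ex 0xcf0f8252c080 9 - 6 False 2026-03-29 14:10:04.000000 UTC N/A
* 4 0 System 0xcf0f4c4bf040 415 - N/A False 2026-03-26 00:02:27.000000 UTC N/A
** 808 4 smss.exe 0xcf0f55dce040 2 - N/A False 2026-03-26 00:02:27.000000 UTC N/A
** 236 4 Secure System 0xcf0f4c6e3040 0 - N/A False 2026-03-26 00:02:17.000000 UTC N/A
"""
# SessionId 0 = system/service session, 1+ = a user session, N/A = no session.
KIND = {"N/A": "no session", "0": "system/service"}

def parse(text):
    """Map PID -> (PPID, ImageFileName, SessionId, asterisk depth)."""
    rows = {}
    for m in filter(None, (ROW.match(ln.strip()) for ln in text.splitlines())):
        rows[int(m["pid"])] = (int(m["ppid"]), m["name"], m["session"], len(m["stars"]))
    return rows

def missing_parents(rows):
    """PPIDs that appear in no row as a PID: that parent has already exited."""
    return {ppid for ppid, *_ in rows.values() if ppid and ppid not in rows}

def render(rows):
    """Draw the tree from PID/PPID alone (the asterisk column is not needed)."""
    children = defaultdict(list)
    for pid, (ppid, *_) in rows.items():
        children[ppid].append(pid)
    lines = []
    def walk(pid, prefix, last, root):
        ppid, name, session, _ = rows[pid]
        note = f" <- parent {ppid} not in table" if ppid and ppid not in rows else ""
        branch = "" if root else ("└─ " if last else "├─ ")
        lines.append(f"{prefix}{branch}{name} (PID {pid}) [{KIND.get(session, 'user')}]{note}")
        kids = sorted(children[pid])
        for i, kid in enumerate(kids):
            walk(kid, prefix if root else prefix + ("   " if last else "│  "), i == len(kids) - 1, False)
    for pid in sorted(p for p, (pp, *_) in rows.items() if pp not in rows):
        walk(pid, "", True, True)
    return lines
```

Run `print("\n".join(render(parse(SAMPLE))))` to get the same kind of figure as above, with orphaned rows marked; feeding it the full pstree output works the same way.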
* 4 0 System 0xcf0f4c4bf040 415 - N/A False 2026-03-26 00:02:27.000000 UTC N/A - - -
** 808 4 smss.exe 0xcf0f55dce040 2 - N/A False 2026-03-26 00:02:27.000000 UTC N/A \Device\HarddiskVolume3\Windows\System32\smss.exe \SystemRoot\System32\smss.exe \SystemRoot\System32\smss.exe
** 236 4 Secure System 0xcf0f4c6e3040 0 - N/A False 2026-03-26 00:02:17.000000 UTC N/A - - -
** 276 4 Registry 0xcf0f4c7d0040 4 - N/A False 2026-03-26 00:02:17.000000 UTC N/A Registry - -
These look particularly important even among processes.
As a diagram, it looks like this.
System (PID 4)
├─ smss.exe (PID 808)
├─ Secure System (PID 236)
├─ MemCompression (PID 3380)
└─ Registry (PID 276)
- System: the kernel itself
- Secure System: an extremely secure dedicated area (separate from the OS)
- MemCompression: a kernel feature that compresses memory regions
- smss.exe: the process that creates user sessions
- Registry: the kernel-managed part of the registry
Note: System, MemCompression and Registry are displayed as processes by pstree and pslist, but they are actually kernel features. (Secure System is yet another thing.)
Now that I have a rough picture of the parent-child relationships between processes, I'll wrap up here for today. The next topic is undecided, but Volatility3 has many more commands, and I'd also like to look at the registry and the kernel inside the dump going forward.
Aside
For what it's worth, when you only want to see cmd, one of the parameters of windows.pslist.PsList introduced this time, you can run
$ vol3 -f memdump.mem windows.cmdline.CmdLine
and get the command-line information from when each process started. (pstree is enough for that, though...)