By tracing the parent process chain of a process, it can help you determine the creator of a process and its higher-level creators
kabeep/process-source-tracer

Note: This document is partially generated by ChatGPT.

Process Source Tracer

English | 简体中文

This project is a utility for recursively querying process creators on Windows, similar to the ps command on Linux. By tracing a process's parent chain, it helps you determine which process created it, and which process created that one in turn, so you can assess whether the process is friendly and meets your expectations.

Purpose

This utility can be useful in the following scenarios:

  • Finding the origin of a process and understanding who created it.
  • Tracing the hierarchical chain of process creators.
  • Evaluating whether a process is friendly and aligns with your expectations.

How to Use

To use this tool from cmd:

  1. Clone the project to your local machine or download the project as a zip file.
  2. Open cmd and navigate to the directory where the project is located.
  3. Run the tracepid.cmd command and provide the PID (Process ID) of the target process as a parameter. For example: tracepid.cmd <PID>.
  4. The tool will recursively trace the creators of the target process and display the process information along the creation chain.
  5. Based on the output information, evaluate whether the process is friendly and meets your expectations.

Usage

# Display a list of processes with detailed information
tasklist /V

# Perform a query for a PID that raises doubts
tracepid 10101

Or, in a fuller session:

http-server -p 8081
# Error: listen EADDRINUSE: address already in use 0.0.0.0:8081

netstat -ano | findstr 8081
# TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       38920

tasklist /V | findstr 38920
# node.exe    38920 Console    1    29,608 K    Unknown    DESKTOP-86L4P1F\Administrator    0:00:00    暂缺

tracepid 38920
# Parent Process ID: 26484
# Executable Path:   C:\Program Files\nodejs\node.exe
# Parent Process ID: 5220
# Executable Path:   C:\windows\system32\cmd.exe
# Parent Process ID: 3724
# Executable Path:   C:\Program Files\nodejs\node.exe
# No available instances.
# 
# Parent Process ID: 3724
# Executable Path:   C:\Program Files\nodejs\node.exe
# Reached the root process.
# End of the recursion.

taskkill /f /t /pid 38920
# Success: Terminated the process with PID 38920 (which belongs to the child process of PID 26484).

Please note that this tool is implemented as a batch script, which has certain limitations. In some cases, more advanced system tools and programming languages may be required for a more detailed and accurate analysis.
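As an added example that is not part of process-source-tracer, the following PowerShell function performs the same parent-chain walk described in "How to Use" and shown in the session above, using Win32_Process data, and adds two checks the batch script does not make: it stops on a cycle, and it flags the case where a parent PID has exited and been reused by an unrelated newer process (Windows never updates a child's ParentProcessId when the real parent dies). The function name and the output fields are assumptions of this example.

```powershell
# Added example (not the project's own code): trace the creators of a PID.
function Trace-ParentChain {
    param([Parameter(Mandatory = $true)][int]$TargetPid)

    # Take one snapshot of the process table so every hop sees a consistent view.
    $table = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $table[[int]$_.ProcessId] = $_ }

    $proc = $table[$TargetPid]
    if (-not $proc) { throw "PID $TargetPid not found" }

    $seen = @{}
    while ($proc) {
        $seen[[int]$proc.ProcessId] = $true
        # Emit one row per hop, innermost process first.
        [pscustomobject]@{
            ProcessId = $proc.ProcessId
            ParentId  = $proc.ParentProcessId
            Started   = $proc.CreationDate
            Path      = if ($proc.ExecutablePath) { $proc.ExecutablePath } else { $proc.Name }
        }

        $ppid = [int]$proc.ParentProcessId
        if ($ppid -eq [int]$proc.ProcessId) { Write-Verbose "Reached the root process."; break }
        if ($seen.ContainsKey($ppid)) { Write-Warning "Cycle at PID $ppid; stopping."; break }

        $parent = $table[$ppid]
        if (-not $parent) { Write-Warning "Parent PID $ppid has already exited; chain ends here."; break }

        # PID reuse check: a genuine parent must have started before its child.
        if ($parent.CreationDate -and $proc.CreationDate -and
            $parent.CreationDate -gt $proc.CreationDate) {
            Write-Warning "PID $ppid started after its supposed child; the original parent is gone (PID reuse)."
            break
        }
        $proc = $parent
    }
}

# Same PID as the session above; run from an elevated prompt to see other users' processes.
Trace-ParentChain -TargetPid 38920 | Format-Table -AutoSize
```

A chain that ends in a warning rather than at the root means the batch tool's output for that PID would have shown an unrelated process as the creator, so treat the hops above the warning as unverified.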
