win209 Posted August 23, 2011

Hi,

In regard to this blog: http://blogs.technet.com/b/thenetworker/archive/2007/12/09/of-file-access-from-the-command-prompt-and-trace-analysis.aspx

Did some simultaneous Wireshark and Sysinternals Process Monitor logging and now have an issue with identifying an image path or file/process name associated with the SMB process ID [ Process ID: 65279 ]. Process ID: [ 65279 ] value from the SMB packet header.

Sysinternals Process Monitor does not reveal any activity related to that PID. Nor does the Windows Task Manager. But, the Wireshark log does show requests being sent on behalf of the PID 65279.

Reading this KB article [ http://support.microsoft.com/kb/935741/en-us ], I see the PID might be related to a kernel level process. Also, have been unable to find any relevant information here either [ http://msdn.microsoft.com/en-us/library/ee442092%28PROT.10%29.aspx ]

So, my question boils down to this: how can I identify an exe file and its location, if any, associated with the PID in question?

Thanks.
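Added example, not from the thread or the linked articles: a small Python decoder for the SMB1 (CIFS) header, assuming the trace is SMB1, which is where a 16-bit PID value like 65279 (0xFEFF) comes from. It shows that the "Process ID" Wireshark displays is the PIDHigh and PIDLow header fields combined, and tallies requests per PID so the PIDs in a trace can be listed for cross-checking against a Process Monitor capture; the packets, command codes and PIDs below are constructed, not taken from the poster's capture.

```python
import struct
from collections import Counter

# SMB1 (CIFS) header layout per MS-CIFS 2.2.3.1: 32 bytes, little-endian.
# Fields: Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
#         Reserved, TID, PIDLow, UID, MID
SMB1_MAGIC = b"\xffSMB"
SMB1_HDR = struct.Struct("<4sBIBHH8sHHHHH")  # 32 bytes in total

def parse_smb1_header(data: bytes) -> dict:
    """Decode an SMB1 header and reassemble the 32-bit PID from PIDHigh/PIDLow."""
    if len(data) < SMB1_HDR.size or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    (_magic, command, status, flags, flags2, pid_high, _sec,
     _reserved, tid, pid_low, uid, mid) = SMB1_HDR.unpack_from(data)
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "tid": tid, "uid": uid, "mid": mid,
        "pid_high": pid_high, "pid_low": pid_low,
        # Wireshark's "Process ID" column is PIDHigh:PIDLow taken together.
        "pid": (pid_high << 16) | pid_low,
    }

def build_smb1_header(command, pid, tid=0, uid=0, mid=0) -> bytes:
    """Constructed test data only: pack a request header the way a client would."""
    return SMB1_HDR.pack(SMB1_MAGIC, command, 0, 0x18, 0xC807,
                         (pid >> 16) & 0xFFFF, bytes(8), 0, tid,
                         pid & 0xFFFF, uid, mid)

def pid_summary(messages):
    """Count requests per (PID, command) across a list of raw SMB1 messages."""
    counts = Counter()
    for msg in messages:
        h = parse_smb1_header(msg)
        counts[(h["pid"], h["command"])] += 1
    return counts

# Constructed sample: three requests carrying PID 0xFEFF (65279), the value
# asked about in the thread, plus one request with a different PID.
SAMPLE = [
    build_smb1_header(0x75, 65279, mid=1),                       # TREE_CONNECT_ANDX
    build_smb1_header(0xA2, 65279, tid=2049, uid=2048, mid=2),   # NT_CREATE_ANDX
    build_smb1_header(0x2E, 65279, tid=2049, uid=2048, mid=3),   # READ_ANDX
    build_smb1_header(0xA2, 1234, tid=2049, uid=2048, mid=4),    # NT_CREATE_ANDX
]

if __name__ == "__main__":
    for (pid, cmd), n in sorted(pid_summary(SAMPLE).items()):
        print(f"PID {pid:>6} (0x{pid:04X})  command 0x{cmd:02X}  requests={n}")
```

A PID that appears here but matches no process in a Process Monitor capture taken at the same time is the situation the thread describes; the header itself only tells you what value the client put on the wire.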
ICTCity Posted August 24, 2011

Hi,

The most probable thing is that PID 65279 is created as a child of another process; if so, Process Monitor cannot identify it. There's a parent object (physical exe) which creates a new child object (but this time "temporary").

This is just my thought, I could be wrong.

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
win209 Posted August 24, 2011 (Author)

> Hi, The most probable thing is that PID 65279 is created as a child of another process; if so, Process Monitor cannot identify it. There's a parent object (physical exe) which creates a new child object (but this time "temporary"). This is just my thought, I could be wrong.

Thanks for the interest. Actually, the procmon log retains the whole process tree throughout the trace.

Anyway, any further insight on the image path identification itself?