Overview#

You can indirectly track child processes created by a process by monitoring registry set events for the following key HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\<SID>\<Binary>

Examples#

  • Cmd.EXE Creating Rundll32.EXE
image
  • Explorer.EXE Creating Microsoft Paint
image

References#

Related Articles

Other threads in the archive worth reading next.

Field Notes

Persistence Via RegisterAppRestart Shim

Detailed writeup on the `RegisterAppRestart` SHIM, how it can be used to achieve persistence by registering an application for restart after a crash or reboot, and how to leverage built-in application fixes to apply this SHIM without modifying the registry.

Field Notes

Invoke-CommandInDesktopPackage Interesting Tidbit

An interesting tidbit about the Invoke-CommandInDesktopPackage PowerShell cmdlet, which allows you to execute commands in the context of an AppX Package, providing access to virtualized resources such as registry keys and files. This can be particularly useful for gaining insights into the behavior of AppX packages and their interactions with the system.

Field Notes

Why Does MsMpEng Spawn svchost.exe Without Flags?

An RE deep dive at why Microsoft Defender can create an svchost.exe process without the usual service-host command-line flags.