Each Process in the Windows operating system points to its parent process which is basically the creator process. However, if the creator process or what so-called parent process is killed, the Information related to that process won't be updated therefore the child process might refer to a non-existent process.

We will be conducting an experiment to show the Child/Parent process relationship in Windows. So let’s prove that windows don’t keep track of not more than 1 parent process ID. Let’s demonstrate a simple process list first before we dive into the example

  1. press "WIN + R"
  2. type "cmd"
  3. press "Enter"
  4. type "tasklist /svc"

You should get a long list of running processes as shown in the following image:

As you can see the list above shows the parent/child process relationship, so as you can see windows maintains the processes by assigning Process IDs (PID), we have multiple running processes, windows won't be able to identify the process of the process creator because windows only maintain and identifies the creator process ID. To prove that windows don't keep track of more than just the parent process ID. I will be showing you an example.
  1. press "WIN+R"
  2. type "cmd"
  3. press "Enter"
  4. type "title parent"

  5. type "start cmd"

</div> As you can see we spawned another cmd from the first cmd we have launched that we named "parent"

6.type "title child"
7. type "mspaint" in the child command prompt to launch Microsoft paint.
8. Now close the child command prompt by typing in "exit". After you do that you will notice that Microsoft paint remains open even tho we have closed the terminal we spawned it from. 9. Launch your task manager, you can do that by pressing " CTRL + Shift +Esc". 10.Locate the cmd process we have running which falls under the name "parent"
                                        As you can see the parent process is shown. 11. Right-click the Windows Command Processor then click on Go to Details.
12.Right-click the cmd.exe process and select End process tree. this will terminate all processes in the tree As you can see the "parent" command prompt will disappear but MSPaint will still be running because it was the grandchild of the process we have terminated which is the whole tree that had the "parent" cmd process meaning that MSPaint is the grandchild of the parent process. Because the intermediate process was killed, there was no link between the parent and the grandchild. I really hope you guys enjoyed this basic little article I wrote and this might come in handy for some people out there I just wanted to blog this thing about windows :) Hussein A. Muhaisen

<
Blog Archive
Archive of all previous blog posts
>
Next Post
The early ai jailbreak