This publicly available article from the IT談話館 is intended for senior Windows engineers with more than ten years of practical experience.
The IT談話館 has advanced expertise and a track record in analyzing the depths of the Windows kernel and in detecting and analyzing "abnormal behavior" inside the system, crash causes first among them.
Sessions and Processes in Windows XP/7/8/10
The public articles of the IT談話館 are drafted on the basis of the analysis of Active Memory Dumps and kernel memory dumps. 豊田孝, chief author of the IT談話館, is a leading authority on DKOM (Direct Kernel Object Manipulation)-based analysis techniques and is at the forefront of the field of Windows kernel-space analysis worldwide.
Today security problems cannot be ignored. The burden is growing not only on Microsoft's side but also on the side of the users of its products. Troublesome as that is, it cannot be avoided for the time being. Looking at the "Windows 10 software sensor" from a security viewpoint, as far as the IT談話館 has been able to confirm, the following hierarchy of protection mechanisms has been devised and implemented in addition to the "kernel-layer protection logic". All of the links below point to articles of the IT談話館.
- Silo/Server Silo
- Job
- Session
- Protected Process
- Mandatory Integrity Control (MIC)
- Windows API (+CPU)
- CPU
This article takes up "Session", which sits relatively high in the protection mechanism hierarchy above. Processes on a Windows system fall into three broad kinds: user processes, system processes and service processes. Since Windows Vista, system processes and service processes are started inside session 0 by "session isolation" and can no longer be reached by user processes running in other sessions.
This article focuses on that session isolation: kernel memory dumps captured on Windows XP, 7, 8 and 10 are analyzed with the IT談話館's own code, and the changes in system, service and user processes across these versions are examined.
First, for Windows environments from Vista onward, system, service and user processes are defined as follows (SCM: the Service Control Manager, services.exe).
- A system process runs in session 0 and is not a child of the SCM
- A service process runs in session 0 and is a child of the SCM
- A user process runs in a session other than session 0 and is not a child of the SCM
Now let us look at the analysis results of the kernel memory dumps captured on Windows XP, 7, 8 and 10. As the Windows version rises, the composition of the three kinds of process changes drastically. We begin with the result for Windows XP, which was released before Windows Vista.
kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x8055c620
Debug session time: Wed Jun 4 19:50:12.855 2008 (UTC + 9:00)
System Uptime: 0 days 0:09:06.425
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x00198 smss.exe
No.003: Parent: 0x00198 Child: 0x001c8 SessionId->0 System Process csrss.exe
No.004: Parent: 0x00198 Child: 0x001e0 SessionId->0 System Process winlogon.exe
No.005: Parent: 0x001e0 Child: 0x0020c SessionId->0 System Process services.exe
No.006: Parent: 0x001e0 Child: 0x00218 SessionId->0 System Process lsass.exe
No.007: Parent: 0x0020c Child: 0x002d4 SessionId->0 Service Process svchost.exe
No.008: Parent: 0x0020c Child: 0x00314 SessionId->0 Service Process svchost.exe
No.009: Parent: 0x0020c Child: 0x00358 SessionId->0 Service Process svchost.exe
No.010: Parent: 0x0020c Child: 0x003a0 SessionId->0 Service Process blinksvc.exe
No.011: Parent: 0x0020c Child: 0x003d8 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002d4 Child: 0x00400 SessionId->0 System Process blinkrm.exe
No.013: Parent: 0x0020c Child: 0x00514 SessionId->0 Service Process spoolsv.exe
No.014: Parent: 0x0020c Child: 0x00560 SessionId->0 Service Process alg.exe
No.015: Parent: 0x0020c Child: 0x00598 SessionId->0 Service Process mdm.exe
No.016: Parent: 0x0020c Child: 0x005c0 SessionId->0 Service Process tcpsvcs.exe
No.017: Parent: 0x0020c Child: 0x005e0 SessionId->0 Service Process snmp.exe
No.018: Parent: 0x0020c Child: 0x00658 SessionId->0 Service Process wdfmgr.exe
No.019: Parent: 0x0020c Child: 0x006c8 SessionId->0 Service Process EEYEEVNT.exe
No.020: Parent: 0x00358 Child: 0x005a8 SessionId->0 System Process wuauclt.exe
No.021: Parent: 0x001bc Child: 0x004bc SessionId->0 System Process explorer.exe
No.022: Parent: 0x002d4 Child: 0x005d4 SessionId->0 System Process wmiprvse.exe
No.023: Parent: 0x004bc Child: 0x0095c SessionId->0 System Process hkcmd.exe
No.024: Parent: 0x004bc Child: 0x00964 SessionId->0 System Process jusched.exe
No.025: Parent: 0x004bc Child: 0x00970 SessionId->0 System Process reader_sl.exe
No.026: Parent: 0x004bc Child: 0x00984 SessionId->0 System Process ctfmon.exe
No.027: Parent: 0x004bc Child: 0x009b8 SessionId->0 System Process BLINK.EXE
This information is only a small part of the output of the IT談話館's own analysis code. Looking at this result, before Windows Vista every process was started inside "SessionId->0". In this output the two processes "System" and "smss.exe" are treated as special entities without a SessionId, but in fact they too have the two attributes "SessionId->0" and "System Process" (see the separate article).
Security-wise, since all processes share the same session space, various risks remain. This information also shows the order in which processes are started from Windows system startup, so note the start order and the parent of the "winlogon.exe" process, which displays the user name and password prompt and creates the token. If a parent process is hijacked, the effect extends to its child processes. As the Windows version rises, the parent-child relationships between processes become more complex through measures to improve security (see the separate article).
How was this improved in Windows 7, released after Windows Vista?
4: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.22616.amd64fre.win7sp1_ldr.140303-2307
Machine Name:
Kernel base = 0xfffff800`03a54000 PsLoadedModuleList = 0xfffff800`03c98890
Debug session time: Sat Sep 20 09:58:01.081 2014 (UTC + 9:00)
System Uptime: 0 days 2:46:44.174
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x001ac smss.exe
No.003: Parent: 0x001f4 Child: 0x0023c SessionId->0 System Process csrss.exe
No.004: Parent: 0x001ac Child: 0x002ac SessionId->0 System Process psxss.exe
No.005: Parent: 0x002b4 Child: 0x002c0 SessionId->1 User Process csrss.exe
No.006: Parent: 0x001f4 Child: 0x002cc SessionId->0 System Process wininit.exe
No.007: Parent: 0x002cc Child: 0x002f8 SessionId->0 System Process services.exe
No.008: Parent: 0x002cc Child: 0x00308 SessionId->0 System Process lsass.exe
No.009: Parent: 0x002cc Child: 0x00310 SessionId->0 System Process lsm.exe
No.010: Parent: 0x002b4 Child: 0x00330 SessionId->1 User Process winlogon.exe
No.011: Parent: 0x002f8 Child: 0x003a4 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002f8 Child: 0x003f4 SessionId->0 Service Process nvvsvc.exe
No.013: Parent: 0x002f8 Child: 0x00184 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002f8 Child: 0x003e8 SessionId->0 Service Process svchost.exe
No.015: Parent: 0x002f8 Child: 0x00408 SessionId->0 Service Process svchost.exe
No.016: Parent: 0x002f8 Child: 0x00430 SessionId->0 Service Process svchost.exe
No.017: Parent: 0x002f8 Child: 0x00450 SessionId->0 Service Process svchost.exe
No.018: Parent: 0x003e8 Child: 0x004d8 SessionId->0 System Process audiodg.exe
No.019: Parent: 0x002f8 Child: 0x00524 SessionId->0 Service Process CTAudSvc.exe
No.020: Parent: 0x002f8 Child: 0x00578 SessionId->0 Service Process svchost.exe
No.021: Parent: 0x002f8 Child: 0x005ec SessionId->0 Service Process svchost.exe
No.022: Parent: 0x003f4 Child: 0x00610 SessionId->1 User Process nvxdsync.exe
No.023: Parent: 0x003f4 Child: 0x00620 SessionId->1 User Process nvvsvc.exe
No.024: Parent: 0x002f8 Child: 0x00704 SessionId->0 Service Process spoolsv.exe
No.025: Parent: 0x002f8 Child: 0x00754 SessionId->0 Service Process svchost.exe
No.026: Parent: 0x002f8 Child: 0x007dc SessionId->0 Service Process armsvc.exe
No.027: Parent: 0x002f8 Child: 0x00520 SessionId->0 Service Process CLMSMonitorSer
No.028: Parent: 0x002f8 Child: 0x005b8 SessionId->0 Service Process CLMSServerPDVD
No.029: Parent: 0x00520 Child: 0x00604 SessionId->0 System Process CLMSServerPDVD
No.030: Parent: 0x002f8 Child: 0x0053c SessionId->0 Service Process ekrn.exe
No.031: Parent: 0x002f8 Child: 0x00720 SessionId->0 Service Process svchost.exe
No.032: Parent: 0x002f8 Child: 0x00724 SessionId->0 Service Process LMS.exe
No.033: Parent: 0x002f8 Child: 0x00824 SessionId->0 Service Process mbae-svc.exe
No.034: Parent: 0x002f8 Child: 0x00864 SessionId->0 Service Process mdm.exe
No.035: Parent: 0x00824 Child: 0x008dc SessionId->0 System Process mbae64.exe
No.036: Parent: 0x002f8 Child: 0x009ec SessionId->0 Service Process sqlservr.exe
No.037: Parent: 0x002f8 Child: 0x00a1c SessionId->0 Service Process nTuneService.e
No.038: Parent: 0x002f8 Child: 0x00a98 SessionId->0 Service Process o2flash.exe
No.039: Parent: 0x002f8 Child: 0x00ab8 SessionId->0 Service Process PnkBstrA.exe
No.040: Parent: 0x002f8 Child: 0x00af4 SessionId->0 Service Process Rebit-Pro-Svc.
No.041: Parent: 0x002f8 Child: 0x00be0 SessionId->0 Service Process TCPSVCS.EXE
No.042: Parent: 0x002f8 Child: 0x00bf4 SessionId->0 Service Process snmp.exe
No.043: Parent: 0x002f8 Child: 0x00784 SessionId->0 Service Process svchost.exe
No.044: Parent: 0x002f8 Child: 0x00a10 SessionId->0 Service Process ThpSrv.exe
No.045: Parent: 0x002f8 Child: 0x00ab4 SessionId->0 Service Process TODDSrv.exe
No.046: Parent: 0x002f8 Child: 0x00c18 SessionId->0 Service Process TosCoSrv.exe
No.047: Parent: 0x002f8 Child: 0x00c7c SessionId->0 Service Process TecoService.ex
No.048: Parent: 0x002f8 Child: 0x00cac SessionId->0 Service Process UNS.exe
No.049: Parent: 0x002f8 Child: 0x00cc4 SessionId->0 Service Process svchost.exe
No.050: Parent: 0x002f8 Child: 0x00cd8 SessionId->0 Service Process svchost.exe
No.051: Parent: 0x002f8 Child: 0x00d00 SessionId->0 Service Process WLIDSVC.EXE
No.052: Parent: 0x002f8 Child: 0x00d78 SessionId->0 Service Process SearchIndexer.
No.053: Parent: 0x00d00 Child: 0x00db0 SessionId->0 System Process WLIDSVCM.EXE
No.054: Parent: 0x002f8 Child: 0x00e08 SessionId->0 Service Process nfsclnt.exe
No.055: Parent: 0x003a4 Child: 0x00f78 SessionId->0 System Process WmiPrvSE.exe
No.056: Parent: 0x002f8 Child: 0x01044 SessionId->0 Service Process svchost.exe
No.057: Parent: 0x00408 Child: 0x010e8 SessionId->0 System Process WUDFHost.exe
No.058: Parent: 0x003a4 Child: 0x01228 SessionId->0 System Process WmiPrvSE.exe
No.059: Parent: 0x002f8 Child: 0x01354 SessionId->1 User Process taskhost.exe
No.060: Parent: 0x00408 Child: 0x013dc SessionId->1 User Process dwm.exe
No.061: Parent: 0x013d4 Child: 0x013e4 SessionId->1 User Process explorer.exe
No.062: Parent: 0x00a1c Child: 0x010d8 SessionId->1 User Process nTuneCmd.exe
No.063: Parent: 0x013e4 Child: 0x01174 SessionId->1 User Process SynTPEnh.exe
No.064: Parent: 0x003a4 Child: 0x01180 SessionId->1 User Process explorer.exe
No.065: Parent: 0x013e4 Child: 0x009dc SessionId->1 User Process TPwrMain.exe
No.066: Parent: 0x013e4 Child: 0x00d08 SessionId->1 User Process SmoothView.exe
No.067: Parent: 0x013e4 Child: 0x00740 SessionId->1 User Process TCrdMain.exe
No.068: Parent: 0x01174 Child: 0x012a8 SessionId->1 User Process SynTPHelper.ex
No.069: Parent: 0x013e4 Child: 0x012ac SessionId->1 User Process Teco.exe
No.070: Parent: 0x013e4 Child: 0x01008 SessionId->1 User Process ThpSrv.exe
No.071: Parent: 0x00740 Child: 0x01384 SessionId->1 User Process TCrdKBB.exe
No.072: Parent: 0x013e4 Child: 0x00640 SessionId->1 User Process TosNcCore.exe
No.073: Parent: 0x013e4 Child: 0x007e4 SessionId->1 User Process TosReelTimeMon
No.074: Parent: 0x013e4 Child: 0x00ae0 SessionId->1 User Process HDMICtrlMan.ex
No.075: Parent: 0x013e4 Child: 0x012b8 SessionId->1 User Process XBoxStat.exe
No.076: Parent: 0x002f8 Child: 0x012b4 SessionId->0 Service Process wmpnetwk.exe
No.077: Parent: 0x00974 Child: 0x001e8 SessionId->1 User Process SmartAudio.exe
No.078: Parent: 0x013e4 Child: 0x01018 SessionId->1 User Process DashUI.exe
No.079: Parent: 0x002f8 Child: 0x00538 SessionId->0 Service Process svchost.exe
No.080: Parent: 0x00450 Child: 0x01450 SessionId->1 User Process taskeng.exe
No.081: Parent: 0x01450 Child: 0x0148c SessionId->1 User Process NDSTray.exe
No.082: Parent: 0x00ae0 Child: 0x014d4 SessionId->1 User Process HCMSoundChange
No.083: Parent: 0x013e4 Child: 0x01560 SessionId->1 User Process LCore.exe
No.084: Parent: 0x013e4 Child: 0x0156c SessionId->1 User Process rundll32.exe
No.085: Parent: 0x013e4 Child: 0x01574 SessionId->1 User Process rundll32.exe
No.086: Parent: 0x013e4 Child: 0x0157c SessionId->1 User Process egui.exe
No.087: Parent: 0x013e4 Child: 0x017b0 SessionId->1 User Process SkyDrive.exe
No.088: Parent: 0x013e4 Child: 0x017d0 SessionId->1 User Process sidebar.exe
No.089: Parent: 0x013e4 Child: 0x017e0 SessionId->1 User Process Power2GoExpres
No.090: Parent: 0x013e4 Child: 0x00df4 SessionId->1 User Process TosBtMng.exe
No.091: Parent: 0x003a4 Child: 0x01448 SessionId->0 System Process dllhost.exe
No.092: Parent: 0x001e4 Child: 0x01728 SessionId->1 User Process IAStorIcon.exe
No.093: Parent: 0x001e4 Child: 0x01744 SessionId->1 User Process TWebCamera.exe
No.094: Parent: 0x013e4 Child: 0x0120c SessionId->1 User Process ONENOTEM.EXE
No.095: Parent: 0x002f8 Child: 0x016d4 SessionId->0 Service Process CFIWmxSvcs64.e
No.096: Parent: 0x001e4 Child: 0x01530 SessionId->1 User Process ToshibaService
No.097: Parent: 0x001e4 Child: 0x00c34 SessionId->1 User Process VolPanlu.exe
No.098: Parent: 0x001e4 Child: 0x0180c SessionId->1 User Process SBRecon.exe
No.099: Parent: 0x001e4 Child: 0x01820 SessionId->1 User Process PowerDVD13Agen
No.100: Parent: 0x001e4 Child: 0x019a4 SessionId->1 User Process mbae.exe
No.101: Parent: 0x001e4 Child: 0x01b1c SessionId->1 User Process rundll32.exe
No.102: Parent: 0x001e4 Child: 0x01a18 SessionId->1 User Process jusched.exe
No.103: Parent: 0x002f8 Child: 0x01a98 SessionId->0 Service Process TosBtSrv.exe
No.104: Parent: 0x002f8 Child: 0x01bf0 SessionId->0 Service Process CFSvcs.exe
No.105: Parent: 0x002f8 Child: 0x0147c SessionId->0 Service Process AL6Licensing.e
No.106: Parent: 0x002f8 Child: 0x01b08 SessionId->0 Service Process CTAELicensing.
No.107: Parent: 0x002f8 Child: 0x01aec SessionId->0 Service Process DkService.exe
No.108: Parent: 0x002f8 Child: 0x01a14 SessionId->0 Service Process TPCHSrv.exe
No.109: Parent: 0x002f8 Child: 0x01830 SessionId->0 Service Process TosSmartSrv.ex
No.110: Parent: 0x00444 Child: 0x01ca8 SessionId->1 User Process TosSENotify.ex
No.111: Parent: 0x00394 Child: 0x01ddc SessionId->1 User Process TPCHWMsg.exe
No.112: Parent: 0x0148c Child: 0x01e80 SessionId->1 User Process CFSwMgr.exe
No.113: Parent: 0x00df4 Child: 0x01ec0 SessionId->1 User Process TosA2dp.exe
No.114: Parent: 0x002f8 Child: 0x01f0c SessionId->0 Service Process TurboBoost.exe
No.115: Parent: 0x01c90 Child: 0x01f20 SessionId->0 System Process GoogleUpdate.e
No.116: Parent: 0x002f8 Child: 0x01fd0 SessionId->0 Service Process IAStorDataMgrS
No.117: Parent: 0x01f20 Child: 0x01fe4 SessionId->0 System Process GoogleCrashHan
No.118: Parent: 0x00df4 Child: 0x01c78 SessionId->1 User Process TosBtHid.exe
No.119: Parent: 0x01f20 Child: 0x01bec SessionId->0 System Process GoogleCrashHan
No.120: Parent: 0x00df4 Child: 0x01ccc SessionId->1 User Process TosBtHSP.exe
No.121: Parent: 0x002f8 Child: 0x01e94 SessionId->0 Service Process PresentationFo
No.122: Parent: 0x002f8 Child: 0x0216c SessionId->0 Service Process TMachInfo.exe
No.123: Parent: 0x00824 Child: 0x018b4 SessionId->0 System Process mbae64.exe
No.124: Parent: 0x00824 Child: 0x018f0 SessionId->0 System Process mbae64.exe
No.125: Parent: 0x021b8 Child: 0x02108 SessionId->1 User Process Arc.exe
No.126: Parent: 0x02108 Child: 0x02004 SessionId->1 User Process ArcOSBrowser.e
No.127: Parent: 0x0192c Child: 0x00d50 SessionId->1 User Process crypticError.e
No.128: Parent: 0x01178 Child: 0x01948 SessionId->1 User Process iexplore.exe
No.129: Parent: 0x01948 Child: 0x01a34 SessionId->1 User Process iexplore.exe
No.130: Parent: 0x01948 Child: 0x023a0 SessionId->1 User Process iexplore.exe
No.131: Parent: 0x014e4 Child: 0x0234c SessionId->1 User Process crypticError.e
No.132: Parent: 0x01f8c Child: 0x017ec SessionId->1 User Process GameClient.exe
No.133: Parent: 0x017ec Child: 0x01c58 SessionId->1 User Process ArcOSOverlay.e
As you can see, the running processes are separated per session. The parent of the "winlogon.exe" process is no longer the "smss.exe" process of the XP era but an unidentified process, "0x002b4". Is this kind of security improvement carried over unchanged into Windows 8.1?
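As an added example (not the IT談話館's own analysis code, whose source is not shown here), the following Python checker works on listings in the format printed above: it parses each "No.NNN: Parent: ... Child: ..." line, re-derives the System/Service/User label from the definitions given earlier with the SCM taken to be services.exe, and walks a process's ancestry so that a parent PID absent from the listing, like 0x002b4 above, is flagged. The sample input is a constructed subset of the Windows 7 listing; because the listings themselves print every non-zero-session process as "User Process" (e.g. taskhost.exe, No.059, although it is a child of the SCM), the example tests the session number first, and all helper names are chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One listing line as printed above; the SessionId/label part is absent for
# "System" and "smss.exe", and the name may be truncated and contain spaces.
LINE_RE = re.compile(
    r"^No\.(?P<no>\d+):\s+Parent:\s+0x(?P<ppid>[0-9a-fA-F]+)\s+Child:\s+0x(?P<pid>[0-9a-fA-F]+)"
    r"(?:\s+SessionId->(?P<session>\d+)\s+(?P<label>System|Service|User)\s+Process)?"
    r"\s+(?P<name>\S.*?)\s*$"
)

# Constructed sample: a subset of the Windows 7 listing shown on this page.
SAMPLE = """\
4: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x001ac smss.exe
No.003: Parent: 0x001f4 Child: 0x0023c SessionId->0 System Process csrss.exe
No.005: Parent: 0x002b4 Child: 0x002c0 SessionId->1 User Process csrss.exe
No.006: Parent: 0x001f4 Child: 0x002cc SessionId->0 System Process wininit.exe
No.007: Parent: 0x002cc Child: 0x002f8 SessionId->0 System Process services.exe
No.008: Parent: 0x002cc Child: 0x00308 SessionId->0 System Process lsass.exe
No.010: Parent: 0x002b4 Child: 0x00330 SessionId->1 User Process winlogon.exe
No.011: Parent: 0x002f8 Child: 0x003a4 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002f8 Child: 0x003e8 SessionId->0 Service Process svchost.exe
No.018: Parent: 0x003e8 Child: 0x004d8 SessionId->0 System Process audiodg.exe
No.059: Parent: 0x002f8 Child: 0x01354 SessionId->1 User Process taskhost.exe
"""


@dataclass
class ProcessEntry:
    no: int
    ppid: int
    pid: int
    session: Optional[int]  # None when no SessionId was printed (System, smss.exe)
    label: Optional[str]    # "System" / "Service" / "User" as printed, or None
    name: str


def parse_listing(text: str) -> list:
    """Parse every listing line; vertarget header lines and '[---]' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ProcessEntry(
            no=int(m["no"]),
            ppid=int(m["ppid"], 16),
            pid=int(m["pid"], 16),
            session=int(m["session"]) if m["session"] is not None else None,
            label=m["label"],
            name=m["name"],
        ))
    return entries


def find_scm(entries) -> Optional[int]:
    """PID of the Service Control Manager (services.exe), or None if absent."""
    return next((e.pid for e in entries if e.name.lower() == "services.exe"), None)


def classify(entry: ProcessEntry, scm_pid: Optional[int]) -> str:
    """Apply the page's three-way rule. Entries printed without a SessionId
    (System, smss.exe) are treated as session 0, as the article states."""
    session = 0 if entry.session is None else entry.session
    if session != 0:
        return "User"
    if scm_pid is not None and entry.ppid == scm_pid:
        return "Service"
    return "System"


def label_mismatches(entries, scm_pid):
    """Entries whose printed label disagrees with the re-derived one."""
    out = []
    for e in entries:
        printed = e.label or "System"
        derived = classify(e, scm_pid)
        if printed != derived:
            out.append((e.pid, e.name, printed, derived))
    return out


def unknown_parents(entries) -> list:
    """Parent PIDs that do not appear as a Child PID anywhere in the listing."""
    pids = {e.pid for e in entries}
    return sorted({e.ppid for e in entries if e.ppid != 0 and e.ppid not in pids})


def parent_chain(entries, name: str) -> list:
    """Ancestry of the first process called `name`, from the process upward.
    A parent that is not in the listing ends the chain with a marker."""
    by_pid = {e.pid: e for e in entries}
    cur = next((e for e in entries if e.name.lower() == name.lower()), None)
    chain, seen = [], set()
    while cur is not None and cur.pid not in seen:   # `seen` guards PID reuse
        seen.add(cur.pid)
        chain.append(cur.name)
        if cur.ppid == 0:
            break
        nxt = by_pid.get(cur.ppid)
        if nxt is None:
            chain.append(f"0x{cur.ppid:05x} (not in listing)")
            break
        cur = nxt
    return chain


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    scm = find_scm(entries)
    for e in entries:
        print(f"0x{e.pid:05x} {e.name:<14} {classify(e, scm)}")
    print("label mismatches:", label_mismatches(entries, scm))
    print("parents not in listing:", [f"0x{p:05x}" for p in unknown_parents(entries)])
    print("winlogon.exe ancestry:", " <- ".join(parent_chain(entries, "winlogon.exe")))
```

A parent PID that is not in the listing usually means the parent had already exited before the dump was taken, so a chain ending in "(not in listing)" is a cue to establish which process that PID belonged to rather than a finding in itself.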
2: kd> vertarget
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17238.amd64fre.winblue_gdr.140723-2018
Machine Name:
Kernel base = 0xfffff801`6868c000 PsLoadedModuleList = 0xfffff801`68956350
Debug session time: Thu Oct 9 00:34:44.270 2014 (UTC + 9:00)
System Uptime: 0 days 13:38:52.140
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x00150 smss.exe
No.003: Parent: 0x001f4 Child: 0x00208 SessionId->0 System Process csrss.exe
No.004: Parent: 0x001f4 Child: 0x00288 SessionId->0 System Process wininit.exe
No.005: Parent: 0x00288 Child: 0x002f4 SessionId->0 System Process services.exe
No.006: Parent: 0x00288 Child: 0x002fc SessionId->0 System Process lsass.exe
No.007: Parent: 0x002f4 Child: 0x00354 SessionId->0 Service Process svchost.exe
No.008: Parent: 0x002f4 Child: 0x00388 SessionId->0 Service Process svchost.exe
No.009: Parent: 0x002f4 Child: 0x00124 SessionId->0 Service Process nvvsvc.exe
No.010: Parent: 0x002f4 Child: 0x00184 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x002f4 Child: 0x002bc SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002f4 Child: 0x00398 SessionId->0 Service Process svchost.exe
No.013: Parent: 0x002f4 Child: 0x00424 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002f4 Child: 0x004bc SessionId->0 Service Process svchost.exe
No.015: Parent: 0x002f4 Child: 0x0050c SessionId->0 Service Process AsLdrSrv.exe
No.016: Parent: 0x002f4 Child: 0x00558 SessionId->0 Service Process GFNEXSrv.exe
No.017: Parent: 0x00424 Child: 0x00598 SessionId->0 System Process wlanext.exe
No.018: Parent: 0x00598 Child: 0x005a0 SessionId->0 System Process conhost.exe
No.019: Parent: 0x002f4 Child: 0x005f4 SessionId->0 Service Process spoolsv.exe
No.020: Parent: 0x002f4 Child: 0x00614 SessionId->0 Service Process svchost.exe
No.021: Parent: 0x002f4 Child: 0x00630 SessionId->0 Service Process svchost.exe
No.022: Parent: 0x002f4 Child: 0x006f0 SessionId->0 Service Process armsvc.exe
No.023: Parent: 0x002f4 Child: 0x0070c SessionId->0 Service Process AppleMobileDev
No.024: Parent: 0x002f4 Child: 0x00734 SessionId->0 Service Process InsOnSrv.exe
No.025: Parent: 0x002f4 Child: 0x0075c SessionId->0 Service Process mDNSResponder.
No.026: Parent: 0x002f4 Child: 0x0077c SessionId->0 Service Process officeclicktor
No.027: Parent: 0x002f4 Child: 0x007b4 SessionId->0 Service Process DptfParticipan
No.028: Parent: 0x002f4 Child: 0x007e8 SessionId->0 Service Process DptfPolicyConf
No.029: Parent: 0x002f4 Child: 0x0040c SessionId->0 Service Process DptfPolicyCrit
No.030: Parent: 0x00424 Child: 0x00434 SessionId->0 System Process dasHost.exe
No.031: Parent: 0x002f4 Child: 0x00484 SessionId->0 Service Process DptfPolicyLpmS
No.032: Parent: 0x002f4 Child: 0x00518 SessionId->0 Service Process EvtEng.exe
No.033: Parent: 0x002f4 Child: 0x005e0 SessionId->0 Service Process GfExperienceSe
No.034: Parent: 0x002f4 Child: 0x00830 SessionId->0 Service Process NIS.exe
No.035: Parent: 0x002f4 Child: 0x00894 SessionId->0 Service Process NvNetworkServi
No.036: Parent: 0x002f4 Child: 0x0092c SessionId->0 Service Process nvstreamsvc.ex
No.037: Parent: 0x002f4 Child: 0x00968 SessionId->0 Service Process RegSrvc.exe
No.038: Parent: 0x002f4 Child: 0x00980 SessionId->0 Service Process svchost.exe
No.039: Parent: 0x002f4 Child: 0x009a8 SessionId->0 Service Process ZeroConfigServ
No.040: Parent: 0x00354 Child: 0x009e4 SessionId->0 System Process unsecapp.exe
No.041: Parent: 0x00354 Child: 0x00a50 SessionId->0 System Process WmiPrvSE.exe
No.042: Parent: 0x002f4 Child: 0x00b68 SessionId->0 Service Process svchost.exe
No.043: Parent: 0x0092c Child: 0x00c10 SessionId->0 System Process nvstreamsvc.ex
No.044: Parent: 0x00c10 Child: 0x00c18 SessionId->0 System Process conhost.exe
No.045: Parent: 0x00734 Child: 0x00a28 SessionId->1 User Process InsOnWMI.exe
No.046: Parent: 0x002f4 Child: 0x01154 SessionId->0 Service Process SearchIndexer.
No.047: Parent: 0x008e4 Child: 0x011e8 SessionId->0 System Process GoogleCrashHan
No.048: Parent: 0x008e4 Child: 0x0128c SessionId->0 System Process GoogleCrashHan
No.049: Parent: 0x002f4 Child: 0x01318 SessionId->0 Service Process devmonsrv.exe
No.050: Parent: 0x002f4 Child: 0x0137c SessionId->0 Service Process obexsrv.exe
No.051: Parent: 0x002f4 Child: 0x013e0 SessionId->0 Service Process IntelMeFWServi
No.052: Parent: 0x002f4 Child: 0x004d4 SessionId->0 Service Process jhi_service.ex
No.053: Parent: 0x002f4 Child: 0x006bc SessionId->0 Service Process LMS.exe
No.054: Parent: 0x002f4 Child: 0x00ca8 SessionId->0 Service Process wmpnetwk.exe
No.055: Parent: 0x002f4 Child: 0x015b8 SessionId->0 Service Process iPodService.ex
No.056: Parent: 0x01ccc Child: 0x00130 SessionId->2 User Process csrss.exe
No.057: Parent: 0x01ccc Child: 0x00af4 SessionId->2 User Process winlogon.exe
No.058: Parent: 0x00af4 Child: 0x00f7c SessionId->2 User Process dwm.exe
No.059: Parent: 0x00124 Child: 0x0175c SessionId->2 User Process nvxdsync.exe
No.060: Parent: 0x00124 Child: 0x00748 SessionId->2 User Process nvvsvc.exe
No.061: Parent: 0x00424 Child: 0x0149c SessionId->2 User Process TabTip.exe
No.062: Parent: 0x0050c Child: 0x01e28 SessionId->2 User Process HControl.exe
No.063: Parent: 0x00734 Child: 0x01570 SessionId->2 User Process InsOnWMI.exe
No.064: Parent: 0x00830 Child: 0x00fb0 SessionId->2 User Process NIS.exe
No.065: Parent: 0x002bc Child: 0x00868 SessionId->2 User Process taskhostex.exe
No.066: Parent: 0x002bc Child: 0x019a8 SessionId->2 User Process BatteryLife.ex
No.067: Parent: 0x002bc Child: 0x00d98 SessionId->2 User Process USBChargerPlus
No.068: Parent: 0x002bc Child: 0x0134c SessionId->2 User Process ASUS Console S
No.069: Parent: 0x002bc Child: 0x01994 SessionId->2 User Process AsPatchTouchPa
No.070: Parent: 0x002bc Child: 0x01688 SessionId->2 User Process ACMON.exe
No.071: Parent: 0x002bc Child: 0x01dcc SessionId->2 User Process ColorUService.
No.072: Parent: 0x01e28 Child: 0x011a8 SessionId->2 User Process KBFiltr.exe
No.073: Parent: 0x00a44 Child: 0x018cc SessionId->2 User Process ATKOSD2.exe
No.074: Parent: 0x01974 Child: 0x01a14 SessionId->2 User Process DMedia.exe
No.075: Parent: 0x00f70 Child: 0x000f8 SessionId->2 User Process NvBackend.exe
No.076: Parent: 0x01dd8 Child: 0x01d40 SessionId->2 User Process explorer.exe
No.077: Parent: 0x00354 Child: 0x01920 SessionId->2 User Process livecomm.exe
No.078: Parent: 0x00354 Child: 0x011a4 SessionId->2 User Process SkyDrive.exe
No.079: Parent: 0x00424 Child: 0x00b2c SessionId->2 User Process TabTip.exe
No.080: Parent: 0x00b2c Child: 0x0086c SessionId->2 User Process TabTip32.exe
No.081: Parent: 0x0175c Child: 0x00348 SessionId->2 User Process nvtray.exe
No.082: Parent: 0x00354 Child: 0x01250 SessionId->2 User Process RuntimeBroker.
No.083: Parent: 0x00bb4 Child: 0x0160c SessionId->2 User Process AsusTPLoader.e
No.084: Parent: 0x0160c Child: 0x01b5c SessionId->2 User Process QuickGesture64
No.085: Parent: 0x0160c Child: 0x00950 SessionId->2 User Process QuickGesture.e
No.086: Parent: 0x0160c Child: 0x00ba4 SessionId->2 User Process AsusTPCenter.e
No.087: Parent: 0x00ba4 Child: 0x01b7c SessionId->2 User Process AsusTPHelper.e
No.088: Parent: 0x01e34 Child: 0x00fc8 SessionId->2 User Process igfxpers.exe
No.089: Parent: 0x00354 Child: 0x0147c SessionId->2 User Process igfxsrvc.exe
No.090: Parent: 0x01d40 Child: 0x00c04 SessionId->2 User Process igfxtray.exe
No.091: Parent: 0x01d40 Child: 0x004ec SessionId->2 User Process hkcmd.exe
No.092: Parent: 0x01d40 Child: 0x01c44 SessionId->2 User Process DptfPolicyLpmS
No.093: Parent: 0x01d40 Child: 0x016d0 SessionId->2 User Process rundll32.exe
No.094: Parent: 0x01d40 Child: 0x01140 SessionId->2 User Process chrome.exe
No.095: Parent: 0x01d40 Child: 0x00e78 SessionId->2 User Process googledrivesyn
No.096: Parent: 0x01d40 Child: 0x00a24 SessionId->2 User Process ScanToPCActiva
No.097: Parent: 0x01d40 Child: 0x006c4 SessionId->2 User Process GROOVE.EXE
No.098: Parent: 0x01140 Child: 0x01468 SessionId->2 User Process chrome.exe
No.099: Parent: 0x01280 Child: 0x01050 SessionId->2 User Process PDVD10Serv.exe
No.100: Parent: 0x01140 Child: 0x0185c SessionId->2 User Process chrome.exe
No.101: Parent: 0x01140 Child: 0x018d0 SessionId->2 User Process chrome.exe
No.102: Parent: 0x01140 Child: 0x00fc4 SessionId->2 User Process chrome.exe
No.103: Parent: 0x01140 Child: 0x00eb4 SessionId->2 User Process chrome.exe
No.104: Parent: 0x01140 Child: 0x01680 SessionId->2 User Process chrome.exe
No.105: Parent: 0x01140 Child: 0x01ec8 SessionId->2 User Process chrome.exe
No.106: Parent: 0x01140 Child: 0x013f4 SessionId->2 User Process chrome.exe
No.107: Parent: 0x01140 Child: 0x00f68 SessionId->2 User Process chrome.exe
No.108: Parent: 0x01140 Child: 0x00624 SessionId->2 User Process chrome.exe
No.109: Parent: 0x01140 Child: 0x0139c SessionId->2 User Process chrome.exe
No.110: Parent: 0x01280 Child: 0x002d8 SessionId->2 User Process jusched.exe
No.111: Parent: 0x01140 Child: 0x0177c SessionId->2 User Process chrome.exe
No.112: Parent: 0x01140 Child: 0x010d8 SessionId->2 User Process chrome.exe
No.113: Parent: 0x01140 Child: 0x01e1c SessionId->2 User Process chrome.exe
No.114: Parent: 0x01140 Child: 0x00298 SessionId->2 User Process chrome.exe
No.115: Parent: 0x01280 Child: 0x01d28 SessionId->2 User Process iTunesHelper.e
No.116: Parent: 0x01280 Child: 0x00824 SessionId->2 User Process hpwuschd2.exe
No.117: Parent: 0x01140 Child: 0x0157c SessionId->2 User Process cmd.exe
No.118: Parent: 0x0157c Child: 0x01ecc SessionId->2 User Process conhost.exe
No.119: Parent: 0x0157c Child: 0x0108c SessionId->2 User Process coNatHst.exe
No.120: Parent: 0x01140 Child: 0x01f20 SessionId->2 User Process nacl64.exe
No.121: Parent: 0x01f20 Child: 0x0187c SessionId->2 User Process nacl64.exe
No.122: Parent: 0x00e78 Child: 0x010b8 SessionId->2 User Process googledrivesyn
No.123: Parent: 0x002bc Child: 0x01af8 SessionId->2 User Process RAVBg64.exe
No.124: Parent: 0x002bc Child: 0x01730 SessionId->2 User Process RAVCpl64.exe
No.125: Parent: 0x00354 Child: 0x00a34 SessionId->2 User Process glcnd.exe
No.126: Parent: 0x00354 Child: 0x0035c SessionId->2 User Process SettingSyncHos
No.127: Parent: 0x01140 Child: 0x01734 SessionId->2 User Process chrome.exe
No.128: Parent: 0x01140 Child: 0x01e80 SessionId->2 User Process chrome.exe
No.129: Parent: 0x01140 Child: 0x007f8 SessionId->2 User Process chrome.exe
No.130: Parent: 0x006c4 Child: 0x00620 SessionId->2 User Process MSOSYNC.EXE
No.131: Parent: 0x01154 Child: 0x01f98 SessionId->0 System Process SearchProtocol
No.132: Parent: 0x01154 Child: 0x01d00 SessionId->0 System Process SearchFilterHo
No.133: Parent: 0x00184 Child: 0x00e14 SessionId->0 System Process audiodg.exe
No.134: Parent: 0x00354 Child: 0x01840 SessionId->2 User Process WWAHost.exe
No.135: Parent: 0x00354 Child: 0x012e4 SessionId->2 User Process BackgroundTran
Processes are isolated per session, and compared with the Windows 7 result, the start order and the parent-child relationships between processes have become even more complex. What about Windows 10?
1: kd> vertarget
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16393.amd64fre.th1_st1.150717-1719
Machine Name:
Kernel base = 0xfffff802`2941a000 PsLoadedModuleList = 0xfffff802`2973f030
Debug session time: Mon Aug 3 17:16:15.086 2015 (UTC + 9:00)
System Uptime: 0 days 1:19:12.780
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x00144 smss.exe
No.003: Parent: 0x001f0 Child: 0x001f8 SessionId->0 System Process csrss.exe
No.004: Parent: 0x001f0 Child: 0x0024c SessionId->0 System Process wininit.exe
No.005: Parent: 0x0024c Child: 0x002b4 SessionId->0 System Process services.exe
No.006: Parent: 0x0024c Child: 0x002c8 SessionId->0 System Process lsass.exe
No.007: Parent: 0x002b4 Child: 0x00318 SessionId->0 Service Process svchost.exe
No.008: Parent: 0x002b4 Child: 0x00350 SessionId->0 Service Process svchost.exe
No.009: Parent: 0x002b4 Child: 0x003a0 SessionId->0 Service Process sppsvc.exe
No.010: Parent: 0x002b4 Child: 0x001b0 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x002b4 Child: 0x00130 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002b4 Child: 0x00008 SessionId->0 Service Process svchost.exe
No.013: Parent: 0x002b4 Child: 0x00448 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002b4 Child: 0x00484 SessionId->0 Service Process svchost.exe
No.015: Parent: 0x002b4 Child: 0x00504 SessionId->0 Service Process svchost.exe
No.016: Parent: 0x002b4 Child: 0x005fc SessionId->0 Service Process spoolsv.exe
No.017: Parent: 0x002b4 Child: 0x006f0 SessionId->0 Service Process svchost.exe
No.018: Parent: 0x002b4 Child: 0x00728 SessionId->0 Service Process svchost.exe
No.019: Parent: 0x002b4 Child: 0x00764 SessionId->0 Service Process armsvc.exe
No.020: Parent: 0x002b4 Child: 0x007a8 SessionId->0 Service Process svchost.exe
No.021: Parent: 0x002b4 Child: 0x007e4 SessionId->0 Service Process mqsvc.exe
No.022: Parent: 0x002b4 Child: 0x00704 SessionId->0 Service Process TosCoSrv.exe
No.023: Parent: 0x002b4 Child: 0x00518 SessionId->0 Service Process msdtc.exe
No.024: Parent: 0x002b4 Child: 0x00994 SessionId->0 Service Process dllhost.exe
No.025: Parent: 0x00318 Child: 0x00378 SessionId->0 System Process dllhost.exe
No.026: Parent: 0x002b4 Child: 0x003fc SessionId->0 Service Process MsMpEng.exe
No.027: Parent: 0x002b4 Child: 0x00a90 SessionId->0 Service Process SearchIndexer.
No.028: Parent: 0x002b4 Child: 0x00bb0 SessionId->0 Service Process VSSVC.exe
No.029: Parent: 0x002b4 Child: 0x00b50 SessionId->0 Service Process svchost.exe
No.030: Parent: 0x002b4 Child: 0x00674 SessionId->0 Service Process svchost.exe
No.031: Parent: 0x002b4 Child: 0x0092c SessionId->0 Service Process svchost.exe
No.032: Parent: 0x01a80 Child: 0x003dc SessionId->1 User Process csrss.exe
No.033: Parent: 0x01a80 Child: 0x0140c SessionId->1 User Process winlogon.exe
No.034: Parent: 0x0140c Child: 0x01cc4 SessionId->1 User Process dwm.exe
No.035: Parent: 0x00130 Child: 0x00b70 SessionId->1 User Process sihost.exe
No.036: Parent: 0x00130 Child: 0x00e7c SessionId->1 User Process taskhostw.exe
No.037: Parent: 0x0140c Child: 0x00d3c SessionId->1 User Process userinit.exe
No.038: Parent: 0x00d3c Child: 0x00614 SessionId->1 User Process explorer.exe
No.039: Parent: 0x00318 Child: 0x014a4 SessionId->1 User Process RuntimeBroker.
No.040: Parent: 0x00318 Child: 0x00464 SessionId->1 User Process SearchUI.exe
No.041: Parent: 0x00614 Child: 0x011bc SessionId->1 User Process RAVCpl64.exe
No.042: Parent: 0x00614 Child: 0x010dc SessionId->1 User Process TPwrMain.exe
No.043: Parent: 0x00614 Child: 0x018f4 SessionId->1 User Process SmoothView.exe
No.044: Parent: 0x00614 Child: 0x011c0 SessionId->1 User Process TCrdMain.exe
No.045: Parent: 0x00614 Child: 0x00ce4 SessionId->1 User Process OneDrive.exe
No.046: Parent: 0x002b4 Child: 0x016a8 SessionId->1 User Process svchost.exe
No.047: Parent: 0x00318 Child: 0x01b94 SessionId->1 User Process ImeBroker.exe
No.048: Parent: 0x00318 Child: 0x01d60 SessionId->1 User Process ApplicationFra
No.049: Parent: 0x00318 Child: 0x00a60 SessionId->1 User Process ShellExperienc
No.050: Parent: 0x00008 Child: 0x01d4c SessionId->0 System Process audiodg.exe
No.051: Parent: 0x00614 Child: 0x013d0 SessionId->1 User Process thunderbird.ex
No.052: Parent: 0x00318 Child: 0x01434 SessionId->0 System Process WmiPrvSE.exe
No.053: Parent: 0x00318 Child: 0x011fc SessionId->1 User Process InstallAgent.e
No.054: Parent: 0x01564 Child: 0x01be0 SessionId->1 User Process chrome.exe
No.055: Parent: 0x00614 Child: 0x01bf0 SessionId->1 User Process NotMyfault.exe
No.056: Parent: 0x00a90 Child: 0x01318 SessionId->1 User Process SearchProtocol
No.057: Parent: 0x00a90 Child: 0x01f20 SessionId->0 System Process SearchFilterHo
No.058: Parent: 0x00a90 Child: 0x01f28 SessionId->0 System Process SearchProtocol
Looking at this result, there appears to be almost no change from the Windows 7 era. However, in a Windows 10 environment with a newer build number, the return on the security investment made since the early 2000s is reflected as follows.
1: kd> vertarget
Windows 10 Kernel Version 10586 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.162.amd64fre.th2_release_sec.160223-1728
Machine Name:
Kernel base = 0xfffff800`40c7e000 PsLoadedModuleList = 0xfffff800`40f5ccd0
Debug session time: Wed Mar 23 08:01:18.208 2016 (UTC + 9:00)
System Uptime: 0 days 15:55:12.887
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x0014c smss.exe
No.003: Parent: 0x001d4 Child: 0x001e0 SessionId->0 System Process csrss.exe
No.004: Parent: 0x0014c Child: 0x00220 SessionId->1 User Process smss.exe
No.005: Parent: 0x001d4 Child: 0x00228 SessionId->0 System Process wininit.exe
No.006: Parent: 0x00220 Child: 0x00238 SessionId->1 User Process csrss.exe
No.007: Parent: 0x00228 Child: 0x0026c SessionId->0 System Process services.exe
No.008: Parent: 0x00228 Child: 0x00274 SessionId->0 System Process lsass.exe
No.009: Parent: 0x00220 Child: 0x002b4 SessionId->1 User Process winlogon.exe
No.010: Parent: 0x0026c Child: 0x002f8 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x0026c Child: 0x00324 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002b4 Child: 0x003b4 SessionId->1 User Process dwm.exe
No.013: Parent: 0x0026c Child: 0x00044 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x0026c Child: 0x00164 SessionId->0 Service Process svchost.exe
[---]
When looking at this result, pay attention to the parent-child relationship between the "smss.exe" (Session Manager) and "winlogon.exe" processes. The relationship between these two gives the impression of a reversion to the Windows XP-era approach ("smss.exe" starts "winlogon.exe"), but in reality the parent-child relationships and behavioral specification of the "smss.exe" (Session Manager) process have been redesigned, and sandboxing is being advanced. Witnessing kernel-internal changes on such a short cycle in detail, one must be prepared for the results of long-term investment in the security field to continue being implemented at the kernel level, boldly and unnoticed. It should also be recognized that timely disclosure of such critically important changes to kernel-internal specifications can hardly be expected.