Amazing Tasklist Utility!

by Chetan Gupta, NII Consulting

I was looking for a utility which allows me to remotely access running processes’ list of a suspect machine running Windows OS. I found this wonderful utility which allows to not only view the processses and their PIDs but also filter the processes according to the certain criteria such as username, memory usage, loaded modules, services, status of the services and even Windows title!
The MS description for this command says:
This command line tool displays a list of application(s) and associated task(s)/process(es) currently running on either a local or remote system.

Let me illustrate the power of this command with an example: Suppose, you, as an investigator want to see the processes running on a remote system while the suspect is on the system, you would run the following command (assuming you have the password for a valid user on the system)

C:>TASKLIST.EXE /S 192.168.0.2 /U CORPKUSH /FI "USERNAME ne SYSTEM" /FI "STATUS eq RUNNING"

Here:

The IP of the remote system:192.168.0.2

The domain:CORP

The user being used to connect: KUSH

The above command would enable the investigator to see all the running processes started by the user “KUSH”. He would be able to see any “out of the ordinary” process being run by the user!
For further information about the filters and options supported, just type

c:windowssystem32>tasklist.exe /?

TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

……

Happy experimentation!

  •  
  •  
  •  
  •  
  •  
  •  
  •