3.0.3 Identify Running Processes

Class Activity – Identify Running Processes

Objectives

In this lab, you will use TCP/UDP Endpoint Viewer, a tool in Sysinternals Suite, to identify any running processes on your computer.

Part 1: Download Windows Sysinternals Suite.

Part 2: Start TCP/UDP Endpoint Viewer.

Part 3: Explore the running processes.

Part 4: Explore a user-started process.

Background / Scenario

In this lab, you will explore processes. Processes are programs or applications in execution. You will explore the processes using Process Explorer in the Windows Sysinternals Suite. You will also start and observe a new process.

Required Resources
· 1 Windows PC with internet access

Instructions

Part 1: Download Windows Sysinternals Suite.

a. Navigate to the following link to download Windows Sysinternals Suite:

https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

b. After the download is complete, right-click the zip file and choose Extract All… to extract the files from the archive. Keep the default name and destination in the Downloads folder and click Extract.

c. Exit the web browser.

Part 2: Start TCP/UDP Endpoint Viewer.

a. Navigate to the SysinternalsSuite folder containing the extracted files.

b. Open Tcpview.exe. Accept the Process Explorer License Agreement when prompted. Click Yes to allow this app to make changes to your device.

c. Exit File Explorer and close all other running applications.

Part 3: Explore the running processes.

a. TCPView lists the processes that currently have TCP or UDP endpoints on your Windows PC. At this time, only Windows processes are running.

b. Double-click lsass.exe.

Question:

What is lsass.exe? In what folder is it located?

lsass.exe stands for Local Security Authority Subsystem Service, which handles security policies, authentication and Active Directory. You can find it in the C:\Windows\System32 folder.


c. Close the properties window for lsass.exe when done.

d. View the properties for the other running processes.

Note: Not all processes can be queried for properties information.

Part 4: Explore a user-started process.

a. Open a web browser, such as Microsoft Edge.

Screenshot of TCPView with the web browser processes highlighted.

b. Close the web browser.

Question:

What did you observe in TCPView?

In the new TCPView window, I observe the following:

Process Information:
· The process lsass.exe (PID 552) is still in the LISTENING state for both TCP and TCPv6 protocols.
· Multiple instances of MicrosoftEdgeCP.exe (PID 5596) are actively connected, indicated by the ESTABLISHED state.
· The services.exe process (PIDs 544 and 540) is also visible, and it appears to be in the LISTENING state on Local Ports 49688 and 49668.

Color Changes:
· Some of the entries, specifically for MicrosoftEdgeCP.exe, are highlighted in green. This indicates that these connections have recently been established, since green typically highlights new connections in TCPView.

Connection States:
· MicrosoftEdgeCP.exe is connected over multiple local ports (50337, 50338, 50340, etc.) to remote servers, some of which are using HTTPS (msedge.net) or specific IP addresses.
· These connections are established with different remote addresses and use HTTPS as their communication protocol.

Summary Stats (bottom bar):
· Total Endpoints: 52 (decreased from the previous 65)
· Established: 7 (decreased from 20)
· Listening: 18 (unchanged)
· Time Wait: 0
· Close Wait: 6 (unchanged)

Screenshot of TCPview showing the browser processes in red.

c. Reopen the web browser. Research some of the processes listed in TCPView. Record your findings.

In the TCPView window, I observe the following:

Process Information:
· The process highlighted is lsass.exe (Local Security Authority Subsystem Service) with PID 552.
· Another instance of lsass.exe is running with the same PID but using the TCPv6 protocol.
· Multiple instances of MicrosoftEdgeCP.exe (Microsoft Edge Content Process) are visible, all with PID 5596 and different local ports.

Connection States:
· lsass.exe is in the LISTENING state on both TCP and TCPv6.
· The MicrosoftEdgeCP.exe processes are in the ESTABLISHED state, indicating they have active connections.

Protocol Information:
· The protocols in use are TCP and TCPv6.
· lsass.exe is listening on Local Port 49669 for TCP and Local Port 49669 for TCPv6.
· The MicrosoftEdgeCP.exe instances use different local ports and are connected to remote servers using HTTPS.

Port Information:
· The Local Ports for MicrosoftEdgeCP.exe range from 50337 to 50344.
· The Remote Address for these connections corresponds to various domains and IP addresses, mostly associated with Microsoft (e.g., msedge.net).

Overall Statistics (at the bottom):
· Endpoints: 65
· Established: 20
· Listening: 18
· Time Wait: 0
· Close Wait: 6
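The same observations from Parts 3 and 4 can be reproduced from a PowerShell prompt, which is useful when TCPView is not available or when you want a record of which process opened which endpoint. This is an added example, not part of the Cisco lab or the Sysinternals tools; it assumes Windows 8 or later (the NetTCPIP module) and an elevated prompt, and the Get-EndpointSnapshot function name is my own.

```powershell
# Added example (not part of the Cisco lab): reproduce TCPView's listing with
# built-in cmdlets and diff two snapshots, as Part 4 does by starting and
# closing a browser. Assumes Windows 8+/NetTCPIP and an elevated prompt, which
# is needed to read the image path of protected processes such as lsass.exe.
function Get-EndpointSnapshot {
    # Resolve PIDs to process objects once rather than calling Get-Process per endpoint.
    $proc = @{}
    Get-Process | ForEach-Object { $proc[$_.Id] = $_ }
    $tcp = Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{
            Protocol = if ($_.LocalAddress -like '*:*') { 'TCPv6' } else { 'TCP' }
            PID      = [int]$_.OwningProcess
            Process  = $proc[[int]$_.OwningProcess].ProcessName
            Path     = $proc[[int]$_.OwningProcess].Path
            Local    = "$($_.LocalAddress):$($_.LocalPort)"
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            State    = [string]$_.State
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Protocol = if ($_.LocalAddress -like '*:*') { 'UDPv6' } else { 'UDP' }
            PID      = [int]$_.OwningProcess
            Process  = $proc[[int]$_.OwningProcess].ProcessName
            Path     = $proc[[int]$_.OwningProcess].Path
            Local    = "$($_.LocalAddress):$($_.LocalPort)"
            Remote   = '*:*'
            State    = ''
        }
    }
    return @($tcp) + @($udp)
}

# Part 3 equivalent: which processes are listening, and where each image lives.
Get-EndpointSnapshot | Where-Object State -eq 'Listen' |
    Sort-Object Process | Format-Table Protocol, Process, PID, Local, Path -AutoSize

# Part 4 equivalent: snapshot, use and close the browser, snapshot again, diff.
$before = Get-EndpointSnapshot
Read-Host 'Open the browser, load a page, close it, then press Enter'
$after = Get-EndpointSnapshot
# Rows only in $after are new endpoints (green in TCPView); rows only in $before are gone (red).
Compare-Object $before $after -Property Protocol, PID, Local, Remote, State |
    ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'NEW ' } else { 'GONE' }
        '{0} {1,-5} {2,-22} PID {3,-6} {4} -> {5} {6}' -f $tag, $_.Protocol,
            (Get-Process -Id $_.PID -ErrorAction SilentlyContinue).ProcessName,
            $_.PID, $_.Local, $_.Remote, $_.State
    }
```

Processes that exited between the two snapshots resolve to an empty name in the diff, which is itself a useful signal that a short-lived process held an endpoint.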