PROCESS Class (Windows Environment)

Each record in the PROCESS class defines an object consisting of an executable program, a set of virtual memory addresses, and a thread as listed in the Windows Task Manager.
You cannot create new objects in the PROCESS class using Privileged Access Manager.
The key of the PROCESS class record is the name of the executable module of the running program.
The following definitions describe the properties contained in this class record. There are no modifiable properties in this class. Non-modifiable properties are marked informational.
  • IMAGE_PATH
    (Informational). The fully qualified path for the specified executable module.
  • PROCESS_ID
    (Informational). The unique identifier of the process. Process ID numbers are reused, so they identify a process only for the lifetime of that process.
Consider the following limitations when using the PROCESS class:
  • Privileged Access Manager traces process creation in Windows. However, seosd fetches new process arguments and writes the arguments to the general trace only if the user who started the process is marked to be traced.
  • When a new process is created, its arguments may not be available until the process finishes initialization. seosd attempts to trace the process arguments asynchronously; however, if the process is very short-lived, it may terminate before seosd can fetch the process arguments and write them to the trace. In this case, the following message appears in the trace:
    EXECARGS: Not available (87)
  • Process IDs are reused in Windows. If a process is very short-lived, it is theoretically possible that seosd will fetch process arguments for a different process that acquired the same process ID, and write these arguments to the trace.
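
The process ID reuse limitation applies to any tooling that reads a process's arguments after the process was created. The following PowerShell is an added example, not part of Privileged Access Manager or its documentation: it uses the standard Win32_Process CIM class to record a process as the pair (process ID, creation time) and refuses to attribute a command line when that pair no longer matches. The function names are hypothetical, and treating ExecutablePath as the counterpart of IMAGE_PATH is an assumption.

```powershell
# Added example; function names are hypothetical and not a product API.
# A PID alone identifies a process only while it is alive, so the identity
# recorded here is (ProcessId, CreationDate).

function Get-ProcessIdentity {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId" `
                         -ErrorAction SilentlyContinue
    if (-not $p) { return $null }           # process exited before the snapshot
    [pscustomobject]@{
        ProcessId    = $p.ProcessId
        CreationDate = $p.CreationDate      # DateTime; distinguishes reuses of the PID
        ImagePath    = $p.ExecutablePath    # assumed counterpart of IMAGE_PATH
    }
}

function Get-VerifiedCommandLine {
    param([Parameter(Mandatory)]$Identity)
    $p = Get-CimInstance -ClassName Win32_Process `
                         -Filter "ProcessId = $($Identity.ProcessId)" `
                         -ErrorAction SilentlyContinue
    if (-not $p) {
        # Short-lived process: arguments can no longer be fetched.
        return [pscustomobject]@{ Status = 'Exited'; CommandLine = $null }
    }
    if ($p.CreationDate -ne $Identity.CreationDate) {
        # Same PID, different creation time: a different process now owns it.
        return [pscustomobject]@{ Status = 'PidReused'; CommandLine = $null }
    }
    # CommandLine may still be $null if the caller lacks access to the process.
    [pscustomobject]@{ Status = 'Match'; CommandLine = $p.CommandLine }
}

# Demonstration against the current PowerShell process ($PID is built in).
$identity = Get-ProcessIdentity -ProcessId $PID
Start-Sleep -Milliseconds 200               # stands in for an asynchronous delay
Get-VerifiedCommandLine -Identity $identity
```

When reviewing trace records for very short-lived processes, apply the same caution: arguments recorded next to a process ID are reliable only if they can be tied to the same process instance.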