Operator On The Wire

pslist

Walks the kernel's active process linked list (PsActiveProcessHead).

Usage

  • Baseline OS-visible processes.

Misses

  • Processes unlinked from the list via DKOM.

Commands

# List active processes (Vol2)
vol.py -f <mem> --profile=<profile> pslist

# List active processes (Vol3)
python3 vol.py -f <mem> windows.pslist
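
Because pslist only sees what is still linked, a cross-view diff against a pool scan is the usual way to surface what it misses. The script below is an added example, not part of the original page: it assumes tab-separated Volatility 3 output with `PID`, `ImageFileName` and `ExitTime` header columns, uses `windows.psscan` (a plugin this page does not cover) as the second view, and runs on constructed sample rows.

```python
import csv
import io

# Constructed sample output (not from a real image), trimmed to the columns used.
PSLIST_OUT = """PID\tPPID\tImageFileName\tExitTime
4\t0\tSystem\tN/A
512\t4\tsmss.exe\tN/A
1840\t780\texplorer.exe\tN/A
"""

# Constructed windows.psscan output for the same hypothetical image.
PSSCAN_OUT = """PID\tPPID\tImageFileName\tExitTime
4\t0\tSystem\tN/A
512\t4\tsmss.exe\tN/A
1840\t780\texplorer.exe\tN/A
2296\t1840\tcmd.exe\t2024-01-01 10:02:11.000000
3104\t780\tunlinked.exe\tN/A
"""


def parse_rows(text):
    """Parse tab-separated plugin output into {pid: row}, keyed by header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    # Skip any banner or progress lines printed before the header row.
    start = next(i for i, line in enumerate(lines)
                 if line.split("\t")[0].strip() == "PID")
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])), delimiter="\t")
    return {int(row["PID"]): row for row in reader}


def hidden_candidates(pslist_text, psscan_text):
    """Return (pid, name) for processes found by the scan but absent from the list walk."""
    listed = parse_rows(pslist_text)
    scanned = parse_rows(psscan_text)
    candidates = []
    for pid, row in sorted(scanned.items()):
        if pid in listed:
            continue
        # Exited processes are legitimately removed from the active list,
        # so only scan-only entries with no exit time are worth triage.
        exited = row["ExitTime"].strip() not in ("", "N/A")
        if not exited:
            candidates.append((pid, row["ImageFileName"].strip()))
    return candidates


if __name__ == "__main__":
    for pid, name in hidden_candidates(PSLIST_OUT, PSSCAN_OUT):
        print(f"scan-only, no exit time: PID {pid} {name}")
```

A hit is a lead, not a verdict: keying on PID alone ignores PID reuse, and stale pool entries can also appear in scan results.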