Operator On The Wire· OOTW · 2026 ·

← Back to Knowledge Base

BLUE TEAM / DFI / MEMORY / DUMP / VOLATILITY / Processes

psscan

Walks Pool scan for EPROCESS objects

Usage

Unlinked processes
Terminated remnants (sometimes)

Misses

Overwritten pool memory
Advanced acquisition tampering

Commands

# Scan for hidden/terminated processes (Vol2)  
vol.py -f <mem> --profile=<profile> psscan  
  
# Scan for hidden/terminated processes (Vol3)  
python3 vol.py -f <mem> windows.psscan