Operator On The Wire

pstree

Walks the ActiveProcessLinks list starting at PsActiveProcessHead and reconstructs the parent/child hierarchy from each EPROCESS's recorded parent PID.

Usage

  • Visualize process parent/child relationships.
  • Identify abnormal spawning chains (e.g., explorer.exe → cmd.exe → powershell.exe).
  • Detect suspicious parentage (Office → child process, browser → cmd, etc.).
  • Quickly spot orphaned or reparented processes.

Misses

  • DKOM-unlinked processes (removed from ActiveProcessLinks, so the walk never reaches them).
  • Fully hidden processes that are only discoverable via pool scanning (psscan / windows.psscan).
  • Parent spoofing artifacts if the attacker manipulated EPROCESS fields: pstree reports whatever parent PID the EPROCESS records, so a forged parent looks legitimate.

Commands

# Reconstruct process tree (Vol2)
vol.py -f <mem> --profile=<profile> pstree

# Reconstruct process tree (Vol3)
python3 vol.py -f <mem> windows.pstree
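The checks listed under Usage and Misses can be scripted once the process listing is out of Volatility. The following is an added example, not Volatility code and not part of this knowledge base entry: it takes (PID, PPID, ImageFileName) rows, as you would export from windows.pslist or windows.pstree, rebuilds the tree, and flags orphaned or reparented processes, Office/browser-to-shell chains, and PIDs that a pool scan returns but the linked list does not. The rows, the suspicious-parent and shell name sets, and the function names are all constructed for this illustration.

```python
"""Added example: rebuild a process tree from a Volatility-style listing
and flag the anomalies the pstree plugin is used to hunt for.
Illustration code only; not part of Volatility."""
from collections import defaultdict

# Constructed sample rows: (pid, ppid, name). Nothing here comes from a real image.
SAMPLE = [
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (520, 400, "csrss.exe"),
    (600, 400, "wininit.exe"),
    (700, 600, "services.exe"),
    (1200, 700, "svchost.exe"),
    (2000, 1500, "explorer.exe"),    # parent (userinit) has exited: a normal orphan
    (3000, 2000, "WINWORD.EXE"),
    (3100, 3000, "cmd.exe"),         # Office spawning a shell
    (3200, 3100, "powershell.exe"),
    (4000, 2000, "chrome.exe"),
    (4100, 4000, "cmd.exe"),         # browser spawning a shell
    (5000, 9999, "svchost.exe"),     # claims a parent that is not in the listing
]

# Constructed pool-scan result: same PIDs plus one that is not in the linked list.
SCANNED_PIDS = {pid for pid, _, _ in SAMPLE} | {6000}

# Hypothetical watch lists; extend to taste for your environment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}


def build_tree(rows):
    """Index rows by PID and build a parent -> children map."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in rows}
    children = defaultdict(list)
    for pid, ppid, _ in rows:
        children[ppid].append(pid)
    return by_pid, children


def find_orphans(rows):
    """PIDs whose recorded parent is absent from the listing.
    Covers both exited parents and reparenting; PPID 0 (System) is not an orphan."""
    by_pid, _ = build_tree(rows)
    return sorted(pid for pid, (ppid, _) in by_pid.items()
                  if ppid != 0 and ppid not in by_pid)


def find_suspicious_chains(rows):
    """(parent_name, parent_pid, child_name, child_pid) for watch-listed parent -> shell pairs."""
    by_pid, _ = build_tree(rows)
    hits = []
    for pid, (ppid, name) in by_pid.items():
        parent = by_pid.get(ppid)
        if parent and parent[1].lower() in SUSPICIOUS_PARENTS and name.lower() in SHELLS:
            hits.append((parent[1], ppid, name, pid))
    return sorted(hits)


def unlinked_candidates(rows, scanned_pids):
    """PIDs seen by a pool scan but missing from the linked-list walk:
    the DKOM case that pstree alone cannot show."""
    by_pid, _ = build_tree(rows)
    return sorted(scanned_pids - set(by_pid))


def render_tree(rows):
    """Indented tree lines, one per process, in the style of pstree output."""
    by_pid, children = build_tree(rows)
    lines = []

    def walk(pid, depth):
        ppid, name = by_pid[pid]
        lines.append(f"{'. ' * depth}{name} (pid {pid}, ppid {ppid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    # Roots are processes whose parent is not in the listing (System and any orphan).
    for root in sorted(pid for pid, (ppid, _) in by_pid.items() if ppid not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE)))
    print("orphans:", find_orphans(SAMPLE))
    print("suspicious chains:", find_suspicious_chains(SAMPLE))
    print("scanned but unlinked:", unlinked_candidates(SAMPLE, SCANNED_PIDS))
```

On the constructed rows this reports explorer.exe (2000) and svchost.exe (5000) as orphans, the WINWORD.EXE → cmd.exe and chrome.exe → cmd.exe chains, and PID 6000 as present only in the scan. Note that explorer.exe is routinely an orphan because userinit.exe exits after launching it, so orphan hits need triage against the expected parent for each image name rather than being treated as alerts on their own.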