Query Details

Identify Unexpected Or Unknown Processes Running From Unusual Paths

Query

Use Case: Filtering and sorting processes to identify and analyze non-system processes running on a Windows computer.

Query:

Process
| where not(Path contains 'C:\\Windows\\' 
            or Path contains 'C:\\Program Files\\'
            or Path contains 'C:\\Program Files (x86)\\'
            or Path contains 'C:\\Users\\')
| project ProcessId, ProcessName, Path
| order by ProcessName

Explanation

The query lists processes on a Windows computer whose executable path lies outside the usual locations. It excludes any process whose Path contains 'C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\' or 'C:\Users\' (KQL 'contains' is a case-insensitive substring match, so a path written as 'c:\windows\...' is excluded too), then projects the process ID, process name, and path, and finally sorts the results by process name ('order by' sorts descending unless 'asc' is specified). Note that the 'C:\Users\' term also hides processes started from user-writable locations such as AppData or Temp; drop that term from the exclusion list if those are of interest.
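As an added example (not part of the original page or its author's query), the same filter re-implemented in Python over constructed process records. It mirrors the KQL semantics that matter here: 'contains' is case-insensitive, and 'order by' is descending by default; the record field names and sample rows are assumptions.

```python
"""Offline re-implementation of the KQL filter above, applied to constructed
process records. Mirrors KQL semantics: `contains` is a case-insensitive
substring match, and `order by` sorts descending unless `asc` is given."""

# Exclusion list exactly as in the page's query.
DEFAULT_EXCLUDED = (
    "C:\\Windows\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Users\\",
)

# Constructed sample rows (hypothetical; not real telemetry).
SAMPLE_PROCESSES = [
    {"ProcessId": 4, "ProcessName": "System", "Path": "C:\\Windows\\System32\\ntoskrnl.exe"},
    {"ProcessId": 812, "ProcessName": "svchost.exe", "Path": "c:\\windows\\system32\\svchost.exe"},
    {"ProcessId": 1504, "ProcessName": "chrome.exe", "Path": "C:\\Program Files\\Google\\Chrome\\chrome.exe"},
    {"ProcessId": 2210, "ProcessName": "updater.exe", "Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"ProcessId": 3350, "ProcessName": "svchost.exe", "Path": "C:\\ProgramData\\svchost.exe"},
    {"ProcessId": 4120, "ProcessName": "agent.exe", "Path": "D:\\Tools\\agent.exe"},
]


def kql_contains(haystack, needle):
    """KQL `contains`: case-insensitive substring test (`contains_cs` is the case-sensitive form)."""
    return needle.lower() in haystack.lower()


def find_unusual_path_processes(processes, excluded=DEFAULT_EXCLUDED):
    """Return (ProcessId, ProcessName, Path) tuples for processes whose Path contains
    none of the excluded fragments, ordered by ProcessName descending as the query does."""
    kept = [
        (p["ProcessId"], p["ProcessName"], p["Path"])
        for p in processes
        if not any(kql_contains(p["Path"], frag) for frag in excluded)
    ]
    return sorted(kept, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Page's exclusion list: the lowercase c:\windows\ row is excluded, the AppData row is hidden.
    for row in find_unusual_path_processes(SAMPLE_PROCESSES):
        print(row)
    # Narrowed exclusion list (C:\Users\ dropped): the AppData\Temp process surfaces as well.
    for row in find_unusual_path_processes(SAMPLE_PROCESSES, DEFAULT_EXCLUDED[:3]):
        print(row)
```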

Details


Ugur Koc

Released: February 4, 2024

Tables

Process

Keywords

Process, Path, ProcessId, ProcessName

Operators

where, not, contains, or, project, order by
