matthewdunwoody
commented
8 years ago Additional details on updated win10 4688: https://technet.microsoft.com/en-us/library/mt431757(v=vs.85).aspx
Closed matthewdunwoody closed 8 years ago
matthewdunwoody
commented
8 years ago Additional details on updated win10 4688: https://technet.microsoft.com/en-us/library/mt431757(v=vs.85).aspx
williballenthin
commented
8 years ago looks great, thanks!
There are three pieces to this update.
First, I changed the way that unknown command line arguments are recorded - displaying "UNKNOWN" instead of an empty string. I also added serialization for the command line, which I had overlooked.
Second, I added support for parent process name. Windows 10 added a ParentProcessName event log field in 4688 events. I used this field to supply the correct name to "fake parent process" objects.
Third, I identified a bug which resulted in some children of "fake parent process" objects being dropped from the process tree. I corrected this on line 183.