Last Updated: 2012-07-20 13:56:57 UTC
by Mark Baggett (Version: 1)
Window’s Resource Monitor is a hidden gem within the OS that can be very useful to an incident responder in a crunch. It isn’t as comprehensive as SysInternals Process Monitor but it is built in to Windows so you can use it on a computer with no internet connection. It lacks the depth of WMIC but it does have a very nice GUI (if you are into that sort of thing). In short, resource monitor is a worthy addition to the incident responders toolkit. Resource Monitor isn’t a separate program, but rather it is an operational mode for Performance Monitor (Perfmon.exe). If you start Performance Monitor with the "/res" option you will see the Resource Monitor interface. Click START->Run and type “Perfmon.exe /res” and press Enter. Here is what it looks like.
It has a series of Tabs across the top (Number 1) for Overview, CPU, Memory, Disk and Network. Each of the tabs is broken down into sections that can be expanded or collapsed by clicking the arrow on each section's header (Number 2). The top section on each tab allows you to check a box next to a process names that will apply a filter to the other sections of the tab. So by checking the box next to “Firefox.exe” you will only see disk, memory and network resources associated with the Firefox process. The disk section shows you files that are open by the process. The networking section will show you the fully qualified DNS name for each of the TCP and UDP connections in use by that process. The memory section gives you a quick look at how much memory is in use by the process. That’s about it for the Overview tab. If that didn't tell you everything you wanted you can refer to the CPU, Memory, Disk and Network tabs for more information. Lets take a look at the CPU tab.
The CPU tab has some nice features. By selecting a process you can see all of the OS Handles in use by the process (number 4). It even has a search feature that allows you search all of the open handles. The Modules section (number 5) will show you all of the DLLs that are in use by the process.
I’ll leave the remaining tabs for you to explore on your own. I think you will find that in a pinch resource monitor is a good way for a first responder to get a first look at what is happening on a computer.
Performance monitor used Performance counters and Event Tracing for Windows to capture data from various sources. The "/res" option is one of performance monitors way of displaying that information to you. If you are curious what other modes Performance Monitor has give “perfmon.exe /report” a try. If your want to see how a penetration tester might use Event tracing check out this article.
Join me for SANS 504 Hacker Techniques, Exploits and Incident response in San Antonio Texas November 27th - December 2nd 2012 in San Antonio Texas!
On Twitter @markbaggett