How to Investigate Suspicious Process Activity on Windows

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
When an alert fires on a suspicious process: powershell.exe spawned by Word.exe, cmd.exe with an encoded command line, certutil.exe downloading from an external URL: the investigation follows a consistent pattern: understand the process creation context, examine what it did (network, file, registry), identify persistence, and determine scope.
This guide covers the tools and commands for each investigation step, in the order they should be executed.
Step 1: Process Creation Context
The most revealing aspect of a suspicious process is how it was created: what launched it, with what arguments, and under what user account.
Via Windows Event Log (requires 'Audit Process Creation' + command-line logging policy):
# Enable command-line logging if not already enabled
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -Name ProcessCreationIncludeCmdLine_Enabled -Value 1
# Find process creation events for a specific process
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
Where-Object { $_.Message -match 'powershell.exe' } |
Select-Object TimeCreated, @{N='ProcessName';E={$_.Properties[5].Value}},
@{N='CommandLine';E={$_.Properties[8].Value}},
@{N='ParentProcess';E={$_.Properties[13].Value}},
@{N='User';E={$_.Properties[1].Value}} |
Sort-Object TimeCreated -Descending | Select-Object -First 20
Via Sysmon (Event ID 1: process creation): Sysmon provides more detail than native event logging:
# Query Sysmon process creation events
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=1] and EventData[Data[@Name='Image'] and (Data='C:\Windows\System32\powershell.exe')]]" |
ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
TimeCreated = $_.TimeCreated
Image = $xml.Event.EventData.Data | Where-Object Name -eq 'Image' | Select-Object -ExpandProperty '#text'
CommandLine = $xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine' | Select-Object -ExpandProperty '#text'
ParentImage = $xml.Event.EventData.Data | Where-Object Name -eq 'ParentImage' | Select-Object -ExpandProperty '#text'
ParentCommandLine = $xml.Event.EventData.Data | Where-Object Name -eq 'ParentCommandLine' | Select-Object -ExpandProperty '#text'
User = $xml.Event.EventData.Data | Where-Object Name -eq 'User' | Select-Object -ExpandProperty '#text'
Hashes = $xml.Event.EventData.Data | Where-Object Name -eq 'Hashes' | Select-Object -ExpandProperty '#text'
}
}
High-suspicion parent-child combinations:
- Word.exe / Excel.exe spawning powershell.exe, cmd.exe, or wscript.exe (macro execution)
- browser process spawning cmd.exe or powershell.exe (browser exploit)
- services.exe spawning cmd.exe with an encoded command line (service-based persistence)
- msiexec.exe spawning cmd.exe (malicious installer)
- Any process spawning certutil.exe, mshta.exe, regsvr32.exe, or bitsadmin.exe with network arguments
Step 2: Sysinternals Live Investigation
For a live system, Sysinternals tools provide immediate visibility.
Process Explorer: the first tool to open:
Download: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Run as Administrator
Process Explorer shows the full process tree, CPU/memory usage, and the DLLs loaded by each process. Right-click any process > Properties > Strings tab to see embedded strings (URLs, IP addresses, file paths).
Configure VirusTotal integration: Options > VirusTotal.com > Check VirusTotal.com. This checks each process's hash against VirusTotal: processes with positive detections appear highlighted in red.
Key indicators in Process Explorer:
- Process without a parent (orphaned): suggests the parent was killed or the process was launched by malware that terminated itself
- Process running from a temp directory (%TEMP%, %APPDATA%, C:\Windows\Temp): highly suspicious
- Two processes with the same name but one has a different path (svchost.exe not in C:\Windows\System32 is always suspicious)
- Process with a VirusTotal positive count > 0
Process Monitor: what the process is doing:
Download: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Run as Administrator
Process Monitor captures all file system, registry, and network activity in real time. To investigate a specific process:
- Filter > Add Filter > Process Name > is > suspicious.exe > Include
- Look for: file writes to startup locations (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), network connection events, reads of credential stores
Autoruns: persistence discovery:
Download: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Run as Administrator with VirusTotal integration enabled (Options > Scan Options > Check VirusTotal.com)
Autoruns shows every startup location and mechanism in Windows. Malware persistence is highlighted by VirusTotal hits or entries in unusual locations. Sort by 'Image Not Found' (deleted persistence that still has a registry entry) and 'Entry Date' (recently created entries).
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Step 3: Network Connection Investigation
After understanding the process, identify its network activity.
Current connections (live system):
# All current network connections with process names and PIDs
Get-NetTCPConnection -State Established |
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess).ProcessName}}, OwningProcess |
Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' } |
Sort-Object Process
# Or with netstat (includes process names)
netstat -b -n -o
Historical network connections from Sysmon (Event ID 3: network connection):
$startTime = (Get-Date).AddHours(-24)
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=3 and TimeCreated[@SystemTime>='$($startTime.ToUniversalTime().ToString("o"))')]]" |
ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
TimeCreated = $_.TimeCreated
Image = ($xml.Event.EventData.Data | Where-Object Name -eq 'Image').'#text'
DestinationIp = ($xml.Event.EventData.Data | Where-Object Name -eq 'DestinationIp').'#text'
DestinationPort = ($xml.Event.EventData.Data | Where-Object Name -eq 'DestinationPort').'#text'
DestinationHostname = ($xml.Event.EventData.Data | Where-Object Name -eq 'DestinationHostname').'#text'
}
} | Where-Object { $_.Image -match 'suspicious|powershell|cmd' }
Threat intelligence lookup on discovered IPs:
# Quick VirusTotal lookup via API (requires free API key)
$ip = '1.2.3.4'
$apiKey = $env:VT_API_KEY
Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/ip_addresses/$ip" -Headers @{'x-apikey'=$apiKey} |
Select-Object -ExpandProperty data | Select-Object -ExpandProperty attributes |
Select-Object last_analysis_stats, reputation
Step 4: Determine Scope and Contain
After identifying what the suspicious process did, determine how far the compromise extends.
Check for additional compromised systems using SIEM correlation:
// Microsoft Sentinel: find all systems where the same process hash was seen
DeviceProcessEvents
| where SHA256 == "<hash_of_suspicious_process>"
| distinct DeviceName, AccountName, FileName, ProcessCommandLine
| sort by DeviceName asc
Check for lateral movement from the compromised host:
// Network connections from the compromised host in the compromise window
DeviceNetworkEvents
| where DeviceName == "COMPROMISED-WORKSTATION"
| where Timestamp > datetime(2026-06-26T10:00:00) and Timestamp < datetime(2026-06-26T14:00:00)
| where RemoteIPType != "Private"
| project Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| sort by Timestamp asc
Document and contain:
- Collect the process image (binary), parent process image, and any dropped files for malware analysis
- Preserve the process memory if live forensics is required:
procdump -ma <PID> process.dmp - Isolate the endpoint (EDR isolation, or network disconnect)
- Report findings: hash of malicious binary, C2 IPs/domains, persistence mechanism found, user account involved, first-seen timestamp
- Hunt for the same indicators across all other endpoints in your environment
The bottom line
Windows process investigation follows four steps: examine process creation context (parent process, command line, user: from Event ID 4688 with command-line logging or Sysmon Event ID 1), use Process Explorer and Process Monitor for live visibility into what the process is doing, investigate network connections from Sysmon Event ID 3 or current connection state, and scope the compromise by hunting the same indicators across other endpoints. Enable Sysmon before an incident: native Windows audit logging lacks the command-line detail needed for effective investigation.
Frequently asked questions
How do you investigate a suspicious process on Windows?
Check the parent process and command-line arguments (Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line logging enabled), open Process Explorer to see the full process tree and loaded DLLs with VirusTotal integration, use Process Monitor to capture file and registry writes, check network connections via Sysmon Event ID 3, and look for persistence via Autoruns.
What Windows event ID logs process creation?
Event ID 4688 in the Windows Security log records process creation, but it only includes command-line arguments if the 'Audit Process Creation' policy is enabled and the command-line audit subcategory is configured (via 'Audit Process Creation Include Command Line' registry setting). Sysmon Event ID 1 is more comprehensive: it includes the process hash, parent command line, and GUID: and is the preferred source for process investigation.
What is Sysmon and how do I deploy it for Windows process monitoring?
Sysmon (System Monitor) is a free Microsoft Sysinternals tool that provides detailed Windows telemetry not available in the native Windows event log: process creation with full command lines and hashes, network connections with process context, registry modifications, file creation timestamps, and driver loads. Deploy: download from Sysinternals, install with 'sysmon64.exe -accepteula -i sysmon-config.xml'. Use a community-maintained config (SwiftOnSecurity or olafhartong/sysmon-modular on GitHub) for a baseline ruleset. Deploy via GPO software installation, Intune, or Ansible at scale. Sysmon logs appear in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
How do I investigate a suspicious parent-child process relationship on Windows?
Suspicious parent-child relationships are a primary malware detection technique. Red flag combinations: Word.exe or Excel.exe spawning cmd.exe or PowerShell.exe (macro-based initial access); browser processes spawning cmd.exe (browser exploit); svchost.exe spawning unexpected child processes (service exploitation); powershell.exe spawning rundll32.exe or mshta.exe (PowerShell-based payload loading). In Sysmon Event ID 1, the ParentCommandLine field shows the exact command that spawned the suspicious process. Cross-reference with network connections (Sysmon Event ID 3) to determine if the process made external connections after launch. Use Process Hacker or Process Monitor on a live system to view the current process tree.
What is LOLBins and why do attackers use them?
LOLBins (Living off the Land Binaries) are legitimate Windows executables that attackers abuse for malicious purposes because they are pre-installed on every Windows system, trusted by application allowlisting, and signed by Microsoft. Common LOLBins: certutil.exe (download files and decode base64), regsvr32.exe (execute arbitrary DLLs), mshta.exe (execute HTA scripts), rundll32.exe (load arbitrary DLLs), wscript.exe/cscript.exe (execute scripts). Attackers prefer LOLBins because they evade signature-based AV detection and blend into normal Windows activity. Detection strategy: alert on LOLBins making outbound network connections, spawning unexpected child processes, or accessing file paths outside their normal scope.
How do you preserve forensic evidence when investigating a suspicious Windows process?
Forensic preservation during a live Windows investigation requires capturing volatile data before it disappears. Collect in order of volatility: running processes and their memory (procdump -ma <PID> process.dmp for targeted capture, or winpmem for full memory acquisition), current network connections (Get-NetTCPConnection output saved to file, or netstat -b -n -o), open handles and loaded DLLs for the suspicious process (handle.exe -p <PID> and listdlls.exe -p <PID> from Sysinternals), and registry run keys and startup locations (Autoruns output saved as CSV). Capture system event logs before they rotate: wevtutil epl Security security.evtx and the Sysmon log. Hash every collected artifact with Get-FileHash using SHA-256 before and after any transfer to document integrity. Avoid rebooting the system until volatile data collection is complete, as memory contents, network connection state, and some process artifacts are lost on reboot. If the endpoint must be reimaged immediately, at minimum capture the process memory dump, event logs, and a full disk image.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
