Which of the following queries will return the parent processes responsible for launching badprogram.exe?
To find the parent processes responsible for launching badprogram.exe, you first need to identify instances of badprogram.exe and then trace back to their parent processes. The query in option B performs this by using a subsearch to find processrollup2 events where FileName is badprogram.exe. It then renames ParentProcessId_decimal to TargetProcessId_decimal and uses it as a filter for the main search, ultimately counting occurrences by _time. This effectively traces back from badprogram.exe to its parent processes, making option B the most suitable.
Sorry, correct answer is B
It is letter B. The parent process is found when you rename ParentProcessId_decimal as TargetProcessId_decimal.
This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time.
By renaming the TargetProcessId_decimal field to ParentProcessId_decimal, you pivot the target process of badprogram.exe as the child and search for all child processes launched by badprogram.exe instead, not the process that spawned badprogram.exe.
Selected Answer: B
You need to combine the fields, and the only way we can do that is with a subsearch.
B. To find the "parent" you rename ParentProcessId_decimal to TargetProcessId_decimal.
B is correct.
The query filters for "badprogram.exe" and renames ParentProcessId_decimal to TargetProcessId_decimal to find the parent processes associated with it. The "stats count by FileName _time" part of the query helps present the results effectively.
For me, correct answer is D
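As an added illustration (not part of the question or any comment above), the pivot the comments describe, modelled in Python over constructed ProcessRollup2-style records: renaming ParentProcessId_decimal onto TargetProcessId_decimal returns the parents of badprogram.exe, the reverse rename returns its children, and scoping the join by the sensor id (aid) keeps a reused PID on another host from matching. The aid field and the per-host scoping are my assumptions; the question itself only names the two process id fields.

```python
from collections import Counter

# Constructed ProcessRollup2-style records (not real telemetry). TargetProcessId_decimal
# identifies the process the event describes, ParentProcessId_decimal the process that
# launched it. Note that PID 10 is an unrelated process on host-b (PIDs repeat across hosts).
EVENTS = [
    {"aid": "host-a", "_time": 100, "FileName": "explorer.exe",   "TargetProcessId_decimal": 10, "ParentProcessId_decimal": 1},
    {"aid": "host-a", "_time": 110, "FileName": "badprogram.exe", "TargetProcessId_decimal": 20, "ParentProcessId_decimal": 10},
    {"aid": "host-a", "_time": 120, "FileName": "cmd.exe",        "TargetProcessId_decimal": 30, "ParentProcessId_decimal": 20},
    {"aid": "host-b", "_time": 200, "FileName": "outlook.exe",    "TargetProcessId_decimal": 7,  "ParentProcessId_decimal": 1},
    {"aid": "host-b", "_time": 205, "FileName": "winword.exe",    "TargetProcessId_decimal": 10, "ParentProcessId_decimal": 7},
    {"aid": "host-b", "_time": 210, "FileName": "badprogram.exe", "TargetProcessId_decimal": 40, "ParentProcessId_decimal": 7},
]


def pivot(events, filename, subsearch_field, outer_field, scope_by_aid=True):
    """Model of: outer search [subsearch FileName=filename | rename subsearch_field AS outer_field]
    | stats count by FileName _time.

    The subsearch collects the id values of the matching events under the renamed field;
    the outer search keeps only events whose outer_field (and, when scope_by_aid is set,
    aid) appears in that set. Returns the stats result as a Counter keyed by (FileName, _time)."""
    def key(e, field):
        return (e["aid"] if scope_by_aid else None, e[field])

    wanted = {key(e, subsearch_field) for e in events if e["FileName"] == filename}
    matched = [e for e in events if key(e, outer_field) in wanted]
    return Counter((e["FileName"], e["_time"]) for e in matched)


def parents_of(events, filename, scope_by_aid=True):
    """Option B's direction: rename ParentProcessId_decimal AS TargetProcessId_decimal,
    so the outer search returns the events that describe the launching processes."""
    return pivot(events, filename, "ParentProcessId_decimal", "TargetProcessId_decimal", scope_by_aid)


def children_of(events, filename, scope_by_aid=True):
    """The reversed rename (TargetProcessId_decimal AS ParentProcessId_decimal) pivots the
    other way and returns the processes that filename itself launched."""
    return pivot(events, filename, "TargetProcessId_decimal", "ParentProcessId_decimal", scope_by_aid)


if __name__ == "__main__":
    print("parents :", dict(parents_of(EVENTS, "badprogram.exe")))
    print("children:", dict(children_of(EVENTS, "badprogram.exe")))
    print("unscoped:", dict(parents_of(EVENTS, "badprogram.exe", scope_by_aid=False)))
```

Dropping the aid from the join pulls in winword.exe on host-b, whose PID happens to equal the parent PID seen on host-a, which is why a subsearch of this kind should carry the host identifier alongside the process id.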