WerFault.exe screenshot OCR of the images in https://twitter.com/0gtweet/status/1744399577791201382
Event Properties - Event 1, Sysmon
Process Create:
RuleName: -
UtcTime: 2024-01-08 16:28:07.892
ProcessGuid: {b566ceed-2297-659c-9f78-030000005700}
ProcessId: 42396
Image: C:\Windows\System32\WerFault.exe
FileVersion: 10.0.19041.3636 (WinBuild.160101.0800)
Description: Windows Problem Reporting
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: WerFault.exe
CommandLine: C:\Windows\system32\WerFault.exe -u -p 41292 -s 184
CurrentDirectory: C:\Windows\system32\
User: AzureAD\Grzegorz Tworek
LogonGuid: {b566ceed-e5e3-6578-21f4-230000000000}
LogonId: 0x23F421
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=CEAD0523EFB1D9C1474E0D3D507AE0FC
ParentProcessGuid: {b566ceed-2297-659c-9b78-030000005700}
ParentProcessId: 41292
ParentImage: C:\temp\wer1\Crash1.exe
ParentCommandLine: Crash1.exe
ParentUser: AzureAD\Grzegorz Tworek
Event Properties - Event 1, Kernel-Process
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Process" Guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" />
<EventID>1</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2024-01-08T16:28:07.8461869Z" />
<EventRecordID>18</EventRecordID>
<Correlation />
<Execution ProcessID="22812" ThreadID="42592" />
<Channel />
<Computer>NUC</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">29764</Data>
<Data Name="ProcessSequenceNumber">227485</Data>
<Data Name="CreateTime">2024-01-08T16:28:07.8461556Z</Data>
<Data Name="ParentProcessID">22812</Data>
<Data Name="ParentProcessSequenceNumber">227484</Data>
<Data Name="SessionID">0</Data>
<Data Name="Flags">0</Data>
<Data Name="ProcessTokenElevationType">1</Data>
<Data Name="ProcessTokenIsElevated">1</Data>
<Data Name="MandatoryLabel">S-1-16-16384</Data>
<Data Name="ImageChecksum">625976</Data>
<Data Name="ImageName">\Device\HarddiskVolume5\Windows\System32\WerFault.exe</Data>
<Data Name="TimeDateStamp">2514205344</Data>
<Data Name="PackageFullName" />
<Data Name="PackageRelativeAppId" />
</EventData>
</Event>
Event Properties - Event 1, Kernel-Process
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Process" Guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" />
<EventID>1</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2024-01-08T16:28:07.8139345Z" />
<EventRecordID>17</EventRecordID>
<Correlation />
<Execution ProcessID="1236" ThreadID="22836" />
<Channel />
<Computer>NUC</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">22812</Data>
<Data Name="ProcessSequenceNumber">227484</Data>
<Data Name="CreateTime">2024-01-08T16:28:07.8138709Z</Data>
<Data Name="ParentProcessID">1236</Data>
<Data Name="ParentProcessSequenceNumber">13</Data>
<Data Name="SessionID">0</Data>
<Data Name="Flags">0</Data>
<Data Name="ProcessTokenElevationType">1</Data>
<Data Name="ProcessTokenIsElevated">1</Data>
<Data Name="MandatoryLabel">S-1-16-16384</Data>
<Data Name="ImageChecksum">84133</Data>
<Data Name="ImageName">\Device\HarddiskVolume5\Windows\System32\svchost.exe</Data>
<Data Name="TimeDateStamp">304989603</Data>
<Data Name="PackageFullName" />
<Data Name="PackageRelativeAppId" />
</EventData>
</Event>
Event Properties - Event 1, Kernel-Process
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Process" Guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" />
<EventID>1</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2024-01-08T16:28:07.7773984Z" />
<EventRecordID>16</EventRecordID>
<Correlation />
<Execution ProcessID="23068" ThreadID="23612" />
<Channel />
<Computer>NUC</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">41292</Data>
<Data Name="ProcessSequenceNumber">227483</Data>
<Data Name="CreateTime">2024-01-08T16:28:07.7773578Z</Data>
<Data Name="ParentProcessID">23068</Data>
<Data Name="ParentProcessSequenceNumber">13907</Data>
<Data Name="SessionID">1</Data>
<Data Name="Flags">0</Data>
<Data Name="ProcessTokenElevationType">2</Data>
<Data Name="ProcessTokenIsElevated">1</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
<Data Name="ImageName">\Device\HarddiskVolume5\temp\wer1\Crash1.exe</Data>
<Data Name="ImageChecksum">0</Data>
<Data Name="TimeDateStamp">1704729487</Data>
<Data Name="PackageFullName" />
<Data Name="PackageRelativeAppId" />
</EventData>
</Event>
@jpluimers

From the Tweet

Images 1 to 4: [screenshots embedded in the comment; their OCR text is above]

Text:

Did you ever see a faulty process launching WerFault.exe as its child? Well... Windows is cheating! It's not the crashing process's job, and the parent PID spoofing happens here.
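As an added illustration of the discrepancy the tweet describes (example code, not part of the gist or of 0gtweet's material): a check that takes the parent a user-mode sensor reports for a process (here the Sysmon ParentProcessId 41292 from the first screenshot) and compares it with the process in whose context the kernel logged the start, the System/Execution ProcessID of the matching Microsoft-Windows-Kernel-Process Event 1. The events are rebuilt from the values on this page, trimmed to the fields the check needs; because the OCR shows different PIDs for WerFault.exe in the Sysmon (42396) and kernel (29764) records, the lookup is keyed on the kernel PID and assumes both records describe the same launch.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed from the three Kernel-Process events in this gist, keeping only the
# fields the check needs. The creator lives in System/Execution, not in EventData.
KERNEL_EVENT_TMPL = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Execution ProcessID="{creator}"/></System><EventData>'
    '<Data Name="ProcessID">{pid}</Data><Data Name="ParentProcessID">{parent}</Data>'
    '<Data Name="ImageName">{image}</Data></EventData></Event>'
)
KERNEL_EVENTS = [  # creator = System/Execution ProcessID, then EventData values
    KERNEL_EVENT_TMPL.format(creator=22812, pid=29764, parent=22812,
                             image=r"\Device\HarddiskVolume5\Windows\System32\WerFault.exe"),
    KERNEL_EVENT_TMPL.format(creator=1236, pid=22812, parent=1236,
                             image=r"\Device\HarddiskVolume5\Windows\System32\svchost.exe"),
    KERNEL_EVENT_TMPL.format(creator=23068, pid=41292, parent=23068,
                             image=r"\Device\HarddiskVolume5\temp\wer1\Crash1.exe"),
]
# Parent that Sysmon Event 1 reported for the WerFault.exe launch (from the gist).
SYSMON_REPORTED_PARENT = 41292


def parse_kernel_event(xml_text):
    """Extract pid, kernel-recorded parent, creator (emitting process) and image name."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    creator = root.find("e:System/e:Execution", NS).get("ProcessID")
    return {
        "pid": int(data["ProcessID"]),
        "parent_pid": int(data["ParentProcessID"]),
        "creator_pid": int(creator),
        "image": data["ImageName"].rsplit("\\", 1)[-1],
    }


def process_table(xml_events):
    return {ev["pid"]: ev for ev in map(parse_kernel_event, xml_events)}


def check_reported_parent(table, pid, reported_parent_pid):
    """Flag a launch whose user-mode-reported parent is not the process that created it."""
    ev = table[pid]
    name = lambda p: table[p]["image"] if p in table else f"pid {p}"  # unknown pids stay numeric
    return {
        "process": ev["image"],
        "reported_parent": name(reported_parent_pid),
        "kernel_parent": name(ev["parent_pid"]),
        "creator": name(ev["creator_pid"]),
        "spoofed": reported_parent_pid != ev["creator_pid"],
    }
```

For the WerFault.exe launch this returns reported_parent Crash1.exe, creator svchost.exe and spoofed True, which is the mismatch a detection rule would key on.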
