GCIH · Question #664
Which volatility plugin shows the command line path for a recently launched application?
The correct answer is C. pslist. The pslist Volatility plugin enumerates running processes from the EPROCESS linked list, displaying image paths and command-line arguments used to launch each application.
Question
Which volatility plugin shows the command line path for a recently launched application?
Options
- Ahivelist
- Bdlllist
- Cpslist
- Dnetscan
How the community answered
(30 responses)- A3% (1)
- C90% (27)
- D7% (2)
Why each option
The pslist Volatility plugin enumerates running processes from the EPROCESS linked list, displaying image paths and command-line arguments used to launch each application.
The hivelist plugin locates and displays registry hive structures loaded in memory and provides no information about process command-line paths.
The dlllist plugin enumerates dynamic-link libraries loaded into each process's address space and is not the primary tool for viewing a process launch path.
The pslist plugin walks the doubly-linked EPROCESS list in Windows kernel memory and outputs each process name, PID, PPID, start time, and the full executable path used at launch. This makes it the primary plugin for identifying recently launched applications and their invocation paths during memory forensic analysis. Analysts use start time timestamps within pslist output to focus on processes launched around the time of a suspected incident.
The netscan plugin scans memory pools for active and recently terminated network connection structures and is unrelated to process launch paths.
Concept tested: Volatility pslist plugin for process path analysis
Source: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pslist
Topics
Community Discussion
No community discussion yet for this question.