{
	"id": "71cc460c-a46e-405d-8ae0-d95e6a7ae9f1",
	"created_at": "2026-04-06T00:13:03.713631Z",
	"updated_at": "2026-04-10T13:13:05.295309Z",
	"deleted_at": null,
	"sha1_hash": "ebc2bd2f311bc57614cea7bbe63287ae86e1923b",
	"title": "Quickpost: SelectMyParent or Playing With the Windows Process Tree",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49443,
	"plain_text": "Quickpost: SelectMyParent or Playing With the Windows Process\r\nTree\r\nPublished: 2009-11-22 · Archived: 2026-04-05 15:25:18 UTC\r\nI read something very interesting in “Windows via C/C++” today: starting with Windows Vista, CreateProcess can\r\nstart a program where you specify the parent process! This is something forensic investigators must be aware of\r\nwhen they analyse processes running on a Windows machine.\r\nNormally the parent process of a new process is the process that created the new process (via CreateProcess). But\r\nwhen using STARTUPINFOEX with the right LPPROC_THREAD_ATTRIBUTE_LIST to create a process, you\r\ncan arbitrarily specify the parent process, provided you have the rights (i.e. it’s your process or you have debug\r\nrights).\r\nI developed a small tool to start a program while specifying its parent process: SelectMyParent. Here I use it to\r\nstart notepad as a child of lsass.exe:\r\n2 remarks about this example:\r\n1. to make lsass.exe a parent process, you need to use SelectMyParent with admin rights and elevate its rights\r\n(Run as administrator)\r\n2. the notepad process takes over the parent process’ account: NT AUTHORITY\\SYSTEM\r\nI don’t know how one can detect that a process’ parent is not the process that created it, because a process has no\r\naccess to its extended startup info (only to its startup info). 
And it is the extended startup info that contains the\r\nattribute list with the handle to the parent process.\r\nSelectMyParent version 0.0.0.1 is available here.\r\nSource: https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/"
	],
	"report_names": [
		"quickpost-selectmyparent-or-playing-with-the-windows-process-tree"
	],
	"threat_actors": [],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebc2bd2f311bc57614cea7bbe63287ae86e1923b.pdf",
		"text": "https://archive.orkl.eu/ebc2bd2f311bc57614cea7bbe63287ae86e1923b.txt",
		"img": "https://archive.orkl.eu/ebc2bd2f311bc57614cea7bbe63287ae86e1923b.jpg"
	}
}