# More SysmonMaps and ProcessMapper!

Here is a sample of the processes running on my Windows 8 machine for the past 2 hours:

(image: Sysmonmap of Time Period)

This shows tons of interesting information about the boot process. One thing I have noticed is that Google Chrome is noisy.

Also just for kicks I coded an example of the same thing using the native Security log:

To use this make sure Process Creation auditing is enabled. This has been turned on in every environment I have ever worked in but if you are following along at home, here are some fun articles to consider:
http://technet.microsoft.com/en-us/library/dd941613(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dn535776.aspx

Or go here and turn it on:

Then you can see logs like this:

**Update:** the code can be found on GitHub.

Then use some PowerShell to whip up the same Google Org chart from the last post.

Then you can look at things like this:

(image: processmap)

Not as sexy as Sysmon, but this script can be used in most environments without the need to install anything.
This PowerShell script can also be pointed at a recovered Security log, perhaps pulled from a disk image, instead of a live system:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c8330f58-f2e5-4681-beb2-b2b6a185f818/how-to-geteventlog-for-offline-evtx-files?forum=winserverpowershell

Change this:

```powershell
$events = Get-WinEvent -FilterHashtable @{Logname='Security'; Id=4688} |
    Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -le $StopDate } |
    Sort-Object TimeCreated
```

To this (the saved .evtx goes in as the hashtable's `Path` key; `-Path` and `-FilterHashtable` sit in different parameter sets, so Get-WinEvent refuses them together):

```powershell
$events = Get-WinEvent -FilterHashtable @{Path='c:\pathtosecurity.evtx'; Id=4688} |
    Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -le $StopDate } |
    Sort-Object TimeCreated
```
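As an added example that is not the post's own ProcessMapper script, here is how the parent/child pairs behind that org chart can be built from 4688 events, whether they come from the live log or from a saved .evtx as above. It assumes the Windows 8 / 2012 layout of the 4688 properties (indexes 4, 5 and 7 for New Process ID, New Process Name and Creator Process ID) and uses constructed sample events in place of Get-WinEvent output so it runs offline.

```powershell
# Added example (not the post's ProcessMapper script): turn 4688 events into Google Org Chart rows.
# Assumption: 4688 Properties indexes 4, 5 and 7 are New Process ID, New Process Name and
# Creator Process ID (Windows 8 / 2012 layout; newer builds append fields). Check the Message first.
function ConvertFrom-Event4688 {
    param([Parameter(Mandatory)]$Event)
    [pscustomobject]@{
        TimeCreated      = $Event.TimeCreated
        NewProcessId     = [int]$Event.Properties[4].Value
        NewProcessName   = [string]$Event.Properties[5].Value
        CreatorProcessId = [int]$Event.Properties[7].Value
    }
}

function Get-ProcessMapRows {
    param([Parameter(Mandatory)][object[]]$Events)
    # PIDs are reused, so a child's parent is the most recent 4688 whose New Process ID equals the
    # child's Creator Process ID before the child started. Without 4689 (exit) events a stale
    # entry can still win, so each label carries the start time for a human to sanity-check.
    $lastSeen = @{}
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $parent = $lastSeen[$e.CreatorProcessId]
        $child  = '{0} ({1} @ {2:HH:mm:ss})' -f $e.NewProcessName, $e.NewProcessId, $e.TimeCreated
        $up     = if ($parent) { '{0} ({1} @ {2:HH:mm:ss})' -f $parent.NewProcessName, $parent.NewProcessId, $parent.TimeCreated } else { '' }
        ,@($child, $up, "Creator PID $($e.CreatorProcessId)")   # '' parent = root of the chart
        $lastSeen[$e.NewProcessId] = $e
    }
}

# Constructed sample standing in for Get-WinEvent output; PID 1300 is reused by notepad.exe.
function New-Sample($t, $newPid, $creatorPid, $name) { [pscustomobject]@{ TimeCreated = Get-Date $t; NewProcessId = $newPid; CreatorProcessId = $creatorPid; NewProcessName = $name } }
$sample = @(
    (New-Sample '2014-03-01 09:00:00' 1200 800  'C:\Windows\explorer.exe'),
    (New-Sample '2014-03-01 09:00:05' 1300 1200 'C:\Program Files\Google\Chrome\Application\chrome.exe'),
    (New-Sample '2014-03-01 09:00:06' 1310 1300 'C:\Program Files\Google\Chrome\Application\chrome.exe'),
    (New-Sample '2014-03-01 09:10:00' 1300 1200 'C:\Windows\System32\notepad.exe'),
    (New-Sample '2014-03-01 09:10:02' 1400 1300 'C:\Windows\System32\cmd.exe')
)
$rows = @(,@('Process', 'Parent', 'Tooltip')) + (Get-ProcessMapRows -Events $sample)
# Paste the JSON straight into google.visualization.arrayToDataTable([...]) for the org chart.
ConvertTo-Json -Compress -InputObject $rows
```

On a real box, feed `Get-WinEvent -FilterHashtable @{Logname='Security'; Id=4688} | ForEach-Object { ConvertFrom-Event4688 $_ }` into `Get-ProcessMapRows` instead of `$sample`; cmd.exe in the sample resolves to notepad.exe rather than chrome.exe because the reused PID is matched by time.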