A process is an instance of a program that has been executed in the system. Each process in memory has a private isolated memory space. A process contains the execution code and the data that is required to complete the execution of the code, such as files, DLLs, and user input. All this data and code are located in a memory space allocated for this process.

Many processes can be in the memory at the same time. All the processes are listed in one structure called _EPROCESS in the memory of the running Windows operating system.

Each entry of the _PROCESS structure holds one process with its metadata; the process name, its executable path, parent process, start time, and in some cases, the exit time. The metadata can be used as ...