OS_AUTORUNS_REP
Response from an os_autoruns
request.
Platforms:
Sample Event:
{
"TIMESTAMP": 1456194620,
"AUTORUNS": [
{
"REGISTRY_KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware User Process",
"FILE_PATH": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
"HASH": "036608644e3c282efaac49792a2bb2534df95e859e2ddc727cd5d2e764133d14"
},
{
"REGISTRY_KEY": "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\RoccatTyonW",
"FILE_PATH": "\"C:\\Program Files (x86)\\ROCCAT\\Tyon Mouse\\TyonMonitorW.EXE\"",
"HASH": "7d601591625d41aecfb40b4fc770ff6d22094047216c4a3b22903405281e32e1"
},
{ "..." : "..." }
]
}
OS_DRIVERS_REP
Response from an os_drivers
request.
Platforms:
Sample Event:
{
"SVCS": [
{
"PROCESS_ID": 0,
"SVC_TYPE": 1,
"SVC_NAME": "1394ohci",
"SVC_STATE": 1,
"HASH": "9ecf6211ccd30273a23247e87c31b3a2acda623133cef6e9b3243463c0609c5f",
"SVC_DISPLAY_NAME": "1394 OHCI Compliant Host Controller",
"EXECUTABLE": "\\SystemRoot\\System32\\drivers\\1394ohci.sys"
},
{
"PROCESS_ID": 0,
"SVC_TYPE": 1,
"SVC_NAME": "3ware",
"SVC_STATE": 1,
"SVC_DISPLAY_NAME": "3ware",
"EXECUTABLE": "System32\\drivers\\3ware.sys"
},
{ "..." : "..." }
]
}
OS_KILL_PROCESS_REP
Response from an os_kill_process
request.
Platforms:
Sample Event:
{
"ERROR": 0,
"PROCESS_ID": 579
}
OS_PACKAGES_REP
List of packages installed on the system. This is currently Windows only, but will be expanded to macOS and Linux in the future. This event is the response generated by the os_packages
command.
Platforms:
Sample Event:
{
"PACKAGES": [
{
"PACKAGE_NAME": "Microsoft Windows Driver Development Kit Uninstall - 3790.1830"
},
{
"PACKAGE_VERSION": "1.1.40219",
"PACKAGE_NAME": "Microsoft Help Viewer 1.1"
},
{
"PACKAGE_VERSION": "10.0.40219",
"PACKAGE_NAME": "Microsoft Team Foundation Server 2010 Object Model - ENU"
},
{ "..." : "..." }
]
}
OS_PROCESSES_REP
Response from an os_process
request.
Platforms:
Sample Event:
{
"MODULES": 0,
"PROCESSES": [
{
"COMMAND_LINE": "/sbin/init",
"FILE_PATH": "/usr/lib/systemd/systemd",
"HASH": "477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd",
"MEMORY_USAGE": 13389824,
"PARENT_PROCESS_ID": 0,
"PROCESS_ID": 1,
"THREADS": 1,
"USER_ID": 0,
"USER_NAME": "root",
"this": "211e57d39796d0f0a3e46407659edfa2"
},
{
"FILE_PATH": "kthreadd",
"PARENT_PROCESS_ID": 0,
"PROCESS_ID": 2,
"THREADS": 1,
"USER_ID": 0,
"USER_NAME": "root",
"this": "d5c390887102d722103affc2659edfa2"
},
{
"FILE_PATH": "rcu_gp",
"PARENT_PROCESS_ID": 2,
"PROCESS_ID": 3,
"THREADS": 1,
"USER_ID": 0,
"USER_NAME": "root",
"this": "8d3273e9372fb4c521ecc95e659edfa2"
},
{
"FILE_PATH": "rcu_par_gp",
"PARENT_PROCESS_ID": 2,
"PROCESS_ID": 4,
"THREADS": 1,
"USER_ID": 0,
"USER_NAME": "root",
"this": "0612e8123f130c9fef3276c3659edfa2"
},
{ "..." : "..." }
]
}
OS_RESUME_REP
Response from an os_resume
request.
Platforms:
OS_SERVICES_REP
Response from an os_services
request.
Platforms:
Sample Event:
{
"SVCS": [
{
"PROCESS_ID": 0,
"SVC_TYPE": 32,
"DLL": "%SystemRoot%\\System32\\AJRouter.dll",
"SVC_NAME": "AJRouter",
"SVC_STATE": 1,
"HASH": "a09ae69c9de2f3765417f212453b6927c317a94801ae68fba6a8e8a7cb16ced7",
"SVC_DISPLAY_NAME": "AllJoyn Router Service",
"EXECUTABLE": "%SystemRoot%\\system32\\svchost.exe -k LocalService"
},
{
"PROCESS_ID": 0,
"SVC_TYPE": 16,
"SVC_NAME": "ALG",
"SVC_STATE": 1,
"HASH": "f61055d581745023939c741cab3370074d1416bb5a0be0bd47642d5a75669e12",
"SVC_DISPLAY_NAME": "Application Layer Gateway Service",
"EXECUTABLE": "%SystemRoot%\\System32\\alg.exe"
},
{ "..." : "..." }
]
}
OS_SUSPEND_REP
Response from an os_suspend
request.
Platforms:
OS_USERS_REP
Response from an os_users
request.
Platforms:
Sample Event:
{
"USERS": [
{
"ACCT_EXPIRES": 4294967295,
"CODE_PAGE": 0,
"COMMENT": "",
"COUNTRY_CODE": 0,
"FULL_NAME": "",
"HOME_DIR": "",
"LAST_LOGON": 1686711873,
"PASSWORD_AGE": 18225821,
"SCRIPT_PATH": "",
"SECURITY_ID": "S-1-5-21-910996669-4148394189-3692947099-500",
"USER_FLAGS": 4295033347,
"USER_NAME": "Administrator"
},
{
"ACCT_EXPIRES": 4294967295,
"CODE_PAGE": 0,
"COMMENT": "",
"COUNTRY_CODE": 0,
"FULL_NAME": "",
"HOME_DIR": "",
"LAST_LOGON": 0,
"PASSWORD_AGE": 0,
"SCRIPT_PATH": "",
"SECURITY_ID": "S-1-5-21-910996669-4148394189-3692947099-503",
"USER_FLAGS": 4295033379,
"USER_NAME": "DefaultAccount"
},
{
"ACCT_EXPIRES": 4294967295,
"CODE_PAGE": 0,
"COMMENT": "",
"COUNTRY_CODE": 0,
"FULL_NAME": "",
"HOME_DIR": "",
"LAST_LOGON": 0,
"PASSWORD_AGE": 0,
"SCRIPT_PATH": "",
"SECURITY_ID": "S-1-5-21-910996669-4148394189-3692947099-501",
"USER_FLAGS": 4295033443,
"USER_NAME": "Guest"
},
{ ... } , { ... }
]
}
OS_VERSION_REP
Response from an os_version request.
Platforms:
Sample Event:
{
"BUILD_NUMBER": 20348,
"FRIENDLY": {
"EDITION": "ServerDatacenter",
"PRODUCT": "Windows Server 2022 Datacenter",
"RELEASE": "2009"
},
"PRODUCT_TYPE": 3,
"SERVICE_PACK": {
"VERSION_MAJOR": 0,
"VERSION_MINOR": 0
},
"SUITE": 400,
"VERSION_MAJOR": 10,
"VERSION_MINOR": 0
}