PipeViewer icon indicating copy to clipboard operation
PipeViewer copied to clipboard
verified publisher icon cyberark

Add pipe server process name

Open cookpoo78 opened this issue 1 year ago • 3 comments

Great project! thank you guys <3 I think that having the server process name will be super helpful!

cookpoo78 avatar Nov 12 '24 13:11 cookpoo78

Hi @cookpoo78 , thank you :)

Identifying the server process that created a named pipe can be tricky, as there isn't a straightforward place where this information is directly logged or stored.
We have the "Client PIDs" which shows who is using this pipe. This is not the best option, but it can give you a hint who created it.

I had an idea, maybe we can check that the timestamp of the handles and see when it was opened for the first time but from a quick check I saw that Windows doesn't natively track the creation timestamps of handles for named pipes.
I will check if there is other option that I am missing.

g3rzi avatar Nov 12 '24 14:11 g3rzi

There are two tools that can show you who created the named pipe but not the ones that are already created:

  • IONinja
  • NamePipeMaster - I didn't verify it, but based on its operation it seems that it should have this information.

g3rzi avatar Nov 12 '24 14:11 g3rzi

@g3rzi Thanks for the detailed response, appreciate it :)

cookpoo78 avatar Nov 13 '24 06:11 cookpoo78