Process

unknown

taskmgr.exe

taskmgr.exe is Windows Task Manager, the built-in tool for viewing and managing running processes, performance, services, and startup items. Users and administrators open it constantly. Its relevance to security is that it can create a full memory dump of a process, which makes it a quiet way to dump credentials out of lsass.exe.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

taskmgr.exe is the interactive process and performance monitor. It lists running processes and their resource use, can end or restart them, and shows services, startup programs, and logged-on users. It runs as the user who launched it, on demand, from C:\Windows\System32\Taskmgr.exe. It is normally started by the user through Ctrl+Shift+Esc or the taskbar.

Legitimately, taskmgr is opened interactively to check on the system, so an instance parented to explorer.exe and running as the logged-on user is exactly what is expected. How it was started, and what an account does with it, are what give an instance meaning.

Security notes

taskmgr.exe is a built-in way to dump process memory (T1003.001). An operator with administrative rights can right-click lsass.exe in Task Manager and choose "Create dump file," producing a full memory dump that is then parsed offline to extract credentials, no third-party tool required. An lsass-named dump appearing in a temp or profile directory, especially around an interactive taskmgr session, is the pattern to catch.

Otherwise taskmgr is mostly a baseline. Its trusted name makes it an occasional impersonation target (T1036.005), so a taskmgr.exe outside System32, running as SYSTEM with no user present, or launched by a script host rather than the shell, is the deviation worth examining.

Anomaly signals
  • Image path other than C:\Windows\System32\Taskmgr.exe (high)
  • Running as NT AUTHORITY\SYSTEM with no interactive user (high)
  • Launched by a script host or a service process rather than explorer.exe (high)
  • A process dump file (such as lsass.dmp) written around the time it runs (high)
  • Unsigned image or a signer other than Microsoft (high)
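As an added example that is not part of this page, the signals above as a small Python check over constructed process-creation and file-create records; the record field names, the ten-minute correlation window and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EXPECTED_IMAGE = r"C:\Windows\System32\Taskmgr.exe"


@dataclass
class ProcEvent:           # assumed shape, loosely modelled on a process-creation event
    time: datetime
    image: str
    parent_image: str
    user: str
    session_id: int
    signer: str            # "" when the image is unsigned


@dataclass
class FileEvent:           # assumed shape, loosely modelled on a file-create event
    time: datetime
    target: str
    creator_image: str


def anomaly_signals(proc, file_events, window=timedelta(minutes=10)):
    """Return the anomaly signals (from the list above) that this taskmgr instance trips."""
    hits = []
    if proc.image.lower() != EXPECTED_IMAGE.lower():
        hits.append("image_path")
    if proc.user.upper() == "NT AUTHORITY\\SYSTEM" and proc.session_id == 0:
        hits.append("system_no_user")            # SYSTEM in session 0: no interactive user
    if PureWindowsPath(proc.parent_image).name.lower() != "explorer.exe":
        hits.append("unexpected_parent")         # script host, service or anything but the shell
    for f in file_events:
        name = PureWindowsPath(f.target).name.lower()
        if "lsass" in name and name.endswith(".dmp") and abs(f.time - proc.time) <= window:
            hits.append("lsass_dump_written")    # dump file landed near the process start
            break
    if "microsoft" not in proc.signer.lower():
        hits.append("signer")                    # unsigned, or signed by someone other than Microsoft
    return hits


# Constructed sample records (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0, 0)
BENIGN = ProcEvent(T0, EXPECTED_IMAGE, r"C:\Windows\explorer.exe", "CORP\\alice", 1, "Microsoft Windows")
SUSPECT = ProcEvent(T0, EXPECTED_IMAGE, r"C:\Windows\System32\wscript.exe", "CORP\\alice", 1, "Microsoft Windows")
FILES = [FileEvent(T0 + timedelta(minutes=3), r"C:\Users\alice\AppData\Local\Temp\lsass.DMP", EXPECTED_IMAGE)]

if __name__ == "__main__":
    print("benign:", anomaly_signals(BENIGN, []))
    print("suspect:", anomaly_signals(SUSPECT, FILES))
```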

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
