Process Module command reference
The process module exposes utilities for inspecting, launching, and controlling processes directly from the mimikatz console. Each verb is invoked as process::<command> and may accept additional flags that tailor the action to a specific process or adjust the amount of detail that is returned. This guide documents every available command and explains why you would choose to supply each flag.
| Command | Purpose |
|---|---|
| process::list | Enumerate running processes, optionally including thread identifiers. |
| process::exports | List the exports of modules loaded in a target process. |
| process::imports | List the imports of modules loaded in a target process. |
| process::start | Launch a new process with a command line. |
| process::stop | Terminate a running process by PID. |
| process::suspend | Suspend a running process by PID. |
| process::resume | Resume a previously suspended process by PID. |
| process::run | Run a command line and capture its output. |
| process::runp | Start a process under a spoofed parent process. |
process::list
Usage: process::list [/threads]
Enumerates every process returned by NtQuerySystemInformation, printing the PID and executable image name. If you supply any extra argument (for example /threads), the callback treats it as a boolean TRUE and prints the thread IDs for each process as well.【F:mimikatz/modules/kuhl_m_process.c†L25-L128】 Passing a flag is useful when you are investigating thread-level activity (e.g., to spot injected or suspicious threads) and need the thread identifiers without switching to another tool.
The name of the extra argument is not parsed—the presence of any additional flag toggles thread enumeration. /threads is suggested purely for readability.
process::exports
Usage: process::exports [/pid:<pid>]
Lists every module loaded in the current process by default, then enumerates and prints each exported entry (address, ordinal, hint, name, and redirection target).【F:mimikatz/modules/kuhl_m_process.c†L131-L200】 Use /pid:<pid> to inspect another process; the command opens the target with GENERIC_READ and walks its module list.【F:mimikatz/modules/kuhl_m_process.c†L141-L168】 You should provide /pid whenever you need to audit or reverse-engineer the exports of a different process—for example, to confirm that a DLL injects expected functions or to search for exported entry points in LSASS.
process::imports
Usage: process::imports [/pid:<pid>]
Mirrors process::exports, but emits each imported function: the thunk address, resolved address, library, and either the function name or ordinal.【F:mimikatz/modules/kuhl_m_process.c†L202-L217】 Like exports, it defaults to the current process unless /pid:<pid> is provided, in which case it opens the remote process and inspects its PEB loader data.【F:mimikatz/modules/kuhl_m_process.c†L141-L168】 The /pid flag is essential when you need to understand which external APIs a target process depends on—information that can reveal injected modules, unusual import tables, or hooks.
process::start
Usage: process::start <command line>
Starts a new process using the supplied command line and reports the new PID.【F:mimikatz/modules/kuhl_m_process.c†L30-L43】 No additional flags are parsed; simply pass the executable path (and optional arguments) as the final parameter. Use this command when you want to spawn a tool from within mimikatz without leaving the console—for example, launching cmd.exe or a diagnostic utility.
process::stop
Usage: process::stop /pid:<pid>
Terminates the specified process by opening it with PROCESS_TERMINATE and calling NtTerminateProcess.【F:mimikatz/modules/kuhl_m_process.c†L60-L113】 The /pid flag is mandatory because the operation must target a specific process identifier; without it the command prints an error. Use this flag when you want to halt a malicious or orphaned process after identifying it by PID.
process::suspend
Usage: process::suspend /pid:<pid>
Suspends the target process by PID using NtSuspendProcess.【F:mimikatz/modules/kuhl_m_process.c†L60-L113】 The /pid flag is required so that mimikatz can open the correct process with PROCESS_SUSPEND_RESUME rights. This flag is appropriate when you need to pause execution temporarily—for example, before dumping memory or while investigating suspicious behavior.
process::resume
Usage: process::resume /pid:<pid>
Resumes a previously suspended process by PID via NtResumeProcess.【F:mimikatz/modules/kuhl_m_process.c†L60-L113】 Supplying /pid is necessary to reference the suspended process handle. Use this flag to restore a process after inspection or to undo an accidental suspension.
process::run
Usage: process::run <command line>
Runs the specified command line via CreateProcessAsUser, capturing stdout/stderr through an anonymous pipe and relaying the output back to the console.【F:mimikatz/modules/kuhl_m_process.c†L219-L275】 No flags are parsed; provide the command (with arguments) as the final parameter. This command is helpful when you want to execute another tool and immediately view its output inside mimikatz without opening a new console window.
process::runp
Usage: process::runp [/run:<command line>] [/ppid:<pid> | /pid:<pid>] [/token]
Starts a new process while spoofing its parent process using extended startup information.【F:mimikatz/modules/kuhl_m_process.c†L278-L356】 Key flags:
- /run:<command line> – Specifies the command line to launch. If omitted, the current mimikatz executable (_wpgmptr) is used by default.【F:mimikatz/modules/kuhl_m_process.c†L296-L307】 Provide this flag whenever you need to start a different executable than mimikatz itself.
- /ppid:<pid> or /pid:<pid> – Sets the parent process to spoof. Without this flag, mimikatz automatically looks up lsass.exe and uses it as the parent, which is useful for many tradecraft scenarios but may require administrative rights.【F:mimikatz/modules/kuhl_m_process.c†L298-L305】 Supply /ppid (or /pid) to impersonate another parent, such as explorer.exe, when you want the new process to blend into a different process tree.
- /token – Requests token details for the spawned process by toggling the full parameter of kuhl_m_token_displayAccount.【F:mimikatz/modules/kuhl_m_process.c†L329-L333】 Use this flag to verify the security context of the new process—particularly when checking that parent spoofing preserved (or changed) the token as expected.
The command allocates an attribute list, attaches the selected parent process handle, and then creates the child process. If process creation succeeds, mimikatz prints the PID/TID and, optionally, the token information.【F:mimikatz/modules/kuhl_m_process.c†L317-L337】 These flags allow you to tailor the technique for different evasion or diagnostics scenarios.
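Because process::runp defaults to lsass.exe as the spoofed parent, the resulting process tree is itself a detection signal: lsass.exe does not normally create child processes. The following is an added detection example (not mimikatz code) that scans constructed Sysmon-style ProcessCreate records and flags any child whose recorded parent is on a never-spawns list; the event lines, PIDs and the NEVER_SPAWN heuristic are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed Sysmon-style ProcessCreate (Event ID 1) records; field names
# follow Sysmon's event schema, the values are invented for this example.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\cmd.exe | ProcessId: 4120 | ParentImage: C:\\Windows\\explorer.exe | ParentProcessId: 2288",
    "Image: C:\\Windows\\System32\\notepad.exe | ProcessId: 4210 | ParentImage: C:\\Windows\\System32\\lsass.exe | ParentProcessId: 688",
    "Image: C:\\Windows\\System32\\svchost.exe | ProcessId: 1010 | ParentImage: C:\\Windows\\System32\\services.exe | ParentProcessId: 640",
    "Image: C:\\Windows\\System32\\cmd.exe | ProcessId: 4330 | ParentImage: C:\\Windows\\System32\\lsass.exe | ParentProcessId: 688",
]

# Processes that should never appear as a parent on a healthy host. lsass.exe is
# the parent process::runp picks when no /ppid is given, so any child of it is
# worth an alert. Heuristic chosen for this example, extend it per environment.
NEVER_SPAWN = {"lsass.exe"}


@dataclass(frozen=True)
class ProcEvent:
    image: str
    pid: int
    parent_image: str
    ppid: int


def parse_event(line: str) -> ProcEvent:
    """Split a 'Key: value | Key: value' record into a ProcEvent."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")  # paths contain ':' but never ': '
        fields[key] = value.strip()
    return ProcEvent(
        image=fields["Image"],
        pid=int(fields["ProcessId"]),
        parent_image=fields["ParentImage"],
        ppid=int(fields["ParentProcessId"]),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_parents(lines):
    """Return (child pid, parent name, child name) for each event whose parent is in NEVER_SPAWN."""
    findings = []
    for ev in map(parse_event, lines):
        parent = basename(ev.parent_image)
        if parent in NEVER_SPAWN:
            findings.append((ev.pid, parent, basename(ev.image)))
    return findings


if __name__ == "__main__":
    for pid, parent, child in find_suspicious_parents(SAMPLE_EVENTS):
        print(f"ALERT: {parent} spawned {child} (pid {pid}); possible parent spoofing")
```

Note that the recorded ParentProcessId is the spoofed one, so this rule catches the default lsass.exe parent but not a spoof onto a parent that commonly has children, such as explorer.exe.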