You could also run strings on the address space of csrss.exe and grep for “cmd.exe”. Not as elegant, but it works.
@williballenthin
You could also run strings on the address space of csrss.exe and grep for “cmd.exe”. Not as elegant, but it works.