View Processes Currently Protected by Traps Using Cytool

To view processes that Traps is currently injected into, run the enum command using Cytool or view the Protection tab on the Traps Console (see View Processes Currently Protected by Traps). On Windows endpoints, the Traps Console and Cytool display only the processes run by the current user. To view processes run by all users and processes initiated by the operating system, specify the /a option. This option is not required on Mac endpoints.
Viewing protected processes run by all users requires you to enter the supervisor (uninstall) password.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. View processes initiated by the current user by entering the cytool enum command. To view processes for all users including those initiated by the operating system, specify the /a option, and enter the supervisor password when prompted.
    Windows:
    c:\Program Files\Palo Alto Networks\Traps>cytool /a enum
    Enter supervisor password:
    Process ID Agent Version
    1000 3.1.1546
    1468 3.1.1546
    452 3.1.1546
    [...]
    Mac:
    You must enable remote process calls (RPCs) before you can run this command. See Enable or Disable RPC Services.
    PANM2637HQ:bin jdoe$ sudo ./cytool enum
    List of protected processes:
                      Process name                    Process ID                          User
              Google Chrome Helper                          5469                          jdoe
              Google Chrome Helper                          5473                          jdoe
              Google Chrome Helper                          5491                          jdoe
                            Photos                          5599                          jdoe
          com.apple.SafariServices                          5763                          jdoe
       com.apple.WebKit.WebContent                          5783                          jdoe
    

Related Documentation