Sysinternals Forum > Windows Discussions > Development

Listing Processes and finding executable

eth8505 (Newbie, joined 26 June 2006), posted 26 June 2006 at 10:17am
Hi everybody,

I am in a bit of trouble at the moment. I am trying to find the executable filename of a process. So far I have 2 implementations of it, one using PSLIB, the other using the PROCESSENTRY32 struct. Both of these don't seem to give me the actual filename of the process when run without admin rights. I don't need the complete path, just the filename (like services.exe).

I noticed Process Explorer shows the filename in normal user mode; maybe you can tell me your little secret before I freak? ;)

thanks
Jan
MP_ART (Senior Member, Russian Federation, joined 08 March 2006), posted 26 June 2006 at 10:29am
Hi!

Process Explorer uses the ZwQuerySystemInformation function.
All other user-mode functions, like Process32First/Process32Next, refer to it.
eth8505 (Newbie), posted 26 June 2006 at 10:35am
Is there maybe some kind of nice example of how to use that properly? I am not _that_ versed in C/C++ or most of the Win32 API, as I mainly program Java. I have to write an interface for process monitoring now, though.
MP_ART (Senior Member, Russian Federation), posted 26 June 2006 at 10:44am
You can simply google it; you'll find TONS of info, but it is generally for C++/Delphi. And you MUST use Win32 or NT native function calls to get process information, to avoid stupid bugs.

Edited by MP_ART - 26 June 2006 at 10:44am
EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006), posted 26 June 2006 at 11:07am
@eth8505: Use PSAPI. Go to http://www.msdn.com, MS has examples for this.

Like this:

Task Manager is an example of a program that enumerates all running processes. It is implemented using data from the performance registry. The following sample code uses the EnumProcesses function to enumerate the current processes in the system. This method is easier than using the performance registry.



#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")   /* link against PSAPI when building with MSVC */

void PrintProcessNameAndID( DWORD processID )
{
    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");

    // Get a handle to the process. This is the step that needs rights: the
    // target's DACL must grant these access bits to the caller's token, so
    // processes of other users (services, System) fail here and keep the
    // "<unknown>" name unless SeDebugPrivilege is enabled in the token.

    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
                                   PROCESS_VM_READ,
                                   FALSE, processID );

    // Get the process name: the first module of a process is its main image.

    if (NULL != hProcess )
    {
        HMODULE hMod;
        DWORD cbNeeded;

        if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod),
              &cbNeeded) )
        {
             GetModuleBaseName( hProcess, hMod, szProcessName,
                                sizeof(szProcessName)/sizeof(TCHAR) );
        }
        CloseHandle( hProcess );
    }

    // Print the process name and identifier.

    _tprintf( TEXT("%s (PID: %u)\n"), szProcessName, processID );
}

int main( void )
{
    // Get the list of process identifiers.

    DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;

    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
        return 1;

    // Calculate how many process identifiers were returned.
    // (If cbNeeded == sizeof(aProcesses) the array may be too small; a real
    // program would enlarge it and call EnumProcesses again.)

    cProcesses = cbNeeded / sizeof(DWORD);

    // Print the name and process identifier for each process.

    for ( i = 0; i < cProcesses; i++ )
        PrintProcessNameAndID( aProcesses[i] );

    return 0;
}



HTH
EP_X0FF (Senior Member, Russian Federation), posted 26 June 2006 at 11:15am
One more: the most comprehensive method -> use a driver and the EPROCESS list and so on... but AIG this is not for eth8505, who needs a simple solution.

p.s. Don't forget to adjust SeDebugPrivilege for opening system processes.

p.p.s. WMI solutions also exist.

Edited by EP_X0FF - 26 June 2006 at 11:16am
eth8505 (Newbie), posted 27 June 2006 at 2:08am
My problem is that the process enumeration must work with very very little privileges. I cannot force our software users to set SeDebugPrivilege for the sys processes. 
MP_ART (Senior Member, Russian Federation), posted 27 June 2006 at 2:24am
Originally posted by eth8505:

My problem is that the process enumeration must work with very very little privileges. I cannot force our software users to set SeDebugPrivilege for the sys processes. 

EP_X0FF's PSAPI example works even at Guest privilege level.
EP_X0FF (Senior Member, Russian Federation), posted 27 June 2006 at 2:34am
Originally posted by eth8505:

My problem is that the process enumeration must work with very very little privileges. I cannot force our software users to set SeDebugPrivilege for the sys processes. 

It is you who must set this privilege, in code, not the users!
EP_X0FF (Senior Member, Russian Federation), posted 27 June 2006 at 3:32am
If you don't know how to do this, here is Napalm's code:

#include <windows.h>

// Enables SeDebugPrivilege in the current process token. Returns TRUE only if
// the privilege was really enabled: AdjustTokenPrivileges succeeds but sets
// ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege at all
// (a non-administrator token never does), so its return value alone is not enough.
BOOL EnableDebugPrivilege(void)
{
     HANDLE hToken;
     TOKEN_PRIVILEGES tokenPriv;
     LUID luidDebug;
     BOOL ok = FALSE;

     if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
          if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
          {
               tokenPriv.PrivilegeCount = 1;
               tokenPriv.Privileges[0].Luid = luidDebug;
               tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
               if(AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL))
                    ok = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
          }
          CloseHandle(hToken);
     }
     return ok;
}
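Worked example, added here and not part of the thread or of any poster's code: the two points of this discussion in PowerShell, which is where most people would check them today. Get-ProcessImageAccess shows what MP_ART and EP_X0FF are getting at: the process name needs no handle, because Get-Process, like Toolhelp's szExeFile, takes it from the system-wide process list that NtQuerySystemInformation returns (EnumProcesses returns only PIDs, which is why the PSAPI sample prints "<unknown>" for processes it cannot open), while the full image path needs a handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which other users' processes refuse. Enable-TokenPrivilege is the Napalm snippet done through P/Invoke, with the check it leaves out: AdjustTokenPrivileges can only enable a privilege the token already holds, and otherwise returns TRUE with ERROR_NOT_ALL_ASSIGNED, so a standard user's process cannot give itself SeDebugPrivilege this way. The type and function names (TokenNative, Get-ProcessImageAccess, Enable-TokenPrivilege) are mine; it assumes Windows PowerShell 5.1 or later running on Windows.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1+ on Windows.
# Type and function names (TokenNative, Get-ProcessImageAccess, Enable-TokenPrivilege) are mine.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, as in the C snippet.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
}
"@

function Get-ProcessImageAccess {
    # ProcessName needs no handle: like Toolhelp's szExeFile it comes from the system-wide
    # process list (NtQuerySystemInformation underneath), so even a Guest sees it for every PID.
    # MainModule.FileName does need a handle opened with PROCESS_QUERY_INFORMATION |
    # PROCESS_VM_READ, which the DACL of another user's process (services, System) refuses
    # unless SeDebugPrivilege is enabled in our token. (A 32-bit host also cannot read the
    # modules of a 64-bit process; that error is unrelated to privilege.)
    foreach ($p in Get-Process) {
        $path = $null; $why = $null
        try   { $path = $p.MainModule.FileName }
        catch { $why = $_.Exception.Message }        # typically "Access is denied"
        [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $path; Error = $why }
    }
}

function Enable-TokenPrivilege {
    param([string]$Name = 'SeDebugPrivilege')
    $TOKEN_ADJUST_PRIVILEGES = 0x0020
    $SE_PRIVILEGE_ENABLED    = 0x0002
    $ERROR_NOT_ALL_ASSIGNED  = 1300
    $token = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(),
                                             $TOKEN_ADJUST_PRIVILEGES, [ref]$token)) {
        throw "OpenProcessToken failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object 'TokenNative+LUID'
        if (-not [TokenNative]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
            throw "LookupPrivilegeValue failed for $Name"
        }
        $tp = New-Object 'TokenNative+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1
        $tp.Luid           = $luid
        $tp.Attributes     = $SE_PRIVILEGE_ENABLED
        $ok = [TokenNative]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0,
                                                   [IntPtr]::Zero, [IntPtr]::Zero)
        $lastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # The check the C snippet omits: AdjustTokenPrivileges returns TRUE even when the
        # token does not hold the privilege at all, and signals that with
        # ERROR_NOT_ALL_ASSIGNED. Enabling only works on a token that already has it
        # (an administrator's elevated token); a standard user's token never does.
        return ($ok -and $lastError -ne $ERROR_NOT_ALL_ASSIGNED)
    }
    finally { [void][TokenNative]::CloseHandle($token) }
}

# Before/after: how many image paths are readable without and with the privilege.
$before  = @(Get-ProcessImageAccess | Where-Object { $_.Path })
$enabled = Enable-TokenPrivilege -Name SeDebugPrivilege
$after   = @(Get-ProcessImageAccess | Where-Object { $_.Path })
'Processes: {0}; paths readable before: {1}; SeDebugPrivilege enabled: {2}; after: {3}' -f `
    @(Get-Process).Count, $before.Count, $enabled, $after.Count
Get-ProcessImageAccess | Where-Object { -not $_.Path } |
    Select-Object Id, Name, Error | Format-Table -AutoSize
```

Run it twice, once from a normal prompt and once from an elevated one: in the first run Enable-TokenPrivilege returns False and the before/after counts are equal, because the privilege is simply not in the token; in the elevated run it returns True and the "after" count grows. In both runs every process still has a Name, which is the answer to the original question: the name is free, only the path costs a handle.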