Process Explorer如何枚举XP Guest帐户中的所有进程名称?
[英]How does Process Explorer enumerate all process names from an XP Guest account?
问题描述
I'm attempting to enumerate all running process EXE names, and have stumbled when attempting this on the XP Guest account. 
我正在尝试枚举所有正在运行的进程EXE名称,并且在XP Guest帐户上尝试执行此操作时迷迷糊糊。 I am able to enumerate all Process IDs using EnumProcesses, but when I attempt OpenProcess with PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, the function fails. 我可以使用EnumProcesses枚举所有进程ID,但是当我尝试使用PROCESS_QUERY_INFORMATION或PROCESS_VM_READ进行OpenProcess时,函数将失败。
I fired up Process Explorer under the XP Guest account, and it was able to enumerate all process names (though as expected, most other information from processes outside the Guest user-space was not present). 我用XP Guest帐户启动了Process Explorer,它能够枚举所有进程名称(尽管不出所料,不存在来自Guest用户空间之外的其他大多数信息)。
So, my question is, how can I duplicate the Process Explorer magic to get the process names of services and other processes running outside the Guest account user-space? 因此,我的问题是,我该如何复制Process Explorer的魔力来获取来宾帐户用户空间之外运行的服务和其他进程的进程名称?
4 个解决方案
解决方案1
3 已采纳 2011-01-15 20:24:22
I suppose that the Process Explorer use NtQuerySystemInformation with parameter SystemProcessInformation to get the list of processes. 我想Process Explorer使用带有参数SystemProcessInformation NtQuerySystemInformation来获取进程列表。 For the code example see my old answer . 有关代码示例,请参阅我的旧答案 。 Additionally the function NtQueryInformationProcess will be used to get additional information. 另外,函数NtQueryInformationProcess将用于获取其他信息。
By the way, if you start Process Explorer under Dependency Walker (menu "Profile" / "Start Profiling" or F7 ) then you will see all functions which Process Explorer really use from NTDLL.DLL. 顺便说一句,如果您在Dependency Walker下启动Process Explorer(菜单“ Profile” /“ Start Profiling”或F7 ),那么您将从NTDLL.DLL中看到Process Explorer真正使用的所有功能。 You can see that NtQuerySystemInformation and NtQueryInformationProcess will be really used. 您可以看到NtQuerySystemInformation和NtQueryInformationProcess将被真正使用。
解决方案2
1 2011-01-15 21:04:38
NtQuerySystemInformation几乎没有记录,并且“在将来的Windows版本中可能会更改或不可用”, CreateToolhelp32Snapshot已得到充分记录,并应为您提供映像名称。
解决方案3
0 2011-01-15 18:02:23
When a process starts, it is assigned a basic set of access privileges. 进程启动时,将为其分配一组基本的访问权限。 Certain API calls require additional privileges to complete successfully. 某些API调用需要其他特权才能成功完成。 Specifically, OpenProcess can require the SeDebugPrivilege privilege in certain cases. 具体来说,在某些情况下, OpenProcess可能需要SeDebugPrivilege特权。 You can find an example of how to modify your process token to enable additional privileges here: Enabling and Disabling Privileges in C++ . 您可以在此处找到有关如何修改流程令牌以启用其他特权的示例: 在C ++中启用和禁用特权 。
解决方案4
0 2011-01-15 21:38:54
GetProcessImageFileName only needs PROCESS_QUERY_LIMITED_INFORMATION starting with Vista, but on XP it does need PROCESS_QUERY_INFORMATION. 从Vista开始, GetProcessImageFileName仅需要PROCESS_QUERY_LIMITED_INFORMATION,但在XP上则需要PROCESS_QUERY_INFORMATION。
You shouldn't need, and definitely shouldn't be able to get from a guest account, PROCESS_VM_READ. 您不需要,也绝对不能从访客帐户PROCESS_VM_READ获取。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.