stackoom
  简体   繁体   中英

How does Process Explorer enumerate all process names from an XP Guest account?

 原文  2011-01-15 17:43:49       c++/ windows/ winapi/ vb6/ process

Question

I'm attempting to enumerate all running process EXE names, and have stumbled when attempting this on the XP Guest account. I am able to enumerate all Process IDs using EnumProcesses, but when I attempt OpenProcess with PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, the function fails.

I fired up Process Explorer under the XP Guest account, and it was able to enumerate all process names (though as expected, most other information from processes outside the Guest user-space was not present).

So, my question is, how can I duplicate the Process Explorer magic to get the process names of services and other processes running outside the Guest account user-space?

4 answers

solution1
 3 ACCPTED  2011-01-15 20:24:22

I suppose that the Process Explorer use NtQuerySystemInformation with parameter SystemProcessInformation to get the list of processes. For the code example see my old answer . Additionally the function NtQueryInformationProcess will be used to get additional information.

By the way, if you start Process Explorer under Dependency Walker (menu "Profile" / "Start Profiling" or F7 ) then you will see all functions which Process Explorer really use from NTDLL.DLL. You can see that NtQuerySystemInformation and NtQueryInformationProcess will be really used.

solution2
 1  2011-01-15 21:04:38

NtQuerySystemInformation几乎没有记录,并且“在将来的Windows版本中可能会更改或不可用”, CreateToolhelp32Snapshot已得到充分记录,并应为您提供映像名称。

solution3
 0  2011-01-15 18:02:23

When a process starts, it is assigned a basic set of access privileges. Certain API calls require additional privileges to complete successfully. Specifically, OpenProcess can require the SeDebugPrivilege privilege in certain cases. You can find an example of how to modify your process token to enable additional privileges here: Enabling and Disabling Privileges in C++ .

solution4
 0  2011-01-15 21:38:54

GetProcessImageFileName only needs PROCESS_QUERY_LIMITED_INFORMATION starting with Vista, but on XP it does need PROCESS_QUERY_INFORMATION.

You shouldn't need, and definitely shouldn't be able to get from a guest account, PROCESS_VM_READ.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to Enumerate Names of All Named Pipes in a Process? How does the draggable crosshair in Process Explorer work? How can I enumerate/list all installed applications in Windows XP? How to Copy the Environment Variables from Sysinternal's Process Explorer Which winapi function does the Process Explorer use to suspend process? How to send a signal to all process from child process? Why does simple glfw program eat all the available cpu even though progam is idle (according to process explorer)? how to start separate process under system account from a windows service? Does fragment shader process all pixels from vertex shader? Prevent user process from being killed with “End Process” from Process Explorer
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM