Solved

Process Snapshot lock + Get most info from a process...

Posted on 2006-05-22
1,412 Views
Last Modified: 2013-12-03
Hi all EE experts,

I have a series of questions related to processes that I believe many Windows developers share. I expect that some of you advanced Windows programmers can help :)

Source code examples are much appreciated and must be in C! :)

1 - In general, when we want to list processes and their filenames on a Windows machine we use CreateToolhelp32Snapshot() + Process32First() + Process32Next(), more or less like this:

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>

void ListProc(){

/* the process flag is TH32CS_SNAPPROCESS (there is no TH32CS_PROCESS) */
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

/* failure is reported as INVALID_HANDLE_VALUE, i.e. (HANDLE)-1 */
if (hSnapshot==INVALID_HANDLE_VALUE){
  printf("Failed create snapshot...");
  exit(1);
 }

PROCESSENTRY32 pe;
pe.dwSize=sizeof(PROCESSENTRY32);   /* must be set before Process32First */

BOOL retval=Process32First(hSnapshot,&pe);
while(retval){

  /* th32ProcessID is a DWORD (unsigned long), so use %lX */
  printf("Process ID : %08lX belongs to %s\n",pe.th32ProcessID, pe.szExeFile);
  pe.dwSize=sizeof(PROCESSENTRY32);
  retval=Process32Next(hSnapshot,&pe);

 }

CloseHandle(hSnapshot);
}

So, how can I "lock/suspend" process creation and deletion while I do some work? Example:

ListProc();
LockProcessCreationAndDeletion();
MakeSomeStuff();
ListProc();
UnlockProcessCreationAndDeletion();

How can it be done?

2 - I was going to ask how to obtain a list of threads and modules from a process, but I found some useful examples on the web. Other developers who want to learn it, check:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/traversing_the_thread_list.asp   ( List Threads of a process).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/perfmon/base/traversing_the_module_list.asp   ( List Modules of a Process).

http://www.codeproject.com/threads/processapi.asp   (Interesting resource).

I also found:

- If you want to close a program, call SendMessage() with WM_CLOSE.
- If you want to close a thread:
OpenThread()
TerminateThread()
CloseHandle()

Question 2 answered by myself, so points to me... hehehe (just joking).

3 - How can I list all files that a process has opened? I have seen that it uses NtQuerySystemInformation(); it appears the trick is in SystemHandleInformation. I found some examples, but all in C++, and they are a little confusing for me. Can someone point me to an example (it can be just a function like ListFilesByProc(DWORD dwPID)) in C? And preferably translating the names from \Harddisk0\Partition1\directory\FileExample.txt to the drive letters assigned by Windows, like c:\directory\FileExample.txt (this I couldn't find on Google) :)

4 - Suppose I want to list programs executed by other programs; for example, suppose a program called test.exe calls calc.exe. I could create a process snapshot, walk through it and check whether the PROCESSENTRY32 struct's th32ParentProcessID field is not NULL, and consequently know whether it was called by another program or not. My doubt is: is that the best way I can do it? Or does Windows have some API of its own, or something better, to enumerate the processes executed by a process? :)

5 - There is a program called CurrPorts (http://www.nirsoft.net/utils/cports.html) that enumerates all ports a process is using, for example if it's listening on port X, and connecting to host XZ on remote port VX from port Y, etc. How can this data be extracted from a process?

6 - If we just have a PID, how can we get the PROCESSENTRY32 structure of this process, or something similar, to list its filename on disk, threads, modules and the other information asked about in this thread? :)

Thank you and all help is appreciated.

Regards
Question by:zgrp
7 Comments
 
LVL 22

Accepted Solution

by:
mahesh1402 earned 1000 total points
ID: 16734820
>>4 - Suppose I want to list programs executed by other programs
>>6 - If we just have a PID, how can we get the PROCESSENTRY32 structure of this process or similar to list its filename on disk

Have a look here :
http://www.codeproject.com/threads/ParentPID.asp <== Get Parent Process PID
http://www.codeguru.com/cpp/w-p/win32/article.php/c1437/ <==


>>3 - How can list all files that process have opened?

Call CreateToolhelp32Snapshot with the TH32CS_SNAPPROCESS flag. Then enumerate processes with Process32First / Process32Next until you find your PID.

To get the full process path from a PID, the code will be something like this:

#include <windows.h>
#include <tlhelp32.h>

BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID, LPMODULEENTRY32 lpMe32, DWORD cbMe32);

        // pe32 is the PROCESSENTRY32 located for ProcessID by the
        // Process32First / Process32Next walk described above.
        BOOL          bGotModule = FALSE;
        MODULEENTRY32 me32       = {0};
        bGotModule = GetProcessModule(ProcessID, pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));

        if (bGotModule)
            MessageBox(NULL, me32.szExePath, "Process Full Path", MB_OK);

BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,LPMODULEENTRY32 lpMe32, DWORD cbMe32)
{
    BOOL          bRet        = FALSE;
    BOOL          bFound      = FALSE;
    HANDLE        hModuleSnap = NULL;
    MODULEENTRY32 me32        = {0};

    // Take a snapshot of all modules in the specified process.
    // Note: the th32ModuleID members of PROCESSENTRY32 and MODULEENTRY32 are
    // documented as no longer used; the first module returned by Module32First
    // is the process's own .exe, so its szExePath is the full process path.
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hModuleSnap == INVALID_HANDLE_VALUE)   // i.e. (HANDLE)-1
        return (FALSE);

    // Fill the size of the structure before using it.
    me32.dwSize = sizeof(MODULEENTRY32);

    // Walk the module list of the process, and find the module of
    // interest. Then copy the information to the buffer pointed
    // to by lpMe32 so that it can be returned to the caller.
    if (Module32First(hModuleSnap, &me32)) {
        do {
            if (me32.th32ModuleID == dwModuleID) {
                CopyMemory (lpMe32, &me32, cbMe32);
                bFound = TRUE;
            }
        }
        while (!bFound && Module32Next(hModuleSnap, &me32));

        bRet = bFound;   // if this sets bRet to FALSE, dwModuleID
                         // no longer exists in specified process
    }
    else
        bRet = FALSE;           // could not walk module list

    // Do not forget to clean up the snapshot object.
    CloseHandle (hModuleSnap);

    return (bRet);
}

Hope this helps.

-MAHESH
 
LVL 22

Expert Comment

by:mahesh1402
ID: 16734905
>>So, how can I "lock/Suspend" the process creation and deletion while I do some stuff? Example:

This one will be useful to kill a process by 'NAME' : http://www.codeproject.com/threads/killprocess.asp <==

>>3 - How can list all files that process have opened?

To get extended info about processes such as Parent Process ID, Process ID, Name, Current Threads, Current Usage, Flags, Size, Primary Class Base, Default Heap ID, Module ID etc., the following may be useful:

http://www.codeproject.com/threads/processes.asp <===

-MAHESH
 
LVL 3

Author Comment

by:zgrp
ID: 16737100
Hi mahesh1402,

Thanks for the reply...

>Have a look here :
>http://www.codeproject.com/threads/ParentPID.asp <== Get Parent Process PID
>http://www.codeguru.com/cpp/w-p/win32/article.php/c1437/ <==

I want to obtain information from a process based on a PID. For example, I have a PID and want to get its PROCESSENTRY32 structure, not the parent PID information.

>>>3 - How can list all files that process have opened?
>Call CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS flag. Then, enumerate processes with Process32First / Process32Next until you'll find your PID.

Please read my post again. The code you provided is basically the same as I mentioned in my first post: it will locate modules (like the .dlls loaded by the program), not opened files, like c:\AfileAProgramOpened.txt, etc...

>This one will be useful to kill Process by 'NAME' : http://www.codeproject.com/threads/killprocess.asp <==

I know how to list processes and kill them, but my question is whether it is possible to lock the creation and deletion of processes for some time...

Thank you,

Cheers
 
LVL 8

Assisted Solution

by:mxjijo
mxjijo earned 1000 total points
ID: 16738108

>> is it possible to lock the creation and deletion of processes for some time??
    Yes, but unfortunately there are no straightforward methods to do that.
You need to install a system-wide hook for CreateProcess(), just like any other system-wide hook.

Take a look at:
http://www.codeproject.com/system/soviet_protector.asp

Just a friendly reminder: using the native API for professional product development is not a good idea.
Also, you need special privileges to kill other processes. Please let us know if you need help with that.

-j
 
LVL 3

Author Comment

by:zgrp
ID: 16738774
Hi mxjijo,

Thanks for the reply.

I was not wanting to use hooks, because they can cause some problems and, worse, some AntiVirus and Intrusion Prevention Systems detect them as malicious programs... :(

Anyway, to lock creation and deletion I would also need to hook TerminateProcess(), SendMessage() with WM_CLOSE, etc... very bad to implement in stable software... :(

Any other idea (a Microsoft API to do it)?

ps: Anyway, your help is appreciated; I will give some extra points to you (however I need to learn how to do that first... hehee)...

Thank you,

Regards,
 
LVL 3

Author Comment

by:zgrp
ID: 16885407
Any EE expert still alive and with a suggestion? :)
 
LVL 8

Expert Comment

by:mxjijo
ID: 16887517

>> I were not wanting to use hooks, because it can cause some problems and worst some
>> AntiVirus and Intrusion Prevention System detect it as evil programs... :(
     I have never tried this (so I am not saying you should try it either :),
but you may be able to get around those IDS warnings. You should load your hook driver
before the IDS driver loads. That way the IDS will not know of your driver's presence.

>>Anyway, to lock creation and deletion I yet would need to hook TerminateProcess(), SendMessage()
>> with WM_CLOSE, etc... very bad to be implemented in a stable software... :(
     Hooking process deletion doesn't make a lot of sense. There are so many ways a process can die, including a crash.
Take a look at http://www.diamondcs.com.au/freeutilities/apt-techniques.php.
AFAIK any non-embedded OS would provide an option for 3rd-party software to control process death.
You can monitor, but you cannot control.

Would you mind telling us what exactly you are trying to achieve? Maybe there is a better way to do it.
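The following is an added example, not code from this thread or from any of the linked articles. It puts questions 4 and 6 of the original post and the "monitor, but not control" point above into one program: a TH32CS_SNAPPROCESS snapshot is copied into a plain array, find_by_pid() returns the row for a PID (question 6), list_children() returns the PIDs whose th32ParentProcessID matches a given PID (question 4), and diff_snapshots() compares a snapshot taken before some work with one taken after it, which is the hook-free way to observe process creation and exit (the ListProc(); MakeSomeStuff(); ListProc(); pattern from the question). The names proc_entry, snapshot_processes, find_by_pid, list_children, diff_snapshots and the SAMPLE_A / SAMPLE_B tables are my own; the sample tables are constructed, not taken from a real machine. The Win32 part assumes an ANSI (non-UNICODE) build, as the thread's code does, and is compiled only under _WIN32 so the lookup logic can be exercised elsewhere. Two caveats a defender should keep in mind: th32ParentProcessID is recorded at creation and PIDs are recycled, so a row can name a parent that has since exited and been replaced by an unrelated process (comparing process creation times is the usual extra check), and a PID that exits and is reused between two snapshots is invisible to the diff.

```c
/* Added example: one Toolhelp snapshot in a plain array, plus three lookups.
   Assumes an ANSI build of the Win32 headers (szExeFile is char[]). */
#undef UNICODE
#undef _UNICODE
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

#define MAX_EXE  260   /* MAX_PATH: size of PROCESSENTRY32.szExeFile */
#define MAX_DIFF 64

typedef struct {       /* the PROCESSENTRY32 fields this example keeps */
    unsigned long pid;
    unsigned long ppid;
    char exe[MAX_EXE];
} proc_entry;

#ifdef _WIN32
/* Copy one TH32CS_SNAPPROCESS snapshot into out[]; returns rows stored, -1 on failure. */
int snapshot_processes(proc_entry *out, int cap)
{
    PROCESSENTRY32 pe;
    int n = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return -1;
    pe.dwSize = sizeof(pe);                 /* required before Process32First */
    if (Process32First(hSnap, &pe)) {
        do {
            if (n < cap) {
                out[n].pid  = pe.th32ProcessID;
                out[n].ppid = pe.th32ParentProcessID;
                strncpy(out[n].exe, pe.szExeFile, MAX_EXE - 1);
                out[n].exe[MAX_EXE - 1] = '\0';
                n++;
            }
        } while (Process32Next(hSnap, &pe));
    }
    CloseHandle(hSnap);
    return n;
}
#endif

/* Question 6: the snapshot row for a PID, or NULL if that PID is not in it. */
const proc_entry *find_by_pid(const proc_entry *p, int n, unsigned long pid)
{
    for (int i = 0; i < n; i++)
        if (p[i].pid == pid)
            return &p[i];
    return NULL;
}

/* Question 4: PIDs whose th32ParentProcessID equals `parent`; returns the count.
   Caveat: the parent PID is fixed at creation and PIDs are recycled, so a row can
   name a parent that has since exited and been replaced by an unrelated process. */
int list_children(const proc_entry *p, int n, unsigned long parent,
                  unsigned long *out, int cap)
{
    int k = 0;
    for (int i = 0; i < n; i++)
        if (p[i].ppid == parent && p[i].pid != parent && k < cap)  /* skip self-parented rows (PID 0) */
            out[k++] = p[i].pid;
    return k;
}

/* "You can monitor, but you cannot control": compare a snapshot taken before some
   work with one taken after it. A PID exited and reused in between is not visible. */
typedef struct {
    unsigned long created[MAX_DIFF]; int ncreated;
    unsigned long exited[MAX_DIFF];  int nexited;
} snap_diff;

void diff_snapshots(const proc_entry *a, int na, const proc_entry *b, int nb, snap_diff *d)
{
    d->ncreated = d->nexited = 0;
    for (int i = 0; i < nb; i++)
        if (!find_by_pid(a, na, b[i].pid) && d->ncreated < MAX_DIFF)
            d->created[d->ncreated++] = b[i].pid;
    for (int i = 0; i < na; i++)
        if (!find_by_pid(b, nb, a[i].pid) && d->nexited < MAX_DIFF)
            d->exited[d->nexited++] = a[i].pid;
}

/* Constructed sample snapshots (not from a real machine): test.exe (1500) started
   calc.exe and notepad.exe; between A and B calc.exe exited and cmd.exe started. */
static const proc_entry SAMPLE_A[] = {
    {4, 0, "System"}, {600, 4, "smss.exe"}, {1000, 600, "explorer.exe"},
    {1500, 1000, "test.exe"}, {1600, 1500, "calc.exe"}, {1700, 1500, "notepad.exe"},
};
static const proc_entry SAMPLE_B[] = {
    {4, 0, "System"}, {600, 4, "smss.exe"}, {1000, 600, "explorer.exe"},
    {1500, 1000, "test.exe"}, {1700, 1500, "notepad.exe"}, {1800, 1000, "cmd.exe"},
};
#define COUNT(arr) ((int)(sizeof(arr) / sizeof((arr)[0])))

int main(void)
{
    const proc_entry *a = SAMPLE_A, *b = SAMPLE_B;
    int na = COUNT(SAMPLE_A), nb = COUNT(SAMPLE_B);
    unsigned long target = 1500, kids[MAX_DIFF];
    snap_diff d;
#ifdef _WIN32
    static proc_entry live_a[2048], live_b[2048];
    na = snapshot_processes(live_a, 2048);          /* ListProc() */
    Sleep(3000);                                    /* MakeSomeStuff() */
    nb = snapshot_processes(live_b, 2048);          /* ListProc() again */
    if (na < 0 || nb < 0) { puts("snapshot failed"); return 1; }
    a = live_a; b = live_b; target = GetCurrentProcessId();
#endif
    const proc_entry *me = find_by_pid(b, nb, target);
    if (me) {
        const proc_entry *parent = find_by_pid(b, nb, me->ppid);
        printf("%lu %s, parent %lu %s\n", me->pid, me->exe, me->ppid, parent ? parent->exe : "?");
    }
    int nk = list_children(b, nb, target, kids, MAX_DIFF);
    for (int i = 0; i < nk; i++) printf("  child %lu\n", kids[i]);
    diff_snapshots(a, na, b, nb, &d);
    for (int i = 0; i < d.ncreated; i++) printf("created %lu\n", d.created[i]);
    for (int i = 0; i < d.nexited; i++)  printf("exited  %lu\n", d.exited[i]);
    return 0;
}
```

On Windows, main() takes two live snapshots three seconds apart and reports the current process, its parent, its children, and whatever started or exited in between; on other platforms it runs the same lookups over the constructed tables, where test.exe (1500) has children 1600 and 1700 in snapshot A, and the diff reports 1800 as created and 1600 as exited.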
