zgrp
asked on
Process Snapshot lock + Get most info from a process...
Hi all EE experts,
I have a series of questions related to processes that I believe are a doubt for many Windows developers. I expect that some of you advanced Windows programmers can help :)
Source code examples are very much appreciated and must be in C! :)
1 - In general, when we want to list processes and their filenames on a Windows machine we use CreateToolhelp32Snapshot() + Process32First() + Process32Next(), more or less like this:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tlhelp32.h>

void ListProc(void)
{
    /* TH32CS_SNAPPROCESS takes a point-in-time copy of the process list. */
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    BOOL retval;
    if (hSnapshot == INVALID_HANDLE_VALUE) {   /* the API returns this, not -1 */
        printf("Failed to create snapshot...\n");
        exit(1);
    }
    pe.dwSize = sizeof(PROCESSENTRY32);        /* must be set before Process32First */
    retval = Process32First(hSnapshot, &pe);
    while (retval) {
        printf("Process ID : %08lX belongs to %s\n", pe.th32ProcessID, pe.szExeFile);
        pe.dwSize = sizeof(PROCESSENTRY32);
        retval = Process32Next(hSnapshot, &pe);
    }
    CloseHandle(hSnapshot);
}
So, how can I "lock/suspend" process creation and deletion while I do some stuff? Example:
ListProc();
LockProcessCreationAndDeletion();
MakeSomeStuff();
ListProc();
UnlockProcessCreationAndDeletion();
How can it be done?
2 - I was asking how to obtain a list of threads and modules from a process; however, I found some useful examples on the web. Other developers who want to learn it, check:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/traversing_the_thread_list.asp (List Threads of a process).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/perfmon/base/traversing_the_module_list.asp (List Modules of a Process).
http://www.codeproject.com/threads/processapi.asp (Interesting resource).
I also found:
- If you want to close a program, send a SendMessage() with WM_CLOSE.
- If you want to close a thread:
OpenThread()
TerminateThread()
CloseHandle()
Question 2 replied to by myself, so points to me... hehehe (just joking).
3 - How can I list all files that a process has opened? I've seen that it uses NtQuerySystemInformation(); it appears that the trick is in SystemHandleInformation. I found some examples, but all in C++ and it's a little confusing for me. Can someone point me to an example (it can be just a function like ListFilesByProc(DWORD dwPID)) in C? And preferably translating the names from \Harddisk0\Partition1\directory\FileExample.txt to the letters assigned by Windows, like c:\directory\FileExample.txt (this I couldn't find on Google) :)
4 - Suppose I want to list programs executed by other programs. For example, suppose a program called test.exe calls calc.exe. I could create a process snapshot, walk through it and check if the PROCESSENTRY32 struct has the th32ParentProcessID field not NULL, and consequently know if it's called by another program or not. My doubt is: is this the best way I can do it? Or does some Windows API exist, or something better, to enumerate processes executed by a process? :)
5 - There is a program called CurrPorts (http://www.nirsoft.net/utils/cports.html); it enumerates all ports that a process is using, for example if it's listening on port X, and connecting to port Y on host XZ from remote port VX, etc. How can this data be extracted from a process?
6 - If we just have a PID, how can we get the PROCESSENTRY32 structure of this process, or similar, to list its filename on disk, threads, modules and the other information asked about in this thread? :)
Thank you and all help is appreciated.
Regards
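An added example for questions 4 and 6 (my code, not code from the original post or from any reply): it copies the PROCESSENTRY32 fields into a plain record, looks a process up by PID, counts direct children and prints the parent/child tree from th32ParentProcessID. It assumes the Toolhelp API on Windows; built anywhere else it falls back to a constructed sample table (the PIDs and image names there are made up) so the tree logic can still be run and checked. Two points the question's "th32ParentProcessID not NULL" test misses: the field is recorded when the process is created, is non-zero for every ordinary process and is never updated when the parent exits, so a non-zero value does not tell you whether the process it names is still the real parent; and nothing in Win32 freezes process creation around a snapshot, so a PID from the snapshot may already be dead, or reused, by the time you act on it.

```c
/* Added example (not from the original post): process tree and PID lookup
 * over a Toolhelp snapshot.  On Windows the records come from
 * CreateToolhelp32Snapshot; elsewhere a constructed sample table stands in. */
#undef UNICODE        /* ANSI PROCESSENTRY32, so szExeFile is char[] */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
#define MAX_PROCS 4096

/* Platform-neutral copy of the PROCESSENTRY32 fields the tree needs. */
typedef struct {
    unsigned long pid;
    unsigned long ppid;   /* th32ParentProcessID: set at creation, never updated */
    char exe[260];        /* szExeFile: image name only, not the full path */
} ProcRec;

static ProcRec g_recs[MAX_PROCS];
static int g_n = -1;      /* records loaded, or -1 until snapshot() runs */

/* Load g_recs[]; returns the record count or -1 if the snapshot failed. */
static int load_snapshot(void)
{
#ifdef _WIN32
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int n = 0;
    if (snap == INVALID_HANDLE_VALUE) return -1;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            g_recs[n].pid  = pe.th32ProcessID;
            g_recs[n].ppid = pe.th32ParentProcessID;
            strncpy(g_recs[n].exe, pe.szExeFile, sizeof g_recs[n].exe - 1);
            g_recs[n].exe[sizeof g_recs[n].exe - 1] = '\0';
            n++;
        } while (n < MAX_PROCS && Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return n;
#else
    /* Constructed sample (made-up PIDs, not a real capture): test.exe (1200)
       started calc.exe and cmd.exe; cmd.exe started more.exe. */
    static const ProcRec sample[] = {
        { 4, 0, "System" }, { 600, 4, "smss.exe" }, { 1000, 600, "explorer.exe" },
        { 1200, 1000, "test.exe" }, { 1300, 1200, "calc.exe" },
        { 1310, 1200, "cmd.exe" }, { 1320, 1310, "more.exe" },
    };
    memcpy(g_recs, sample, sizeof sample);
    return (int)(sizeof sample / sizeof sample[0]);
#endif
}
static int snapshot(void) { if (g_n < 0) g_n = load_snapshot(); return g_n; }

/* Question 6: the record for a PID, or NULL if it is not in the snapshot. */
const ProcRec *find_by_pid(unsigned long pid)
{
    int i;
    for (i = 0; i < snapshot(); i++) if (g_recs[i].pid == pid) return &g_recs[i];
    return NULL;
}

/* Question 4: direct children of `parent`, as recorded in the snapshot. */
int children_of(unsigned long parent)
{
    int i, c = 0;
    for (i = 0; i < snapshot(); i++)
        if (g_recs[i].ppid == parent && g_recs[i].pid != parent) c++;
    return c;
}

/* Print the subtree under `parent`.  The depth cap matters: a PID reused
   after its owner exited can make the recorded parent links form a cycle. */
void print_tree(unsigned long parent, int depth)
{
    int i;
    if (depth > 64) return;
    for (i = 0; i < snapshot(); i++) {
        if (g_recs[i].ppid != parent || g_recs[i].pid == parent) continue;
        printf("%*s%lu  %s\n", depth * 2, "", g_recs[i].pid, g_recs[i].exe);
        print_tree(g_recs[i].pid, depth + 1);
    }
}

int main(void)
{
    int i, n = snapshot();
    if (n < 0) { fprintf(stderr, "snapshot failed\n"); return 1; }
    for (i = 0; i < n; i++) {
        /* Roots: self-parented (Idle, PID 0) or the recorded parent is gone.
           If that parent's PID was reused, the child is filed under an unrelated
           process; compare GetProcessTimes() creation times before trusting
           such a link (a parent must predate its child). */
        if (g_recs[i].ppid == g_recs[i].pid || !find_by_pid(g_recs[i].ppid)) {
            printf("%lu  %s\n", g_recs[i].pid, g_recs[i].exe);
            print_tree(g_recs[i].pid, 1);
        }
    }
    return 0;
}
```

On Windows, link normally and run it to see the live tree; the sample branch only exists so the lookup and tree code can be exercised without a Windows machine. szExeFile is the image name only; the full path on disk needs OpenProcess() plus QueryFullProcessImageName(), which is the same route you would use for the threads and modules snapshots (TH32CS_SNAPTHREAD filtered on th32OwnerProcessID, and TH32CS_SNAPMODULE with the PID) once you have the record.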
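For question 5, an added example of where CurrPorts-style data comes from (my code, not from the original post or any reply): on Windows it reads the IPv4 TCP table with GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL), whose rows carry dwOwningPid next to the local and remote endpoints, and filters by PID. Built elsewhere it uses a constructed sample table (made-up rows, stored as the little-endian DWORDs the API would hold) so the decoding and filtering can be run and checked. The decoding functions assume what the API documents: addresses and ports are stored in network byte order, the port in the low 16 bits of its DWORD.

```c
/* Added example (not from the thread): the TCP endpoints a PID owns, i.e.
 * what CurrPorts shows.  On Windows the rows come from GetExtendedTcpTable
 * (link with iphlpapi.lib); elsewhere a constructed sample table stands in. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#endif

/* Copy of the MIB_TCPROW_OWNER_PID fields; address and port DWORDs are kept
   exactly as the API stores them (network byte order in memory). */
typedef struct { uint32_t state, laddr, lport, raddr, rport, pid; } TcpRow;

/* The port is in the low 16 bits in network order, so on little-endian
   Windows the DWORD's low byte is the port's high byte (same as ntohs). */
unsigned port_from_dword(uint32_t p) { return ((p & 0xffu) << 8) | ((p >> 8) & 0xffu); }

/* Dotted quad: the DWORD's low byte is the first octet.  Static buffer. */
const char *ipv4_to_string(uint32_t a)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%u.%u.%u.%u", (unsigned)(a & 0xffu), (unsigned)((a >> 8) & 0xffu),
             (unsigned)((a >> 16) & 0xffu), (unsigned)(a >> 24));
    return buf;
}

/* MIB_TCP_STATE values (tcpmib.h): 1 = CLOSED ... 12 = DELETE_TCB. */
const char *tcp_state_name(uint32_t s)
{
    static const char *names[] = { "?", "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED",
        "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "DELETE_TCB" };
    return s < sizeof names / sizeof names[0] ? names[s] : "?";
}

/* Fill out[] with every IPv4 TCP row on the system; returns the count or -1. */
int collect_tcp_rows(TcpRow *out, int max)
{
#ifdef _WIN32
    DWORD size = 0, i, rc; MIB_TCPTABLE_OWNER_PID *tbl = NULL; int n = 0;
    do {   /* ask for the size, allocate, fetch; loop because the table can grow in between */
        rc = GetExtendedTcpTable(tbl, &size, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
        if (rc == ERROR_INSUFFICIENT_BUFFER) {
            void *p = realloc(tbl, size);
            if (!p) { free(tbl); return -1; }
            tbl = (MIB_TCPTABLE_OWNER_PID *)p;
        }
    } while (rc == ERROR_INSUFFICIENT_BUFFER);
    if (rc != NO_ERROR) { free(tbl); return -1; }
    for (i = 0; i < tbl->dwNumEntries && n < max; i++, n++) {
        const MIB_TCPROW_OWNER_PID *r = &tbl->table[i];
        out[n].state = r->dwState;      out[n].laddr = r->dwLocalAddr;  out[n].lport = r->dwLocalPort;
        out[n].raddr = r->dwRemoteAddr; out[n].rport = r->dwRemotePort; out[n].pid = r->dwOwningPid;
    }
    free(tbl);
    return n;
#else
    /* Constructed sample (not a real capture), stored as the little-endian DWORDs
       the API would hold: pid 1200 listens on 8080 and has one outbound
       connection; pid 4 listens on 445. */
    static const TcpRow sample[] = {
        { 2, 0x00000000u, 0x901Fu, 0x00000000u, 0x0000u, 1200 },  /* 0.0.0.0:8080 LISTEN */
        { 5, 0x0A01A8C0u, 0x00C0u, 0x076433C6u, 0xBB01u, 1200 },  /* 192.168.1.10:49152 -> 198.51.100.7:443 */
        { 2, 0x00000000u, 0xBD01u, 0x00000000u, 0x0000u, 4 },     /* 0.0.0.0:445 LISTEN */
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    if (n > max) n = max;
    memcpy(out, sample, (size_t)n * sizeof(TcpRow));
    return n;
#endif
}

/* One CurrPorts-style line for a row. */
void describe_row(const TcpRow *r, char *buf, size_t n)
{
    char local[24], remote[24];
    snprintf(local, sizeof local, "%s:%u", ipv4_to_string(r->laddr), port_from_dword(r->lport));
    snprintf(remote, sizeof remote, "%s:%u", ipv4_to_string(r->raddr), port_from_dword(r->rport));
    snprintf(buf, n, "pid %u  %-21s %-21s %s", (unsigned)r->pid, local, remote, tcp_state_name(r->state));
}

static TcpRow g_rows[4096];
static int g_n = -1;
static int rows(void) { if (g_n < 0) g_n = collect_tcp_rows(g_rows, 4096); return g_n; }

/* Rows (listeners and connections) owned by `pid`. */
int count_rows_for_pid(uint32_t pid)
{
    int i, c = 0;
    for (i = 0; i < rows(); i++) if (g_rows[i].pid == pid) c++;
    return c;
}

int main(int argc, char **argv)
{
    uint32_t pid = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 10) : 1200;
    int i; char line[96];
    if (rows() < 0) { fprintf(stderr, "GetExtendedTcpTable failed\n"); return 1; }
    for (i = 0; i < g_n; i++)
        if (g_rows[i].pid == pid) { describe_row(&g_rows[i], line, sizeof line); puts(line); }
    return 0;
}
```

UDP has the same shape through GetExtendedUdpTable(UDP_TABLE_OWNER_PID), and IPv6 uses AF_INET6 with MIB_TCP6TABLE_OWNER_PID. The table is a point-in-time copy like the process snapshot: a row's dwOwningPid can belong to a process that has since exited, so resolve the PID to a name from a snapshot taken at the same moment rather than later.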
ASKER CERTIFIED SOLUTION
ASKER
Hi mahesh1402,
Thanks for reply...
>Have a look here :
>http://www.codeproject.com/threads/ParentPID.asp <== Get Parent Process PID
>http://www.codeguru.com/cpp/w-p/win32/article.php/c1437/ <==
I want to obtain information from a process based on a PID. For example, I have a PID and want to get its PROCESSENTRY32 structure. Not the parent PID information.
>>>3 - How can list all files that process have opened?
>Call CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS flag. Then, enumerate >processes with Process32First / ProcessNext until you'll find your PID.
Please read my post again. The code you provided is basically the same as what I spoke about in my first post; it will locate modules (like .dll files loaded by the program) and not opened files, like c:\AfileAProgramOpened.txt, etc...
>This one will be useful to kill Process by 'NAME' : >http://www.codeproject.com/threads/killprocess.asp <==
I know how to list processes and kill them, but my question is whether it is possible to lock the creation and deletion of processes for some time...
Thank you,
Cheers
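The distinction made above (modules loaded by a process versus files it has open) is the point of this added example for question 3; it is my code, not code from the asker or from any of the replies. Open files are not in any Toolhelp snapshot: they are handles in the process's handle table, reached through NtQuerySystemInformation(SystemHandleInformation), DuplicateHandle into the caller, and NtQueryObject(ObjectNameInformation) for the NT path, which QueryDosDevice then maps back to a drive letter. The handle walk assumes the undocumented information class numbers 16 and 1 and the ntdll exports declared in winternl.h, so it is compiled only on Windows; the drive-letter translation is portable and is checked against a constructed mapping table (the device names and letters in SAMPLE_MAP are made up, not read from a machine).

```c
/* Added example (not from the thread): open file handles of a PID from the
 * system handle table, with NT device paths mapped to drive letters.  The
 * path mapping is portable; the handle walk needs Windows and ntdll.lib. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char device[128]; char letter[3]; } DevMap;

/* Case-insensitive prefix compare (NT object names are case-insensitive). */
static int ieq_n(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n && a[i]; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return i == n;
}

/* \Device\HarddiskVolume1\dir\f.txt -> C:\dir\f.txt.  Returns 1 when a drive
   letter matched; otherwise copies the NT path unchanged and returns 0. */
int translate_device_path(const char *nt, const DevMap *map, int nmap, char *out, size_t outlen)
{
    int i;
    for (i = 0; i < nmap; i++) {
        size_t dl = strlen(map[i].device);
        /* The prefix must end at a separator: HarddiskVolume1 must not claim HarddiskVolume10. */
        if (ieq_n(nt, map[i].device, dl) && (nt[dl] == '\\' || nt[dl] == '\0')) {
            snprintf(out, outlen, "%s%s", map[i].letter, nt + dl);
            return 1;
        }
    }
    snprintf(out, outlen, "%s", nt);
    return 0;
}

/* Constructed mapping (not from a real machine) for self-checks; on Windows
   main() builds the real one with QueryDosDevice. */
static const DevMap SAMPLE_MAP[] = {
    { "\\Device\\HarddiskVolume1", "C:" }, { "\\Device\\HarddiskVolume10", "D:" },
    { "\\Device\\CdRom0", "E:" } };
const char *translate_sample(const char *nt)
{
    static char out[1024];
    translate_device_path(nt, SAMPLE_MAP, 3, out, sizeof out);
    return out;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
#define LEN_MISMATCH ((NTSTATUS)0xC0000004L)                 /* STATUS_INFO_LENGTH_MISMATCH */
/* SystemHandleInformation (class 16).  Its USHORT fields truncate PIDs and
   handles above 65535; use SystemExtendedHandleInformation (64) if that matters. */
typedef struct { USHORT UniqueProcessId, CreatorBackTraceIndex; UCHAR ObjectTypeIndex,
    HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } HANDLE_ENTRY;
typedef struct { ULONG NumberOfHandles; HANDLE_ENTRY Handles[1]; } HANDLE_INFO;
typedef struct { UNICODE_STRING Name; WCHAR Buf[1024]; } OBJ_NAME_INFO;   /* ObjectNameInformation, class 1 */

/* Print the \Device\... object names held by `pid`; returns the count or -1. */
int list_files_by_pid(unsigned long pid, const DevMap *map, int nmap)
{
    ULONG size = 1u << 20, got, i; NTSTATUS st; HANDLE_INFO *info = NULL; HANDLE hp; int count = 0;
    if (pid > 0xFFFF) return -1;                             /* see the USHORT note above */
    for (;;) {                                               /* system-wide table: grow until it fits */
        void *p = realloc(info, size);
        if (!p) { free(info); return -1; }
        info = (HANDLE_INFO *)p;
        st = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)16, info, size, &got);
        if (st != LEN_MISMATCH) break;
        size *= 2;
    }
    hp = st < 0 ? NULL : OpenProcess(PROCESS_DUP_HANDLE, FALSE, (DWORD)pid);
    if (!hp) { free(info); return -1; }                      /* other users' processes need SeDebugPrivilege */
    for (i = 0; i < info->NumberOfHandles; i++) {
        HANDLE dup; OBJ_NAME_INFO oni; ULONG len; char nt[1024], dos[1024];
        if (info->Handles[i].UniqueProcessId != pid) continue;
        if (!DuplicateHandle(hp, (HANDLE)(ULONG_PTR)info->Handles[i].HandleValue, GetCurrentProcess(),
                             &dup, 0, FALSE, DUPLICATE_SAME_ACCESS)) continue;
        /* Caveat: NtQueryObject blocks for ever on a synchronous pipe handle with a pending
           read; Process Explorer and similar tools run it on a worker thread with a timeout. */
        if (NtQueryObject(dup, (OBJECT_INFORMATION_CLASS)1, &oni, sizeof oni, &len) >= 0 && oni.Name.Buffer) {
            snprintf(nt, sizeof nt, "%.*ls", (int)(oni.Name.Length / sizeof(WCHAR)), oni.Name.Buffer);
            if (ieq_n(nt, "\\Device\\", 8)) {                /* files, pipes, sockets; skips \REGISTRY, events... */
                translate_device_path(nt, map, nmap, dos, sizeof dos);
                puts(dos); count++;
            }
        }
        CloseHandle(dup);
    }
    CloseHandle(hp); free(info);
    return count;
}

int main(int argc, char **argv)
{
    DevMap map[26]; char drv[] = "A:"; int nmap = 0;
    if (argc < 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    for (drv[0] = 'A'; drv[0] <= 'Z'; drv[0]++)             /* drive letter -> NT device name */
        if (QueryDosDeviceA(drv, map[nmap].device, sizeof map[nmap].device)) strcpy(map[nmap++].letter, drv);
    return list_files_by_pid(strtoul(argv[1], NULL, 10), map, nmap) < 0 ? 1 : 0;
}
#else
int main(void) { puts(translate_sample("\\Device\\HarddiskVolume1\\directory\\FileExample.txt")); return 0; }
#endif
```

Names that do not map to a drive letter are printed as NT paths on purpose: \Device\NamedPipe\..., \Device\Afd (sockets) and \Device\Mup\... (network shares) are file objects too, and a tool that silently dropped them would hide exactly the handles an analyst usually cares about.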
SOLUTION
ASKER
Hi mxjijo,
Thanks for reply.
I did not want to use hooks, because they can cause some problems and, worse, some AntiVirus and Intrusion Prevention Systems detect them as evil programs... :(
Anyway, to lock creation and deletion I would still need to hook TerminateProcess(), SendMessage() with WM_CLOSE, etc... very bad to implement in stable software... :(
Any other idea (a Microsoft API to do it)?
ps: Anyway, your help is appreciated; I will give some extra points to you (however, I need to learn how to do it first... hehee)...
Thank you,
Regards,
ASKER
Any EE expert still alive and with a suggestion? :)
>> I were not wanting to use hooks, because it can cause some problems and worst some
>> AntiVirus and Intrusion Prevention System detect it as evil programs... :(
I have never tried this (so I am not saying you should try this either :),
but you may be able to get around those IDS warnings. You should load your hook driver
before the IDS driver loads. That way the IDS will not know of your driver's presence.
>>Anyway, to lock creation and deletion I yet would need to hook TerminateProcess(), SendMessage()
>> with WM_CLOSE, etc... very bad to be implemented in a stable software... :(
Hooking process deletion doesn't make a lot of sense. There are so many ways a process can die, including a crash.
Take a look at http://www.diamondcs.com.au/freeutilities/apt-techniques.php.
AFAIK any non-embedded OS would provide an option for 3rd-party software to control process death.
You can monitor, but you cannot control.
Do you mind telling us what exactly you are trying to achieve? Maybe there is a better way to do it.
This one will be useful to kill Process by 'NAME' : http://www.codeproject.com/threads/killprocess.asp <==
>>3 - How can list all files that process have opened?
To get extended info about processes such as Parent Process ID, Process ID, Name, Current Threads, Current Usage, Flags, Size, Primary Class Base, Default Heap ID, Module ID etc., the following may be useful
http://www.codeproject.com/threads/processes.asp <===
-MAHESH