Solved

NTVDM and Process Explorer

Posted on 2007-07-24
317 Views
Last Modified: 2013-12-03
Can anyone help me understand how to read NTVDM.exe in Process Explorer? I'm trying to see the command that was sent to NTVDM.exe and any handles or Dlls but I cannot see anything. Why is NTVDM protected?

Thanks for any info!
Question by:Delta526
9 Comments
 
LVL 22

Expert Comment

by:mahesh1402
ID: 19563011
I think you need to use the VDMEnumProcessWOW API from VDMDBG.dll, which enumerates all of the VDMs in the system, that is, each instance of NTVDM.EXE. For each VDM, the API invokes a callback function that you define. The primary parameter to the callback function is the process ID for the particular instance of NTVDM.EXE.

Look at this MSJ article with source:
http://www.microsoft.com/msj/0898/hood0898.aspx

Also:
http://www.winterdom.com/dev/ptk/16bitproc.html

About how to use VDMEnumProcessWOW, look at:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q182559&ID=KB;EN-US;Q182559

Hope this helps
-MAHESH
0
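As an added illustration of the VDMDBG.dll route described above (not code from this thread, from the MSJ article or from Microsoft's samples), this PowerShell script P/Invokes VDMEnumProcessWOW and VDMEnumTaskWOWEx to list every NTVDM.EXE instance together with the 16-bit module and executable file name of each task running inside it. It assumes a 32-bit Windows system where NTVDM exists, run from a 32-bit PowerShell; the class name VdmDbg and the variable names are the example's own.

```powershell
# Added example, not from the thread: enumerate NTVDM instances and the 16-bit
# tasks inside each via VDMDBG.dll (VDMEnumProcessWOW / VDMEnumTaskWOWEx).
# Assumes 32-bit Windows with NTVDM present, run from a 32-bit PowerShell.
$vdmdbg = @"
using System;
using System.Runtime.InteropServices;
public static class VdmDbg {
    // BOOL ProcessEnumProc(DWORD dwProcessId, DWORD dwAttributes, LPARAM lpUserDefined)
    public delegate bool ProcessEnumProc(uint dwProcessId, uint dwAttributes, IntPtr lpUserDefined);
    // BOOL TaskEnumProcEx(DWORD dwThreadId, WORD hMod16, WORD hTask16,
    //                     PSZ pszModName, PSZ pszFileName, LPARAM lpUserDefined)
    public delegate bool TaskEnumProcEx(uint dwThreadId, ushort hMod16, ushort hTask16,
        [MarshalAs(UnmanagedType.LPStr)] string pszModName,
        [MarshalAs(UnmanagedType.LPStr)] string pszFileName, IntPtr lpUserDefined);
    [DllImport("vdmdbg.dll")]
    public static extern int VDMEnumProcessWOW(ProcessEnumProc fp, IntPtr lparam);
    [DllImport("vdmdbg.dll")]
    public static extern int VDMEnumTaskWOWEx(uint dwProcessId, TaskEnumProcEx fp, IntPtr lparam);
}
"@
Add-Type -TypeDefinition $vdmdbg

$script:tasks = New-Object System.Collections.ArrayList

# Called once per 16-bit task; returning $false tells VDMDBG to keep enumerating.
$script:taskCb = [VdmDbg+TaskEnumProcEx]{
    param($threadId, $hMod16, $hTask16, $modName, $fileName, $user)
    [void]$script:tasks.Add([pscustomobject]@{
        NtvdmPid = $script:currentPid; ThreadId = $threadId
        Module   = $modName;           File     = $fileName   # path of the 16-bit .exe
    })
    return $false
}

# Called once per NTVDM.EXE instance (the process ID is what Process Explorer shows).
$procCb = [VdmDbg+ProcessEnumProc]{
    param($vdmPid, $attributes, $user)
    $script:currentPid = $vdmPid
    # WOW_SYSTEM (0x1) in dwAttributes marks the shared system WOW VDM.
    Write-Host ("NTVDM pid {0} attributes 0x{1:x}" -f $vdmPid, $attributes)
    [void][VdmDbg]::VDMEnumTaskWOWEx($vdmPid, $script:taskCb, [IntPtr]::Zero)
    return $false
}

$count = [VdmDbg]::VDMEnumProcessWOW($procCb, [IntPtr]::Zero)
Write-Host "$count VDM(s) found"
$script:tasks | Format-Table -AutoSize
```

The File column is the path of the 16-bit program hosted by that NTVDM, which is the piece Process Explorer's process list does not surface; the 16-bit program has to be running while the script executes.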
 

Author Comment

by:Delta526
ID: 19563023
This sounds good let me read for a moment.
0
 
LVL 32

Expert Comment

by:r-k
ID: 19563042
I am not quite sure what you mean. When I run a 16-bit program and then run Process Explorer, and click once on ntvdm.exe it gives a fair amount of information in the lower window, including the name of the 16-bit executable, the dll's in use, plus a lot more.

Of course the 16-bit program has to be running at the time.
0
 

Author Comment

by:Delta526
ID: 19571229
r-k,

You say you can see the name of the 16-bit executable? I must be looking in the wrong place or I am not understanding Process Explorer. I'm seeing ntvdm but not what ntvdm is doing. The application I am trying to watch is a third-party application launcher that launches 16-bit applications. What I want to do is see the command string that this application launcher used to start ntvdm. The reason I want to see these strings is because I want to launch these 16-bit applications from the command line. I might add that some of the applications in the launcher are 32-bit apps and Process Explorer showed me the start-up string and I am using it to start the apps. It is the 16-bit applications that the launcher starts into ntvdm that don't show in Process Explorer. When a 16-bit app is launched, Process Explorer just shows ntvdm starting with no information about how it was started. Hmmm, any ideas??
0
 
LVL 32

Expert Comment

by:r-k
ID: 19571422
Did you try (in Process Explorer from menu bar):

 View -> Show Lower pane

then click once on NTVDM in the process list in the upper pane.

My version of Process Explorer is a bit old (v9.25) so there might be some differences. The executable name shows as the only .exe file in use by NTVDM in the lower pane.

This may not be enough to show the entire command line, however.
0
 
LVL 22

Expert Comment

by:mahesh1402
ID: 19574886
That way you will be able to see handles and thread IDs.

As I said above, the only way to enumerate 16-bit processes under NTVDM is through the Virtual DOS Machine Debug API (VDMDBG.DLL) using the VDMEnumProcessWOW API.

-MAHESH
0
 

Author Comment

by:Delta526
ID: 19575900
r-k,
My version is pretty much the same; there just is nothing in the lower pane for NTVDM.

-MAHESH
I guess I was looking for something easy, but I think this API is my only hope of seeing the command that started the VDM. Give me a bit to see if I can build something with this API. I hope I'm not going about this the wrong way by trying to talk to ntvdm when all I want to see is what command started ntvdm. Perhaps if this doesn't work my question should be how to monitor the 32-bit app launcher.
0
 
LVL 32

Expert Comment

by:r-k
ID: 19576019
Odd. Are you logged in as an Administrator?

Also, note that in the View menu, you can select "Lower Pane View" and choose between Dll's or Handles.
0
 
LVL 22

Accepted Solution

by:
mahesh1402 earned 2000 total points
ID: 19576137
>>I guess I was looking for something easy,

My comments above are as per the Microsoft docs; if you refer to the above links, it seems the only way to get details about that is using VDMDBG.dll.

-MAHESH
0
