Delta526
asked on
NTVDM and Process Explorer
Can anyone help me understand how to read NTVDM.exe in Process Explorer? I'm trying to see the command that was sent to NTVDM.exe and any handles or Dlls but I cannot see anything. Why is NTVDM protected?
Thanks for any info!
ASKER
This sounds good let me read for a moment.
I am not quite sure what you mean. When I run a 16-bit program and then run Process Explorer, and click once on ntvdm.exe, it gives a fair amount of information in the lower window, including the name of the 16-bit executable, the DLLs in use, plus a lot more.
Of course the 16-bit program has to be running at the time.
ASKER
r-k,
You say you can see the name of the 16-bit executable? I must be looking in the wrong place or I am not understanding Process Explorer. I'm seeing ntvdm but not what ntvdm is doing. The application I am trying to watch is a third-party application launcher that launches 16-bit applications. What I want to do is see the command string that this application launcher used to start ntvdm. The reason I want to see these strings is that I want to launch these 16-bit applications from the command line. I might add that some of the applications in the launcher are 32-bit apps, and Process Explorer showed me the start-up string and I am using it to start the apps. It is the 16-bit applications that the launcher starts into ntvdm that don't show in Process Explorer. When a 16-bit app is launched, Process Explorer just shows ntvdm starting with no information about how it was started. Hmmm, any ideas??
Did you try (in Process Explorer from menu bar):
View -> Show Lower pane
then click once on NTVDM in the process list in the upper pane.
My version of Process Explorer is a bit old (v9.25) so there might be some differences. The executable name shows as the only .exe file in use by NTVDM in the lower pane.
This may not be enough to show the entire command line, however.
That way you will be able to see handles and thread IDs.
As I said above the only way to enumerate 16 bit processes under NTVDM is through the Virtual DOS Machine Debug API (VDMDBG.DLL) using VDMEnumProcessWOW API.
-MAHESH
ASKER
r-k,
My version is pretty much the same; there just is nothing in the lower pane for NTVDM.
MAHESH,
I guess I was looking for something easy, but I think this API is my only hope of seeing the command that started the VDM. Give me a bit to see if I can build something with this API. I hope I'm not going about this the wrong way by trying to talk to ntvdm when all I want to see is what command started ntvdm. Perhaps if this doesn't work my question should be how to monitor the 32-bit app launcher.
Odd. Are you logged in as an Administrator?
Also, note that in the View menu, you can select "Lower Pane View" and choose between Dll's or Handles.
ASKER CERTIFIED SOLUTION
Look at this MSJ article with src :
http://www.microsoft.com/msj/0898/hood0898.aspx
Also:
http://www.winterdom.com/dev/ptk/16bitproc.html
About how to use VDMEnumProcessWOW look :
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q182559&ID=KB;EN-US;Q182559
Hope this helps
-MAHESH
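As an added illustration of the VDMEnumProcessWOW / VDMEnumTaskWOWEx approach MAHESH points to (this is example code written for this page, not code from the thread, the KB article or Microsoft): the script below P/Invokes both functions from vdmdbg.dll and lists every 16-bit task living inside each running NTVDM, including the path of the 16-bit image that Process Explorer's lower pane does not show. It assumes a 32-bit Windows with NTVDM support and a 32-bit PowerShell host; the class name Vdm16 and the function name Get-Wow16Task are this example's own. Note that the API reports the 16-bit executable's module name and file name, not the command line the launcher handed to NTVDM, so it answers "which 16-bit program is in there?" rather than "what string started it?".

```powershell
# Added example: enumerate 16-bit WOW tasks inside every NTVDM via vdmdbg.dll.
# Assumes 32-bit Windows (NTVDM present) and a 32-bit PowerShell process.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class Vdm16   // example class name, not part of any Microsoft API
{
    // Callback signatures from vdmdbg.h. Return FALSE to continue, TRUE to stop.
    public delegate bool ProcessEnumProc(uint dwProcessId, uint dwAttributes, IntPtr lpUserDefined);
    public delegate bool TaskEnumProcEx(uint dwThreadId, ushort hMod16, ushort hTask16,
        [MarshalAs(UnmanagedType.LPStr)] string pszModName,
        [MarshalAs(UnmanagedType.LPStr)] string pszFileName,
        IntPtr lpUserDefined);

    // Returns the number of WOW VDMs enumerated.
    [DllImport("vdmdbg.dll")]
    static extern int VDMEnumProcessWOW(ProcessEnumProc fp, IntPtr lparam);

    // Returns the number of 16-bit tasks enumerated inside the given NTVDM process.
    [DllImport("vdmdbg.dll")]
    static extern int VDMEnumTaskWOWEx(uint dwProcessId, TaskEnumProcEx fp, IntPtr lparam);

    public class Task16
    {
        public uint VdmPid; public uint VdmAttributes; public uint ThreadId;
        public ushort HMod16; public ushort HTask16; public string ModName; public string FileName;
    }

    public static List<Task16> Enumerate()
    {
        var result = new List<Task16>();
        ProcessEnumProc onVdm = delegate (uint pid, uint attrs, IntPtr ctx)
        {
            // One NTVDM process hosts many 16-bit tasks; walk each of them.
            TaskEnumProcEx onTask = delegate (uint tid, ushort hMod, ushort hTask,
                                              string mod, string file, IntPtr ctx2)
            {
                result.Add(new Task16 { VdmPid = pid, VdmAttributes = attrs, ThreadId = tid,
                                        HMod16 = hMod, HTask16 = hTask, ModName = mod, FileName = file });
                return false;   // keep enumerating tasks
            };
            VDMEnumTaskWOWEx(pid, onTask, IntPtr.Zero);
            GC.KeepAlive(onTask);   // the delegate must outlive the native call
            return false;           // keep enumerating VDMs
        };
        VDMEnumProcessWOW(onVdm, IntPtr.Zero);
        GC.KeepAlive(onVdm);
        return result;
    }
}
'@
Add-Type -TypeDefinition $src

function Get-Wow16Task {
    # vdmdbg.dll and NTVDM only exist for 32-bit Windows; a 64-bit host cannot load them.
    if ([IntPtr]::Size -ne 4) {
        throw "Run this from a 32-bit PowerShell on 32-bit Windows; NTVDM is not available to 64-bit processes."
    }
    [Vdm16]::Enumerate() | ForEach-Object {
        [pscustomobject]@{
            NtvdmPid   = $_.VdmPid
            VdmAttribs = ('0x{0:X8}' -f $_.VdmAttributes)
            ThreadId   = $_.ThreadId
            hTask16    = ('0x{0:X4}' -f $_.HTask16)
            Module     = $_.ModName
            Image      = $_.FileName   # full path of the 16-bit executable
        }
    }
}

# Usage: run while the 16-bit application is up, exactly as r-k noted for Process Explorer.
Get-Wow16Task | Format-Table -AutoSize
```

The Image column is the piece the lower pane was not giving you: the path of the 16-bit executable NTVDM is running. To recover the launcher's original start-up string you still need to observe the launcher itself at the moment it calls into NTVDM, as the asker suggests in the last post.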