Delta526

asked on

NTVDM and Process Explorer

Can anyone help me understand how to read NTVDM.exe in Process Explorer? I'm trying to see the command that was sent to NTVDM.exe and any handles or DLLs, but I cannot see anything. Why is NTVDM protected?

Thanks for any info!
mahesh1402

I think you need to use the VDMEnumProcessWOW API from VDMDBG.dll, which enumerates all of the VDMs in the system (that is, each instance of NTVDM.EXE). For each VDM, the API invokes a callback function that you define. The primary parameter to the callback function is the process ID for the particular instance of NTVDM.EXE.

Look at this MSJ article with source:
http://www.microsoft.com/msj/0898/hood0898.aspx

Also:
http://www.winterdom.com/dev/ptk/16bitproc.html

For how to use VDMEnumProcessWOW, see:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q182559&ID=KB;EN-US;Q182559

Hope this helps
-MAHESH
Delta526

ASKER

This sounds good, let me read for a moment.

I am not quite sure what you mean. When I run a 16-bit program and then run Process Explorer, and click once on ntvdm.exe, it gives a fair amount of information in the lower window, including the name of the 16-bit executable, the DLLs in use, plus a lot more.

Of course the 16-bit program has to be running at the time.

r-k,

You say you can see the name of the 16-bit executable? I must be looking in the wrong place or I am not understanding Process Explorer. I'm seeing ntvdm but not what ntvdm is doing. The application I am trying to watch is a third-party application launcher that launches 16-bit applications. What I want to do is see the command string that this application launcher used to start ntvdm. The reason I want to see these strings is because I want to launch these 16-bit applications from the command line. I might add that some of the applications in the launcher are 32-bit apps, and Process Explorer showed me the start-up string and I am using it to start the apps. It is the 16-bit applications that the launcher starts into ntvdm that don't show in Process Explorer. When a 16-bit app is launched, Process Explorer just shows ntvdm starting with no information about how it was started. Hmmm, any ideas??
Did you try (in Process Explorer from menu bar):

 View -> Show Lower pane

then click once on NTVDM in the process list in the upper pane.

My version of Process Explorer is a bit old (v9.25) so there might be some differences. The executable name shows as the only .exe file in use by NTVDM in the lower pane.

This may not be enough to show the entire command line, however.
That way you will be able to see handles and thread IDs.

As I said above the only way to enumerate 16 bit processes under NTVDM is through the Virtual DOS Machine Debug API (VDMDBG.DLL) using VDMEnumProcessWOW API.

-MAHESH
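To go with the VDMEnumProcessWOW suggestion (here and in the first answer) and with the asker's real goal of seeing what the launcher actually started, here is an added example in PowerShell. It is not code from the thread or from the MSJ/KB articles linked above. Part 1 lists each ntvdm.exe with its own command line and its parent's command line through WMI, which is what Process Explorer's command-line column would show. Part 2 P/Invokes VDMEnumProcessWOW and VDMEnumTaskWOWEx from VDMDBG.dll to list the 16-bit tasks (module name and file name) running inside each VDM. Assumptions: 32-bit Windows with NTVDM present (vdmdbg.dll and ntvdm.exe do not exist on 64-bit Windows), a 32-bit PowerShell session, and native prototypes as declared in vdmdbg.h (PROCESSENUMPROC, TASKENUMPROCEX; a callback returns TRUE to stop the enumeration, and WOW_SYSTEM = 0x0001 in dwAttributes marks the shared WOW VDM). Run it as Administrator to see VDMs owned by other users.

```powershell
# Added example, not from the thread. Requires 32-bit Windows with NTVDM
# (vdmdbg.dll and ntvdm.exe do not exist on 64-bit Windows) and a 32-bit
# PowerShell session. Run elevated to see VDMs belonging to other users.

# Part 1: the command lines Process Explorer would show, via WMI.
# ntvdm.exe's own command line normally does not name the 16-bit program;
# the parent's command line is the launcher's, which is what the asker wants.
Get-CimInstance Win32_Process -Filter "Name = 'ntvdm.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        NtvdmPid      = $_.ProcessId
        NtvdmCmdLine  = $_.CommandLine
        ParentName    = $parent.Name
        ParentCmdLine = $parent.CommandLine
    }
} | Format-List

# Part 2: enumerate the 16-bit tasks inside each VDM with the VDM debug API.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class VdmDbg
{
    // Prototypes follow vdmdbg.h (PROCESSENUMPROC, TASKENUMPROCEX).
    // A callback returns true to stop the enumeration, false to continue.
    public delegate bool ProcessEnumProc(uint dwProcessId, uint dwAttributes, IntPtr lpUserDefined);
    public delegate bool TaskEnumProcEx(uint dwThreadId, ushort hMod16, ushort hTask16,
        [MarshalAs(UnmanagedType.LPStr)] string pszModName,
        [MarshalAs(UnmanagedType.LPStr)] string pszFileName, IntPtr lpUserDefined);

    [DllImport("vdmdbg.dll")]
    public static extern int VDMEnumProcessWOW(ProcessEnumProc fp, IntPtr lparam);
    [DllImport("vdmdbg.dll")]
    public static extern int VDMEnumTaskWOWEx(uint dwProcessId, TaskEnumProcEx fp, IntPtr lparam);

    public const uint WOW_SYSTEM = 0x0001;  // dwAttributes flag: the shared system WOW VDM
}
"@

$script:tasks = New-Object System.Collections.Generic.List[object]
$script:currentVdm = 0
$script:currentShared = $false

# Called once per 16-bit task of the VDM passed to VDMEnumTaskWOWEx.
$script:taskCallback = [VdmDbg+TaskEnumProcEx]{
    param($threadId, $hMod16, $hTask16, $modName, $fileName, $userData)
    $script:tasks.Add([pscustomobject]@{
        VdmPid    = $script:currentVdm
        SharedWow = $script:currentShared
        ThreadId  = $threadId
        Module    = $modName
        File      = $fileName
    })
    return $false   # false = keep enumerating
}

# Called once per ntvdm.exe instance; descends into that VDM's task list.
$script:processCallback = [VdmDbg+ProcessEnumProc]{
    param($vdmPid, $attributes, $userData)
    $script:currentVdm = $vdmPid
    $script:currentShared = (($attributes -band [VdmDbg]::WOW_SYSTEM) -ne 0)
    $null = [VdmDbg]::VDMEnumTaskWOWEx([uint32]$vdmPid, $script:taskCallback, [IntPtr]::Zero)
    return $false   # false = keep enumerating
}

$vdmCount = [VdmDbg]::VDMEnumProcessWOW($script:processCallback, [IntPtr]::Zero)
"VDMs found: $vdmCount"
$script:tasks | Format-Table -AutoSize
```

The reason the process list is not enough: every 16-bit program started into the shared WOW runs as a task inside one ntvdm.exe, so neither the process list nor ntvdm's command line tells you which 16-bit programs are actually running. The task enumeration in Part 2 does, which matters as much for incident response as for the asker's launcher question. If Part 1 shows the launcher's command line contains only the launcher's own arguments, the 16-bit target was chosen internally, and Part 2 (or a file-activity monitor on the launcher) is the way to find it.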
r-k,
my ver is pretty much the same, there just is nothing in the lower pane for NTVDM.

-MAHESH
I guess I was looking for something easy, but I think this API is my only hope of seeing the command that started the VDM. Give me a bit to see if I can build something with this API. I hope I'm not going about this the wrong way by trying to talk to ntvdm when all I want to see is what command started ntvdm. Perhaps if this doesn't work my question should be how to monitor the 32-bit app launcher.
Odd. Are you logged in as an Administrator?

Also, note that in the View menu, you can select "Lower Pane View" and choose between DLLs or Handles.
ASKER CERTIFIED SOLUTION
mahesh1402