开发者

How does Process Explorer enumerate all process names from an XP Guest account?

I'm attempting to enumerate all running process EXE names, and have stumbled when attempting this on the XP Guest account. I am able to enumerate all Process IDs using EnumProcesses, but when I attempt OpenProcess with PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, the function fails.

I fired up Process Explorer under the XP Guest account, and it was able to enumerate all process names (though as expected, most other information from processes outside the Guest user-space was not present).

So, m开发者_JAVA百科y question is, how can I duplicate the Process Explorer magic to get the process names of services and other processes running outside the Guest account user-space?


I suppose that the Process Explorer use NtQuerySystemInformation with parameter SystemProcessInformation to get the list of processes. For the code example see my old answer. Additionally the function NtQueryInformationProcess will be used to get additional information.

By the way, if you start Process Explorer under Dependency Walker (menu "Profile" / "Start Profiling" or F7) then you will see all functions which Process Explorer really use from NTDLL.DLL. You can see that NtQuerySystemInformation and NtQueryInformationProcess will be really used.


NtQuerySystemInformation is only barely documented and "may be altered or unavailable in future versions of Windows" CreateToolhelp32Snapshot is fully documented and should give you the image name.


When a process starts, it is assigned a basic set of access privileges. Certain API calls require additional privileges to complete successfully. Specifically, OpenProcess can require the SeDebugPrivilege privilege in certain cases. You can find an example of how to modify your process token to enable additional privileges here: Enabling and Disabling Privileges in C++.


GetProcessImageFileName only needs PROCESS_QUERY_LIMITED_INFORMATION starting with Vista, but on XP it does need PROCESS_QUERY_INFORMATION.

You shouldn't need, and definitely shouldn't be able to get from a guest account, PROCESS_VM_READ.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜