Best way to get filename associated with an Application ID?

  • Question

  • If you don't know the file name associated with an Application ID what is the best way to get it?

    I know there is an FwpmGetAppIdFromFileName() function, but you would have to call that function for every file on the computer until you found what you were looking for?


    • Edited by Ritual Sunday, August 12, 2012 2:18 AM
    Saturday, August 11, 2012 1:40 PM

Answers

  • The APP_ID contains the filename,

         APP_ID = \device\harddiskvolume2\windows\system32\svchost.exe

    so the filename is svchost.exe

    You can easily parse it out if you so desire.

    If you give C:\Windows\System32\svchost.exe to FwpmGetAppIdFromFileName(), then you would get something like \device\harddiskvolume2\windows\system32\svchost.exe in the FWP_BYTE_BLOB.data.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Sunday, August 12, 2012 1:54 AM
    Moderator
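
Parsing the file name out of an app ID, as the answer above suggests, shown as an added example that is not part of the original thread or Microsoft's code. It assumes the blob holds a UTF-16LE device path, with or without a terminator; `app_id_blob`, `unit_at`, `app_id_filename` and `widen` are hypothetical names, with `app_id_blob` standing in for FWP_BYTE_BLOB so the code builds without the Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FWP_BYTE_BLOB (UINT32 size; UINT8 *data); hypothetical name. */
typedef struct { uint32_t size; const uint8_t *data; } app_id_blob;

static uint16_t unit_at(const app_id_blob *id, size_t i)   /* one UTF-16LE code unit */
{
    return (uint16_t)(id->data[2 * i] | (id->data[2 * i + 1] << 8));
}

/* Copies the last path component of the app ID into out (non-ASCII units
   become '?'). Returns its length, or -1 on malformed input or no room. */
int app_id_filename(const app_id_blob *id, char *out, size_t out_len)
{
    if (!id || !id->data || !out || out_len == 0) return -1;
    if (id->size < 2 || id->size % 2 != 0) return -1;  /* whole code units only */
    size_t units = id->size / 2, start = 0, end = 0;
    for (; end < units && unit_at(id, end) != 0; end++)  /* stop at NUL or blob end */
        if (unit_at(id, end) == '\\') start = end + 1;

    size_t n = end - start;
    if (n == 0 || n >= out_len) return -1;  /* trailing '\' or buffer too small */
    for (size_t i = 0; i < n; i++) {
        uint16_t c = unit_at(id, start + i);
        out[i] = c < 0x80 ? (char)c : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* Builds constructed sample input: ASCII widened to UTF-16LE plus terminator. */
uint32_t widen(const char *s, uint8_t *buf, size_t cap)
{
    size_t i = 0;
    for (; s[i] && 2 * i + 3 < cap; i++) { buf[2 * i] = (uint8_t)s[i]; buf[2 * i + 1] = 0; }
    buf[2 * i] = buf[2 * i + 1] = 0;
    return (uint32_t)(2 * i + 2);
}

int main(void)
{
    uint8_t raw[256]; char name[64];
    app_id_blob id = { 0, raw };
    id.size = widen("\\device\\harddiskvolume2\\windows\\system32\\svchost.exe", raw, sizeof raw);
    if (app_id_filename(&id, name, sizeof name) > 0) printf("%s\n", name);
    return 0;
}
```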

All replies

  • Thank You,

    • Edited by Ritual Thursday, August 30, 2012 2:09 AM cleaned up the thank you
    Sunday, August 12, 2012 2:18 AM