Processes Info API ?

Question

  • From kernel mode, which API can I use to retrieve information about a process from a process ID?
    Thursday, January 14, 2016 5:31 AM

Answers

  • No, they do give you the process ID; they tell you that a process has been created/terminated (PsSetCreateProcessNotifyRoutineEx) and what executable image files are loaded for it (PsSetLoadImageNotifyRoutine). The first executable file loaded after process creation is the process's executable.

    There are no documented approaches other than the above for doing this; there are plenty of ways that people talk about, many of which crash the system and do other nasty things.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Thomas Hopes Thursday, January 14, 2016 6:31 PM
    Thursday, January 14, 2016 6:29 PM
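The bookkeeping the accepted answer implies, as a constructed example added here (not code from the thread, from Don Burn, or from the WDK): a small PID table filled by the create/terminate and image-load callbacks so that the executable path can later be looked up by PID. The callback bodies are plain C functions with hypothetical names, and the registration with PsSetCreateProcessNotifyRoutineEx and PsSetLoadImageNotifyRoutine is left to the driver, so the logic compiles and runs without kernel headers; the table size and path length are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the bookkeeping a driver would keep inside the callbacks
 * it registers with PsSetCreateProcessNotifyRoutineEx and PsSetLoadImageNotifyRoutine.
 * The callback bodies are plain functions so the logic runs without the WDK. */
#define MAX_PROCS 64
#define MAX_PATH_LEN 260

typedef struct {
    bool in_use;
    unsigned long pid;
    char exe[MAX_PATH_LEN]; /* empty until the first image load arrives */
} ProcRecord;
static ProcRecord g_table[MAX_PROCS];

static ProcRecord *find_record(unsigned long pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_table[i].in_use && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}
/* Create/terminate notification: on create, reserve a record with no executable
 * yet; on terminate, release it. Returns false only when the table is full. */
bool on_process_notify(unsigned long pid, bool create) {
    ProcRecord *rec = find_record(pid);
    if (!create) { if (rec) rec->in_use = false; return true; }
    if (rec) return true; /* duplicate create for a live PID: keep the record */
    for (int i = 0; i < MAX_PROCS; i++) {
        if (g_table[i].in_use) continue;
        g_table[i].in_use = true; g_table[i].pid = pid; g_table[i].exe[0] = '\0';
        return true;
    }
    return false;
}
/* Image-load notification: the first image after creation is the executable;
 * later loads (ntdll.dll and other DLLs) are ignored, as are loads for
 * processes the driver never saw being created (they predate the driver). */
void on_image_load(unsigned long pid, const char *image_path) {
    ProcRecord *rec = find_record(pid);
    if (!rec || rec->exe[0] != '\0') return;
    strncpy(rec->exe, image_path, MAX_PATH_LEN - 1);
    rec->exe[MAX_PATH_LEN - 1] = '\0';
}
/* The lookup the question asks for: executable path for a PID, or NULL. */
const char *exe_for_pid(unsigned long pid) {
    ProcRecord *rec = find_record(pid);
    return (rec && rec->exe[0] != '\0') ? rec->exe : NULL;
}
```

A process that was already running when the driver loaded never gets a record, so the lookup returns NULL for it rather than a guess.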

All replies

  • What bigger problem are you trying to solve?

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, January 14, 2016 6:09 AM
  • I am building a security tool. So.
    Thursday, January 14, 2016 5:44 PM
  • That does not help; I have collected data for security tools and no two of them wanted the same thing. Do you want the process executable, or privileges, or processor utilization, or what?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, January 14, 2016 5:52 PM
  • The process executable from its PID.
    Thursday, January 14, 2016 6:03 PM
  • The safest way to do this is track the creation of the processes and the loading of the executable files with PsSetCreateProcessNotifyRoutineEx and PsSetLoadImageNotifyRoutine.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, January 14, 2016 6:17 PM
  • Yes, I know about these APIs, but they give the process ID, and I want to extract information from the process ID.

    That's why I need an API which will do that job.

    Thursday, January 14, 2016 6:24 PM
  • I found some people using undocumented APIs. And I think it can easily crash the OS.

    Thursday, January 14, 2016 8:00 PM