
Just curious, say, if I enumerate all processes running in a user's session, is there any way to tell which are Windows system processes (such as explorer.exe, taskhost.exe, dwm.exe, etc.) and which are processes started by a user?

ahmd0
    See http://stackoverflow.com/questions/185254/how-can-a-win32-process-get-the-pid-of-its-parent for several approaches to querying a process's parent, which I think will be the best approach for this. There's no "started by system" attribute that you can query. – HerrJoebob Nov 20 '12 at 18:40
  • Good point. So what parent process should I be looking for? – ahmd0 Nov 20 '12 at 18:55
  • Also, on the side, I'm not sure which of Microsoft's own admin tools allows isolating "Microsoft-only" processes. Can't think of which one; it might be Services Manager. So they must know somehow... – ahmd0 Nov 20 '12 at 18:56
  • Could you refine your question? Explorer.exe is often running in the background under the user's name, even if it's not yet launched by the user, and if the user then starts explorer on his own, you see the same process - you can't call it a "system process". Do you possibly want to know the username (including `system`) under which each process was started? This can be done. – Stan Nov 20 '12 at 20:38
  • I see your logic; it's hard to see what started what, although I don't think you can start more than a single explorer.exe per user session. In my case I'm interested in processes started from an interactive user session N, so "system" would not work... – ahmd0 Nov 20 '12 at 20:42
  • You can use [WMI](http://msdn.microsoft.com/ru-ru/library/windows/desktop/aa394599(v=vs.85).aspx) to list all processes, including accounts they have been started from, then check again with [WMI](http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx) what is a type of each account. – Stan Nov 20 '12 at 20:55
  • @ahmd0 The "Services" tab of `msconfig.exe` – ChrisW Nov 20 '12 at 20:58
  • @ChrisW: So is it something specific for services then? – ahmd0 Nov 20 '12 at 22:00
  • I've been playing with what HerrJoebob suggested -- get the parent process and go up the tree. I'd use this approach though: http://www.codeguru.com/cpp/w-p/win32/article.php/c1437/Retrieving-the-parent-of-a-process-WinNT.htm then, when you hit the explorer process for the user session (whose ID can easily be found beforehand), this is a user-started process. I don't think an interactive user can start a process other than through Windows Explorer at its core, am I wrong on this one? – ahmd0 Nov 20 '12 at 22:01
  • @Stan: I'm not a big fan of WMI. That is a heck of a slow thing... – ahmd0 Nov 20 '12 at 22:06
  • I don't think WMI is too slow for getting a list of tens of processes - at least you'll get a solid solution for your task. Your current approach seems also OK. Just bear in mind that autorun processes (not necessarily interactive) also have explorer as their parent. – Stan Nov 21 '12 at 08:10
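The parent-walk approach the comments converge on, written out as an added example (not code from the question or from any commenter). It classifies a process as user-started when walking its parent chain reaches the explorer.exe of the given session, with two checks a plain walk lacks: every ancestor must live in the same session, and a visited-set stops parent-PID cycles. Both guard against recycled PIDs, since Windows records a parent PID at creation and never updates it, so a long-lived process can end up pointing at an unrelated newer process that took the same PID (the fully reliable check compares the parent's creation time with the child's via GetProcessTimes; the session check here is a cheap approximation). The constructed `SAMPLE_SNAPSHOT`, the `Proc` record and the helper names are my own assumptions; it also includes an autorun child of explorer to show Stan's caveat that such processes look user-started to this method. `windows_snapshot()` builds a live snapshot with Toolhelp32 and ProcessIdToSessionId and only runs on Windows; the classifier itself runs anywhere.

```python
"""Tell user-started processes from system ones by walking each process's
parent chain up to the session's explorer.exe.  Added example; the Proc record,
the constructed SAMPLE_SNAPSHOT and the helper names are assumptions.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # parent PID as recorded at creation; never updated, may be recycled
    name: str
    session: int   # 0 = services, N = interactive logon session


# Constructed sample, not captured from a real machine (smss.exe omitted).
# PID 1200 is reused on purpose: svchost 404 (session 0) carries a stale ppid
# that now belongs to the session-1 cmd.exe; a naive walk would call it user-started.
SAMPLE_SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", 0),
    Proc(600, 4, "wininit.exe", 0),
    Proc(700, 600, "services.exe", 0),
    Proc(404, 1200, "svchost.exe", 0),
    Proc(900, 4, "winlogon.exe", 1),
    Proc(1500, 900, "dwm.exe", 1),
    Proc(1000, 900, "userinit.exe", 1),
    Proc(1100, 1000, "explorer.exe", 1),
    Proc(1200, 1100, "cmd.exe", 1),
    Proc(1300, 1200, "python.exe", 1),
    Proc(1400, 1100, "OneDrive.exe", 1),   # autorun entry: also a child of explorer
]


def shell_pid(snapshot: List[Proc], session: int) -> Optional[int]:
    """PID of explorer.exe in the given session (one shell per interactive session)."""
    for p in snapshot:
        if p.session == session and p.name.lower() == "explorer.exe":
            return p.pid
    return None


def started_from_shell(snapshot: List[Proc], pid: int, session: int) -> bool:
    """True if `pid` descends from the session's explorer.exe.

    Every ancestor must sit in the same session (a recycled ppid pointing into
    another session ends the walk instead of lying) and a visited-set protects
    against ppid cycles that PID reuse can also create.
    """
    by_pid: Dict[int, Proc] = {p.pid: p for p in snapshot}
    shell = shell_pid(snapshot, session)
    cur = by_pid.get(pid)
    if shell is None or cur is None or pid == shell:
        return False   # no shell in that session, unknown pid, or explorer itself
    seen = set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.session != session:
            return False
        if cur.pid == shell:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def classify(snapshot: List[Proc], session: int) -> Dict[int, bool]:
    """pid -> started-via-shell for every process in `session`."""
    return {p.pid: started_from_shell(snapshot, p.pid, session)
            for p in snapshot if p.session == session}


def windows_snapshot() -> List[Proc]:
    """Live snapshot via Toolhelp32 (gives th32ParentProcessID) + ProcessIdToSessionId."""
    if sys.platform != "win32":
        raise OSError("windows_snapshot() requires Windows")
    import ctypes
    from ctypes import wintypes

    class PROCESSENTRY32(ctypes.Structure):   # ANSI layout, matches Process32First
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_void_p),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", ctypes.c_char * 260)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes, fn.restype = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)], wintypes.BOOL
    k32.ProcessIdToSessionId.argtypes = [wintypes.DWORD, wintypes.LPDWORD]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    snap = k32.CreateToolhelp32Snapshot(0x2, 0)   # TH32CS_SNAPPROCESS
    if not snap or snap == ctypes.c_void_p(-1).value:   # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    procs: List[Proc] = []
    try:
        entry = PROCESSENTRY32()
        entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            sess = wintypes.DWORD(0xFFFFFFFF)   # left as "unknown" if the lookup fails (e.g. PID 0)
            k32.ProcessIdToSessionId(entry.th32ProcessID, ctypes.byref(sess))
            procs.append(Proc(entry.th32ProcessID, entry.th32ParentProcessID,
                              entry.szExeFile.decode(errors="replace"), sess.value))
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return procs
```

On a real machine, `classify(windows_snapshot(), session)` with the session id of the interactive logon (`ProcessIdToSessionId` on your own PID gives it) yields the split the question asks for; processes that explorer launched at logon from Run keys or the Startup folder will still come out as "user-started", which is exactly the limitation Stan points out.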

0 Answers