How to check if a program is using .NET?

Question

Can we check if a running application or a program uses .Net framework to execute itself?

Crank up Process Monitor and if the executable is highlighted yellow it's a managed application. Hurr. — , Jan 17 '10 at 05:20

Igal Tabachnik · Accepted Answer · 2011-02-20T06:46:38.387

51

There's a trick I once learned from Scott Hanselman's list of interview questions. You can easily list all programs running .NET in command prompt by using:

tasklist /m "mscor*"

It will list all processes that have mscor* amongst their loaded modules.

We can apply the same method in code:

public static bool IsDotNetProcess(this Process process)
{
  var modules = process.Modules.Cast<ProcessModule>().Where(
      m => m.ModuleName.StartsWith("mscor", StringComparison.InvariantCultureIgnoreCase));

  return modules.Any();
}

edited Feb 20 '11 at 06:46

answered Jan 17 '10 at 06:16

Igal Tabachnik

31,174
15
92
157

3

Note this does leave out possible Mono processes. – Dykam Jan 17 '10 at 07:51
@Dykam Isn't mono's runtime also called mscorlib.dll ? – Igal Tabachnik Jan 17 '10 at 08:04
2

The runtime is just `mono`. Or `mono.exe` on windows. .Net uses PE to let the OS use mscorlib.dll to start the app, but mono doesn't do such a trick. And the real core lib is called corlib.dll I think, as it isn't MS's corlib. – Dykam Jan 17 '10 at 08:19
4

I don't think this will work anymore for .NET 4.0, the DLLs were renamed. You'll also get false positives for apps that host the CLR, Visual Studio for example. – Hans Passant Jan 17 '10 at 09:51
1

The .NET 4.0 runtime is called clr.dll. – Brian Rasmussen Jan 17 '10 at 14:35
I tried this, though the process was displayed in the list, IL Disassembler says its not a valid .net assembly. – Mohib Sheth May 07 '12 at 09:57
Nice trick! But what is with .NET Core applications? I made some tests by myself converting a .net windows application into a .net core application, and the difference seems that .net core uses "System.Runtime.dll" (`tasklist /m "System.Runtime.dll"`), while .net uses "MSCOREE.DLL" (`tasklist /m "mscor*"`). You can try it yourself: `tasklist /M | find "YourAppName"` finds both versions of your application while they are running. – Matt Feb 14 '20 at 12:18
Addition: To get both in one command line, I found you can use: `tasklist /FI "modules EQ MSCORE*" & tasklist /FI "modules EQ System.Runtime.dll"` - this will list the .NET applications first, then the .NET Core applications. – Matt Feb 14 '20 at 12:27

score 11 · Answer 2 · edited Dec 27 '16 at 08:00

11

Use the CLR COM interfaces ICorPublish and ICorPublishProcess. The easiest way to do this from C# is to borrow some code from SharpDevelop's debugger, and do the following:

ICorPublish publish = new ICorPublish();
ICorPublishProcess process;

process = publish.GetProcess(PidToCheck);

if (process == null || !process.IsManaged)
{
    // Not managed.
}
else
{
    // Managed.
}

edited Dec 27 '16 at 08:00

stakx - no longer contributing

83,039
20
168
268

answered Jan 17 '10 at 08:13

wj32

8,053
3
28
37

I was wondering, if you do this from C#, under which conditions will this check report "not managed"? – stakx - no longer contributing Dec 27 '16 at 08:01
It seems that it will only consider managed those processes that have the same CLR used - https://social.msdn.microsoft.com/Forums/en-US/fac08eee-001d-4566-b1e7-fda1ddbc37e7/icorpublishgetprocess-throws-systemargumentexception-value-does-not-fall-within-the-expected?forum=netfxtoolsdev. So one should be careful with it. – Eugene Podskal Jan 11 '17 at 11:55

score 8 · Answer 3 · answered Jan 17 '10 at 05:18

8

Use System.Reflection.Assembly.LoadFrom function to load the .exe file. This function will throw exception if you try to load binary file that is not .NET assembly.

answered Jan 17 '10 at 05:18

lubos hasko

24,752
10
56
61

5

what difference does it make? running application doesn't have .exe file? – lubos hasko Jan 17 '10 at 05:21
In that case, please show him how to find the EXE file corresponding to the running program; and show him how to deal with the possibility his process can't get read access to the .EXE file. – John Saunders Jan 17 '10 at 05:35
2

Yes, you are right, my answer is not complete and bulletproof and I'm sorry for sarcastic comment. – lubos hasko Jan 17 '10 at 06:27
This doesn't work if the hosting process is x64 and the exe is x86 only. – Drakarah Jun 23 '12 at 10:57

score 7 · Answer 4 · answered Feb 09 '12 at 15:58

7

I know this is about a million years too late, but in case it helps - my favourite method to figure out if an exe is using .net is to run MSIL disassembler against it which comes with .net SDK. If a .net exe you indeed have, you'll get a nice graphical breakdown of its contents; if a plain old win32 exe it be, you'll get a message telling you so.

answered Feb 09 '12 at 15:58

Dan

71
1
1

Good answer. Specifically, run ILDASM.EXE, which is automatically installed with Visual Studio. See: http://msdn.microsoft.com/en-us/library/f7dy01k1(v=vs.110).aspx To launch ILDASM from Win8/VS2013: Start -> Visual Studio Tools --> Developer Command Prompt for VS2013. From Win8/VS2012: Start -> Developer Command -> Developer Command Prompt for VS2012. From Win7: All Programs -> Microsoft Visual Studio -> Visual Studio Tools -> Visual Studio Command Prompt. – Neil Schaper Aug 19 '14 at 23:24

stephbu · Answer 5 · 2010-01-17T05:38:48.113

Programmatically you'd get the starting image name using Win32 API like NtQueryInformationProcess, or in .Net use System.Diagnostics.Process.GetProcesses() and read Process.StartInfo.FileName.

Then open and decode the PE headers of that image using details prescribed in the MSDN article below:

http://msdn.microsoft.com/en-us/magazine/cc301808.aspx

Caveats: will only detect .NET built assemblies e.g. won't detect Win32 EXEs dynamically hosting CLR using CorHost APIs.

score 3 · Answer 6 · answered Jul 25 '18 at 07:30

A list of running .NET processes is available in Performance Monitor. Just run perfmon and in the Monitoring Tools >> Performance Monitor click + Icon or press Ctrl+N. In the list of available counters, at the beginning of the list find .NET CLR Jit and select a sub item. You will see a list of .NET process in Instances of selected object list.

If you want a method in C# without running your app in Administrator mode, there is solution introduced by Process Hacker tool.

According to Process Hacker / .NET Tools / native.c :

Most .NET processes have a handle open to a section named \BaseNamedObjects\Cor_Private_IPCBlock(v4)<ProcessId>. This is the same object used by the ICorPublish::GetProcess function. Instead of calling that function, we simply check for the existence of that section object. This means: * Better performance. * No need for admin rights to get .NET status of processes owned by other users.

Getting a list of Process handles in C# is a bit of hard work. Instead you can download the DotNetTools.dll from Process Hacker plugins folder and create an extern method to use PhGetProcessIsDotNet function.

score 2 · Answer 7 · answered Jan 17 '10 at 14:31

2

I suggest downloading the Redgate's DotNetReflector and checking if it can open the application.

answered Jan 17 '10 at 14:31

How to check if a program is using .NET?

7 Answers7

Linked

Related