1

As the title says I want to find a system's process path from PID. I have seen several threads like this: get the full path from a PID using delphi and googled a lot.

I have tried many functions but all are working only for 32-bit processes.

Is there any way to find the path of a 64-bit process using the PID??

Community
  • 1
  • 1
maria
  • 25
  • 2
  • 7

3 Answers3

10
type
  TQueryFullProcessImageNameW = function(AProcess: THANDLE; AFlags: DWORD;
    AFileName: PWideChar; var ASize: DWORD): BOOL; stdcall;
  TGetModuleFileNameExW = function(AProcess: THANDLE; AModule: HMODULE;
    AFilename: PWideChar; ASize: DWORD): DWORD; stdcall;

function IsWindows200OrLater: Boolean;
begin
  Result := Win32MajorVersion >= 5;
end;

function IsWindowsVistaOrLater: Boolean;
begin
  Result := Win32MajorVersion >= 6;
end;

var
  PsapiLib: HMODULE;
  GetModuleFileNameExW: TGetModuleFileNameExW;

procedure DonePsapiLib;
begin
  if PsapiLib = 0 then Exit;
  FreeLibrary(PsapiLib);
  PsapiLib := 0;
  @GetModuleFileNameExW := nil;
end;

procedure InitPsapiLib;
begin
  if PsapiLib <> 0 then Exit;
  PsapiLib := LoadLibrary('psapi.dll');
  if PsapiLib = 0 then RaiseLastOSError;
  @GetModuleFileNameExW := GetProcAddress(PsapiLib, 'GetModuleFileNameExW');
  if not Assigned(GetModuleFileNameExW) then
    try
      RaiseLastOSError;
    except
      DonePsapiLib;
      raise;
    end;
end;

function GetFileNameByProcessID(AProcessID: DWORD): UnicodeString;
const
  PROCESS_QUERY_LIMITED_INFORMATION = $00001000; //Vista and above
var
  HProcess: THandle;
  Lib: HMODULE;
  QueryFullProcessImageNameW: TQueryFullProcessImageNameW;
  S: DWORD;
begin
  if IsWindowsVistaOrLater then
    begin
      Lib := GetModuleHandle('kernel32.dll');
      if Lib = 0 then RaiseLastOSError;
      @QueryFullProcessImageNameW := GetProcAddress(Lib, 'QueryFullProcessImageNameW');
      if not Assigned(QueryFullProcessImageNameW) then RaiseLastOSError;
      HProcess := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, AProcessID);
      if HProcess = 0 then RaiseLastOSError;
      try
        S := MAX_PATH;
        SetLength(Result, S + 1);
        while not QueryFullProcessImageNameW(HProcess, 0, PWideChar(Result), S) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) do
          begin
            S := S * 2;
            SetLength(Result, S + 1);
          end;
        SetLength(Result, S);
        Inc(S);
        if not QueryFullProcessImageNameW(HProcess, 0, PWideChar(Result), S) then
          RaiseLastOSError;
      finally
        CloseHandle(HProcess);
      end;
    end
  else
    if IsWindows200OrLater then
      begin
        InitPsapiLib;
        HProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, AProcessID);
        if HProcess = 0 then RaiseLastOSError;
        try
          S := MAX_PATH;
          SetLength(Result, S + 1);
          if GetModuleFileNameExW(HProcess, 0, PWideChar(Result), S) = 0 then
            RaiseLastOSError;
          Result := PWideChar(Result);
        finally
          CloseHandle(HProcess);
        end;
      end;
end;


initialization
  PsapiLib := 0;

finalization
  DonePsapiLib;

Example of usage:

procedure EnumProcesses(AStrings: TStrings);
var Snapshot: THandle;
    Entry: TProcessEntry32;
    Found: Boolean;
    Count: Integer;
begin
    Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (Snapshot = INVALID_HANDLE_VALUE) or (Snapshot = 0) then Exit;
    try
      ZeroMemory(@Entry, SizeOf(Entry));
      Entry.dwSize := SizeOf(Entry);
      if Process32First(Snapshot, Entry) then
        repeat
          try
            AStrings.Add(GetFileNameByProcessID(Entry.th32ProcessID));
          except
            AStrings.Add('System process #' + IntToStr(Entry.th32ProcessID));
          end;
          ZeroMemory(@Entry, SizeOf(Entry));
          Entry.dwSize := SizeOf(Entry);
        until not Process32Next(Snapshot, Entry);
    finally
      CloseHandle(Snapshot)
    end;
end;

procedure TForm11.FormCreate(Sender: TObject);
begin
  EnumProcesses(ListBox1.Items);
end;

Result (32 bit sample app on Win64 where Explorer is 64 bit app):

enter image description here

Denis Anisimov
  • 3,297
  • 1
  • 10
  • 18
  • Please explain what this code does. Please also confirm that it can obtain info about 64 bit processes when executed under WOW64. – David Heffernan Mar 09 '14 at 18:39
  • +1, thanks for the edit, and bravo. I did not know about `QueryFullProcessImageName`. I'd upvote twice if I could! – David Heffernan Mar 09 '14 at 19:54
  • Yeah! Awesome! But i had to make a change, because i use Delphi 2007 "UnicodeString" isn't defined. So, I replaced it with "WideString" and worked perfectly! Thanks! – maria Mar 10 '14 at 15:07
  • Thank you. Using with Delphi Alexandria and works great :) – Rafael Rossi Jun 28 '22 at 13:11
  • I would like to get the full path of a running firebird database server. It seems to me, that the code requires administrator rights, because in GetFileNameByProcessID() the OpenProcess() call fails with Error code 5 access denied. Is it possible to get the full path of such a process without administrator rights? I use WIndows 10/64 bit and a 32 bit fb server is installed. – malom Nov 29 '22 at 09:36
1

There are no Win32 functions that let you do that from inside the 32 bit emulator (WOW64). You should execute your code in a 64 bit process. Nope, that's not true. Denis proves me wrong. The function you need is QueryFullProcessImageName.

Alternatively you can use WMI. Specifically Win32_Process. Some sample code here: http://theroadtodelphi.wordpress.com/2011/11/06

Borrowing from @RRUZ's example code, here's a short program that prints the PID and executable name for the running processes that can be enumerated using WMI.

{$APPTYPE CONSOLE}

uses
  Variants, ComObj, ActiveX;

const
  wbemFlagForwardOnly = $00000020;
var
  FSWbemLocator : OLEVariant;
  FWMIService   : OLEVariant;
  FWbemObjectSet: OLEVariant;
  FWbemObject   : OLEVariant;
  oEnum         : IEnumVariant;
  iValue        : LongWord;
begin
  CoInitialize(nil);
  FSWbemLocator := CreateOleObject('WbemScripting.SWbemLocator');
  FWMIService := FSWbemLocator.ConnectServer('localhost', 'root\CIMV2', '', '');
  FWbemObjectSet:= FWMIService.ExecQuery('SELECT ExecutablePath, ProcessId FROM Win32_Process','WQL',wbemFlagForwardOnly);
  oEnum := IUnknown(FWbemObjectSet._NewEnum) as IEnumVariant;
  while oEnum.Next(1, FWbemObject, iValue) = 0 do
  begin
    if not VarIsNull(FWbemObject.ExecutablePath) then
      Writeln(string(FWbemObject.ProcessId) + ': ' + string(FWbemObject.ExecutablePath));
    FWbemObject:=Unassigned; //avoid memory leak in oEnum.Next
  end;
end.
David Heffernan
  • 601,492
  • 42
  • 1,072
  • 1,490
  • Using WMI? How exactly? – maria Mar 09 '14 at 17:04
  • Using Win32_Process. But it's easier to use 64 bit code. – David Heffernan Mar 09 '14 at 17:14
  • Unfortunately, I have to use 32 bit code. Sorry, I don't know what to do when you say using Win32_Process, i'm a noobie can you explain me the procedure? I want to implement a function in Delphi. – maria Mar 09 '14 at 17:18
  • Use RRUZ's WMI creator. – David Heffernan Mar 09 '14 at 17:24
  • Ok, i downloaded it and i have to say that it looks intresting, but because i use it for the first time i can't seem to find what i seek. – maria Mar 09 '14 at 17:45
  • Refresh this page, see my updated answer, follow the link, and you have the code you need. Although, I still think you should compile for 64 bit but you are probably using some ancient Delphi, right? – David Heffernan Mar 09 '14 at 17:48
  • @RRUZ Thank you very much for the edit. By the way, aren't these variants managed and ref counted? Or am I way off base. – David Heffernan Mar 09 '14 at 18:45
  • Yes all the variants are ref counted, except for the `FWbemObject` this variable is not released when multiples calls to the `IEnumVariant.Next` method are made, so a memory leak is produced. because that `FWbemObject:=Unassigned;` is necessary. – RRUZ Mar 09 '14 at 18:53
  • @RRUZ Do you know why FWbemObject is treated that way? – David Heffernan Mar 09 '14 at 18:55
  • 2
    This a is a old bug in the `IEnumVariant.Next` method. On this case if the collection returned by a WQL sentence only returns 1 record there is not problem because the `FWbemObject` variable is relased by the code inserted by the compiler (@VarClr), but when more than a record is returned each time which `IEnumVariant.Next` is called the `FWbemObject` variable is leaked. So for prevent that you must release the variable your self before to call the `IEnumVariant.Next` again. – RRUZ Mar 09 '14 at 19:03
0

Seems that it doesn't matter the language, so in C# you could use WMI to get the processes (including 64 bit).

using System.Management;

var wmiQueryString = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
using (var searcher = new ManagementObjectSearcher(wmiQueryString))
using (var results = searcher.Get())
{
    var query = results.Cast<ManagementObject>();
    foreach (var obj in query)
    {
        var filePath = obj.GetPropertyValue("ExecutablePath").Dump();   
    } 
}

You will have to reference System.Management.dll

thepirat000
  • 12,362
  • 4
  • 46
  • 72
  • Is it a Delphi question, or not? Seems like you need to make your mind up. – David Heffernan Mar 09 '14 at 19:00
  • 1
    @David, your comment is rude. First you [`remove the Delphi tag`](http://stackoverflow.com/revisions/22285024/3) [`saying the language is not relevant`](http://stackoverflow.com/questions/22285024/how-to-get-a-systems-process-path-from-pid-in-a-64-bit-system#comment33856777_22285024) and now this ? If the language would not be relevant, why would this not be an answer ? – TLama Mar 09 '14 at 19:31
  • @TLama thepirat000 says both. He says suggests restoring tag and says the language matters. Then writes this answer. Read the comments to the Q. I don't really mind this answer. It shows the necessary query and is readily translated. Of course it neglects to say why WMI is being used rather than Win32. – David Heffernan Mar 09 '14 at 19:35