-3

I need to get the process name from a process ID in Windows, to find the process names associated with a logged event. I am able to get only the Execution process ID from the logged event. A process handle is the required input to use the GetProcessImageFileName() method. I am not able to get a process handle from the logged event.

The duplicate question talks about a currently running process. But I do not need a currently running process, since this is about a logged event. I also have a doubt about whether the processID vs processName combination is unique or not in Windows, so that needs to be considered as well.

I expect that there must be some structure to map process ID to process name. Is there any such structure? Or are there any other methods to get the process image name from a process ID?

Meera
  • What do you mean by the process name? – David Heffernan Aug 07 '15 at 19:12
  • Have you tried `OpenProcess`? You don't need to ask for full access rights when you open it. – Alan Stokes Aug 07 '15 at 19:12
  • Do you mean `GetProcessImageFileName()`? – Alan Stokes Aug 07 '15 at 19:13
  • @DavidHeffernan ProcessImageFileName – Meera Aug 07 '15 at 19:48
  • @AlanStokes as in https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320%28v=vs.85%29.aspx it says "Opens an existing local process object." I can't understand what they mean by "existing local processes". Does it mean a currently running process? And if not, does it return a new handle other than the previous one? – Meera Aug 07 '15 at 20:22
  • Yes it means a running process, as explained in Remy's answer. The id is meaningless after the process exits (and all handles to it are closed). And it returns a new handle (which you later need to close). – Alan Stokes Aug 07 '15 at 20:26
  • The number of distinct process IDs (`DWORD`) is limited. The number of distinct executable images in this galaxy is not. A 1:1 mapping from process ID to executable image is therefore not possible. Apply logical reasoning, and quit being helpless. – IInspectable Aug 08 '15 at 13:23

1 Answer

3

> I need to get process name from process id in windows to find process names associated with a logged event.

If you are getting the Process ID from a log, it will only be valid if the original process is still running. Otherwise, the ID is no longer valid for that process name. If the process has already exited before you read the log, all bets are off.

> I need not currently running process since it talks about logged event.

Then you are out of luck, if the original process name was not logged.

> I have a doubt of whether processID vs processName combination is unique or not in Windows.

A Process ID is unique only while being used for a running process. Once a process ends, its Process ID is no longer valid, and can be re-used for a subsequent new process.

> I expect that there must be some structure to map process id to process name.

Yes, but only for a running process. You can pass the Process ID to OpenProcess(). If successful, it will return a HANDLE to the running process. You can then pass that HANDLE to GetModuleFileName(), GetProcessImageFileName(), or QueryFullProcessImageName(), depending on OS version and permissions you are able to gain from OpenProcess().

Remy Lebeau
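Added example, not part of the original answer: the OpenProcess() route described above, with a guard against PID reuse that compares the process creation time from GetProcessTimes() with the event's timestamp. The names `pid_was_reused` and `image_for_logged_pid` are hypothetical, the event time is assumed to be supplied as FILETIME ticks, and the Win32 part compiles only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Both values are FILETIME ticks (100 ns units since 1601-01-01 UTC).
   A process created after the event cannot be the one that logged it. */
int pid_was_reused(uint64_t process_created, uint64_t event_time)
{
    return process_created > event_time;
}

#ifdef _WIN32
#include <windows.h>
/* Returns 1 and fills path only if the PID can still be opened and its
   process already existed at event_time; returns 0 otherwise. */
int image_for_logged_pid(DWORD pid, uint64_t event_time, char *path, DWORD cch)
{
    FILETIME created, exited, kernel, user;
    int ok = 0;
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (h == NULL) return 0; /* process gone, or access denied */
    if (GetProcessTimes(h, &created, &exited, &kernel, &user)) {
        uint64_t t = ((uint64_t)created.dwHighDateTime << 32) | created.dwLowDateTime;
        if (!pid_was_reused(t, event_time))
            ok = QueryFullProcessImageNameA(h, 0, path, &cch) != 0;
    }
    CloseHandle(h); /* OpenProcess returned a new handle; it must be closed */
    return ok;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    char path[MAX_PATH];
    if (argc != 3)
        return 2; /* usage: <pid> <event time as FILETIME ticks> */
    if (image_for_logged_pid((DWORD)strtoul(argv[1], NULL, 10),
                             strtoull(argv[2], NULL, 10), path, MAX_PATH)) {
        puts(path);
        return 0;
    }
    fputs("PID is not live, not accessible, or was reused after the event\n", stderr);
    return 1;
#else
    (void)argc; (void)argv; /* the Win32 lookup is not built off Windows */
    return 0;
#endif
}
```

A failed lookup only means the name cannot be recovered from the PID any more; as the answer says, the name then has to come from whatever was logged at the time.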