3

I'm attempting to enumerate all running process EXE names, and have stumbled when attempting this on the XP Guest account. I am able to enumerate all Process IDs using EnumProcesses, but when I attempt OpenProcess with PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, the function fails.

I fired up Process Explorer under the XP Guest account, and it was able to enumerate all process names (though as expected, most other information from processes outside the Guest user-space was not present).

So, my question is, how can I duplicate the Process Explorer magic to get the process names of services and other processes running outside the Guest account user-space?

Joe Jordan

4 Answers

3

I suppose that Process Explorer uses NtQuerySystemInformation with the parameter SystemProcessInformation to get the list of processes. For a code example, see my old answer. Additionally, the function NtQueryInformationProcess is used to get additional information.

By the way, if you start Process Explorer under Dependency Walker (menu "Profile" / "Start Profiling", or F7), you will see all the functions that Process Explorer really uses from NTDLL.DLL. You can see that NtQuerySystemInformation and NtQueryInformationProcess are really used.

Oleg
  • Oleg, thanks, this gives me more information about a process and the Process Name stored in UNICODE_STRING is cleaner (at least in VB6) than the string returned in PROCESSENTRY32, which returned a string with null characters and additional nonsense info. – Joe Jordan Jan 17 '11 at 20:07
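The NtQuerySystemInformation route described above, as an added example that is not code from the answer. It is a PowerShell script that compiles a small P/Invoke class (the class name NtProc and the Entry type are this example's own choices) and walks the SystemProcessInformation buffer. Only the documented leading fields of SYSTEM_PROCESS_INFORMATION are declared, which is enough for PID, image name, thread count and session; the retry loop handles STATUS_INFO_LENGTH_MISMATCH, which the call returns whenever the supplied buffer is too small. No OpenProcess call is made, which is why this works from a limited account.

```powershell
# Added example: enumerate processes via NtQuerySystemInformation(SystemProcessInformation).
# Class/type names (NtProc, Entry) are this example's own; the struct follows the documented
# header layout (NextEntryOffset, NumberOfThreads, 48 reserved bytes, ImageName, BasePriority,
# UniqueProcessId, ...), which is identical on 32- and 64-bit Windows apart from pointer size.
$source = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class NtProc
{
    public class Entry { public int Pid; public string ImageName; public uint Threads; public uint SessionId; }

    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    // Only the leading, documented part of SYSTEM_PROCESS_INFORMATION is declared; every entry
    // in the buffer is at least this long, so reading this prefix from each entry is safe.
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_PROCESS_INFORMATION
    {
        public uint NextEntryOffset;
        public uint NumberOfThreads;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 48)] public byte[] Reserved1;
        public UNICODE_STRING ImageName;   // empty (null Buffer) for the System Idle Process
        public int BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr Reserved2;
        public uint HandleCount;
        public uint SessionId;
    }

    const int SystemProcessInformation = 5;
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returnLength);

    public static List<Entry> List()
    {
        int size = 64 * 1024;
        IntPtr buf = IntPtr.Zero;
        try
        {
            int status, needed;
            for (;;)
            {
                buf = Marshal.AllocHGlobal(size);
                status = NtQuerySystemInformation(SystemProcessInformation, buf, size, out needed);
                if (status != STATUS_INFO_LENGTH_MISMATCH) break;
                // Buffer too small: free it and retry with the reported size plus slack,
                // because processes may have been created between the two calls.
                Marshal.FreeHGlobal(buf);
                buf = IntPtr.Zero;
                size = (needed > size ? needed : size * 2) + 16 * 1024;
            }
            if (status != 0)
                throw new InvalidOperationException(string.Format("NtQuerySystemInformation failed: 0x{0:X8}", status));

            var result = new List<Entry>();
            IntPtr p = buf;
            for (;;)
            {
                var e = (SYSTEM_PROCESS_INFORMATION)Marshal.PtrToStructure(p, typeof(SYSTEM_PROCESS_INFORMATION));
                string name = e.ImageName.Buffer == IntPtr.Zero
                    ? ""                                                                    // PID 0 has no image name
                    : Marshal.PtrToStringUni(e.ImageName.Buffer, e.ImageName.Length / 2);  // Length is in bytes
                result.Add(new Entry { Pid = (int)e.UniqueProcessId.ToInt64(), ImageName = name,
                                       Threads = e.NumberOfThreads, SessionId = e.SessionId });
                if (e.NextEntryOffset == 0) break;   // last entry in the chain
                p = new IntPtr(p.ToInt64() + e.NextEntryOffset);
            }
            return result;
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
        }
    }
}
'@
Add-Type -TypeDefinition $source

[NtProc]::List() | Sort-Object Pid | Format-Table Pid, ImageName, Threads, SessionId -AutoSize
```

The image name comes straight out of the kernel buffer as a counted UNICODE_STRING (Length is a byte count, hence the division by two), so there is no trailing garbage to trim, which is the cleanliness the comment above mentions. The one caveat from the next answer still applies: the information class and layout are only partially documented, so treat this as a best-effort path and keep a Toolhelp fallback.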
1

NtQuerySystemInformation is only barely documented and "may be altered or unavailable in future versions of Windows". CreateToolhelp32Snapshot is fully documented and should give you the image name.

Anders
  • Anders, thanks, this is a valid answer and I don't know why I didn't bother to check the other members of PROCESSENTRY32. – Joe Jordan Jan 17 '11 at 19:48
0

When a process starts, it is assigned a basic set of access privileges. Certain API calls require additional privileges to complete successfully. Specifically, OpenProcess can require the SeDebugPrivilege privilege in certain cases. You can find an example of how to modify your process token to enable additional privileges here: Enabling and Disabling Privileges in C++.

casablanca
  • That would mean then that, as expected, Process Explorer is using some other means to enumerate process names, because it does not run with SeDebugPrivilege enabled under the limited Guest account. – Joe Jordan Jan 15 '11 at 18:07
  • @Joe: By process name, do you mean the executable filename? As an alternative to `EnumProcesses`, the [tool help library](http://msdn.microsoft.com/en-us/library/ms686837%28v=vs.85%29.aspx) can get you similar information. – casablanca Jan 15 '11 at 18:12
0

GetProcessImageFileName only needs PROCESS_QUERY_LIMITED_INFORMATION starting with Vista, but on XP it does need PROCESS_QUERY_INFORMATION.

You shouldn't need, and definitely shouldn't be able to get from a guest account, PROCESS_VM_READ.

Ben Voigt