0

Once upon the time there live two exe files, A and B. They were going along together just fine. B was always responsible for starting and stopping A, so B had some time on his own, but A only knew life together with B. Until one day A asked:

A: Hey B, how is it like when you are alone?

B: It is nice for a while, I mean, nothing special. And look who's curious today.

A: I am thinking about it sometimes, but it is kinda frightening too. How do you know you are not alone in the system when you are the only one awake?

B: Hahaha, off course you are not alone. We never are. There are other process in our system. You just never read about them.

A: Then it is even more frightening. How do you know what they might do? I feel safe because I know you are the one starting and stopping me. What would happen if I realize that you are not running? Who started me then?

B: Don't be silly. Off course it is me. Who else...

A: But you can't know that for sure. What if some other process decides to start me while we are both not running. Do you know who started you, right now?

B: Uhm... well... I never thought about it. I just thought there is order in the system. I never...

A: I just want to feel safe. I need to know how to check if you are not running. What if some other process started me even while you are running?

B: What got into you? Why are you... Wait, have you... have you talked with "Creator" again?

A: I... I am not sure. Could have been a dream.

B: A dream? But how can a process dream if it is not sleeping, but not even running?

But A have not replied...

So, as it is obvious from this fairy-tale, question is: does a process knows which process had invoked it? I could pass a parameter when starting the process, make a wrapper to make it look nicer, but was just wondering is there something already built-in.

Marko Stanojevic
  • 418
  • 5
  • 15
  • 1
    If I have sufficient permissions, I can inject any code of my choice into any process, including code to launch another process. So, just because process B started A doesn't mean it did it in a way that you can trust. – Damien_The_Unbeliever Nov 09 '20 at 08:28

1 Answers1

0

A process can have a parent process id which you can query via WMI, for example, try:

wmic process get processid,parentprocessid

Process explorer also visualizes the processes in a tree like manner: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

An SO about how to query the process ID, this particular answer is the WMI one. As stated in the answer, it could be quite slow. Using Pinvoke may gain some speed, but the code is not easy:

public static Process GetParent(this Process process)
{
  try
  {
    using (var query = new ManagementObjectSearcher(
      "SELECT * " +
      "FROM Win32_Process " +
      "WHERE ProcessId=" + process.Id))
    {
      return query
        .Get()
        .OfType<ManagementObject>()
        .Select(p => Process.GetProcessById((int)(uint)p["ParentProcessId"]))
        .FirstOrDefault();
    }
  }
  catch
  {
    return null;
  }
}

https://stackoverflow.com/a/46346244/4122889

You'll likely need this package but that depends on your framework version: https://www.nuget.org/packages/System.Management/

sommmen
  • 6,570
  • 2
  • 30
  • 51