I'm using this C# code to get the Command Line parameters of a running process:

```csharp
using System;
using System.Management; // requires a reference to System.Management

public static void GetProcessesCommandLine(string processName)
{
    // WQL query against Win32_Process, filtered by executable name
    string query = $@"SELECT CommandLine,ProcessId FROM Win32_Process WHERE Name = '{processName}'";

    using (var searcher = new ManagementObjectSearcher(query))
    using (var collection = searcher.Get())
    {
        foreach (ManagementObject item in collection)
        {
            Console.WriteLine($"--- TESTING PROCESS {item["ProcessId"]} ---");

            // CommandLine comes back as null for some processes
            var commandLine = item["CommandLine"];
            if (commandLine == null)
            {
                Console.WriteLine("WARNING: command line is NULL");
            }
            else
            {
                Console.WriteLine($"CommandLine is: {commandLine}");
            }
        }
    }
}
```

The problem is that the command line property turns out to be NULL in some cases, and I'm struggling to understand when and why this happens.

Initially I thought that it had something to do with the user that was running the code, and that the command line was NULL for processes that did not belong to that user. However, this does not seem to be the case upon further testing. For example, here I have the following situation:

As you can see, I have 4 instances of explorer.exe all started by user edsep, and if I run the code above as user edsep I get all the command lines correctly. However, if I run the code as a different user, this is the output I get:

As you can see, the command line is not NULL on just one of the four processes. What is going on here? Why does that process in particular work while the others don't? What are the rules here?

EDIT: another test, because there were some doubts about testing with explorer.exe. Here I have several instances of Chrome that are running under user edsep:

If I run the code above as a different user, here's what I get:

As you can see, I get the command line for only 3 (apparently random?) processes out of 15... why?

Master_T
  • Probably a permission issue. What happens if the code runs as administrator? – Klaus Gütter May 08 '23 at 10:33
  • The command line for the one that works isn't really helpful either, because that process has apparently not been started with any arguments. – PMF May 08 '23 at 10:38
  • @KlausGütter: I'll test, but the thing is: if I open Task Manager I can see the command lines of other users' processes, even though it is not running as administrator, so what is going on there? Is Task Manager "special" and can obtain that information even when not invoked with elevated privileges? – Master_T May 08 '23 at 10:43
  • @PMF: the helpfulness isn't really important here, I'm just trying to understand the rules so I know what to expect when running this code. – Master_T May 08 '23 at 10:44
  • @Master_T Sorry for being unclear: I meant that maybe you get a result there _because_ the command line is empty, and this is somewhere handled differently. Also, this is the explorer desktop process, so there might be some special handling of that one - I would try to test the behavior with something that is not a partial system process. – PMF May 08 '23 at 11:03
  • @PMF: I added another example to my question, this time using chrome.exe and all processes have a command line, as you can see I get similar results. – Master_T May 09 '23 at 08:30
  • @Master_T I've put the actual question in the title as I first wasn't sure whether you are looking for how to get a proper `CommandLine` for processes started by other users (which you apparently already know) or the _reasoning_ why it is null for only _some_ of those processes. – Ray May 09 '23 at 09:04
  • I suspect that if you add Integrity to the set of columns showing in Process Explorer you'll see a pattern in that the ones you're not seeing any details for are Untrusted or Low. – Damien_The_Unbeliever May 09 '23 at 11:47

0 Answers