I need to find one process. When this process is created, it starts another one with the same name. I looked into the task manager, where the process I need is started from the user, and the other from the System. I need exactly the process that started from the user. Is it possible to determine who started the process or is there an easier way?

  • one
    OS will guess collectively? - gbg
  • Windus of course! - HackMemory

1 answer 1

For windows, the solution is

#include <comdef.h> #define MAX_NAME 256 BOOL GetLogonFromToken (HANDLE hToken, _bstr_t& strUser, _bstr_t& strdomain) { DWORD dwSize = MAX_NAME; BOOL bSuccess = FALSE; DWORD dwLength = 0; strUser = ""; strdomain = ""; PTOKEN_USER ptu = NULL; //Verify the parameter passed in is not NULL. if (NULL == hToken) goto Cleanup; if (!GetTokenInformation( hToken, // handle to the access token TokenUser, // get information about the token's groups (LPVOID) ptu, // pointer to PTOKEN_USER buffer 0, // size of buffer &dwLength // receives required buffer size )) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) goto Cleanup; ptu = (PTOKEN_USER)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLength); if (ptu == NULL) goto Cleanup; } if (!GetTokenInformation( hToken, // handle to the access token TokenUser, // get information about the token's groups (LPVOID) ptu, // pointer to PTOKEN_USER buffer dwLength, // size of buffer &dwLength // receives required buffer size )) { goto Cleanup; } SID_NAME_USE SidType; char lpName[MAX_NAME]; char lpDomain[MAX_NAME]; if( !LookupAccountSid( NULL , ptu->User.Sid, lpName, &dwSize, lpDomain, &dwSize, &SidType ) ) { DWORD dwResult = GetLastError(); if( dwResult == ERROR_NONE_MAPPED ) strcpy (lpName, "NONE_MAPPED" ); else { printf("LookupAccountSid Error %u\n", GetLastError()); } } else { printf( "Current user is %s\\%s\n", lpDomain, lpName ); strUser = lpName; strdomain = lpDomain; bSuccess = TRUE; } Cleanup: if (ptu != NULL) HeapFree(GetProcessHeap(), 0, (LPVOID)ptu); return bSuccess; } HRESULT GetUserFromProcess(const DWORD procId, _bstr_t& strUser, _bstr_t& strdomain) { HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,procId); if(hProcess == NULL) return E_FAIL; HANDLE hToken = NULL; if( !OpenProcessToken( hProcess, TOKEN_QUERY, &hToken ) ) { CloseHandle( hProcess ); return E_FAIL; } BOOL bres = GetLogonFromToken (hToken, strUser, strdomain); CloseHandle( hToken ); CloseHandle( hProcess ); return bres?S_OK:E_FAIL; }
  • Thanks It works! - HackMemory