Is there a way, when enumerating task processes, that I can obtain the full command line used to start them?
Edit: I think I found the API needed: NtQueryInformationProcess()
capture command line of all running processes?
- Zebuddi123
Re: capture command line of all running processes?
Hi jassing, is this what you're looking for? http://msdn.microsoft.com/en-gb/library ... s.85).aspx
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;   <------------------------------------------------- here
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
Zebuddi.
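As an added example (my code, not from this thread, COMatePLUS or the PureBasic library): the same CommandLine field read straight out of each process's RTL_USER_PROCESS_PARAMETERS, the route jassing's edit points at. NtQueryInformationProcess(ProcessBasicInformation) gives the PEB address, ReadProcessMemory fetches the ProcessParameters pointer, then the UNICODE_STRING, then its Buffer. The structure and constant names with a trailing underscore and the #PEB_/#RUPP_ offsets are mine, derived from the documented layouts (the offset of CommandLine is exactly Reserved1[16] + Reserved2[10] pointers + ImagePathName from the struct above). Assumptions: a Windows build of PureBasic 5.x, reader and target of the same bitness (no WOW64 handling), and an account that can open the target for PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.

```purebasic
; Added example, not code from the thread. Reads CommandLine from each process's
; RTL_USER_PROCESS_PARAMETERS via NtQueryInformationProcess + ReadProcessMemory.
; Assumptions: Windows PureBasic 5.x, same bitness for reader and target, caller
; can open the target with QUERY_INFORMATION | VM_READ. Processes that refuse the
; open (protected/system ones) come back with an empty string, not an error.
EnableExplicit

; Hypothetical prototype name; stdcall, as NTAPI requires on x86
Prototype.l ProtoNtQueryInformationProcess(hProcess.i, InfoClass.l, *Info, InfoLength.l, *ReturnLength)

#PBI_ProcessBasicInformation = 0      ; PROCESSINFCLASS value (assumed name)

Structure PROCESS_BASIC_INFORMATION_   ; documented layout, own name to avoid clashes
  Reserved1.i
  PebBaseAddress.i                     ; the only field we need
  Reserved2.i[2]
  UniqueProcessId.i
  Reserved3.i
EndStructure

Structure UNICODE_STRING_
  Length.u                             ; BYTE count, not characters
  MaximumLength.u
  CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
    Pad.l                              ; explicit padding so Buffer sits at offset 8 as in C
  CompilerEndIf
  Buffer.i
EndStructure

; Offsets derived from the documented structs (same-bitness only):
;   PEB: 4 bytes of flags, [pad], Reserved3[2] pointers, Ldr, ProcessParameters
;   RTL_USER_PROCESS_PARAMETERS: Reserved1[16] + Reserved2[10] pointers
;                                + ImagePathName (UNICODE_STRING) -> CommandLine
CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  #PEB_ProcessParameters = $20
  #RUPP_CommandLine      = $70         ; 16 + 10*8 + 16
CompilerElse
  #PEB_ProcessParameters = $10
  #RUPP_CommandLine      = $40         ; 16 + 10*4 + 8
CompilerEndIf

Global NtQIP.ProtoNtQueryInformationProcess
Global ntdll = OpenLibrary(#PB_Any, "ntdll.dll")
If ntdll
  NtQIP = GetFunction(ntdll, "NtQueryInformationProcess")
EndIf

Procedure.s GetProcessCommandLine(pid.i)
  Protected hProcess, pbi.PROCESS_BASIC_INFORMATION_, retLen.l
  Protected paramsAddr.i, ucs.UNICODE_STRING_, *buf, bytesRead.i, result.s

  If NtQIP = 0 : ProcedureReturn "" : EndIf
  ; Least access that ReadProcessMemory needs; PROCESS_ALL_ACCESS would fail on more targets
  hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, pid)
  If hProcess
    ; NTSTATUS 0 = STATUS_SUCCESS
    If NtQIP(hProcess, #PBI_ProcessBasicInformation, @pbi, SizeOf(pbi), @retLen) = 0 And pbi\PebBaseAddress
      ; hop 1: PEB.ProcessParameters -> address of RTL_USER_PROCESS_PARAMETERS in the target
      If ReadProcessMemory_(hProcess, pbi\PebBaseAddress + #PEB_ProcessParameters, @paramsAddr, SizeOf(Integer), @bytesRead) And paramsAddr
        ; hop 2: the UNICODE_STRING header; its Buffer also lives in the target
        If ReadProcessMemory_(hProcess, paramsAddr + #RUPP_CommandLine, @ucs, SizeOf(UNICODE_STRING_), @bytesRead) And ucs\Length > 0 And ucs\Buffer
          *buf = AllocateMemory(ucs\Length + 2)   ; room for a terminating null
          If *buf
            ; hop 3: the UTF-16 characters themselves
            If ReadProcessMemory_(hProcess, ucs\Buffer, *buf, ucs\Length, @bytesRead)
              result = PeekS(*buf, ucs\Length / 2, #PB_Unicode)
            EndIf
            FreeMemory(*buf)
          EndIf
        EndIf
      EndIf
    EndIf
    CloseHandle_(hProcess)
  EndIf
  ProcedureReturn result
EndProcedure

; Walk every process with Toolhelp and print pid, image name and command line.
Procedure ListCommandLines()
  Protected pe.PROCESSENTRY32, snap
  pe\dwSize = SizeOf(PROCESSENTRY32)
  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If snap <> #INVALID_HANDLE_VALUE
    If Process32First_(snap, @pe)   ; First already yields entry 1; Repeat/Until keeps it
      Repeat
        Debug Str(pe\th32ProcessID) + Chr(9) + PeekS(@pe\szExeFile) + Chr(9) + GetProcessCommandLine(pe\th32ProcessID)
      Until Process32Next_(snap, @pe) = 0
    EndIf
    CloseHandle_(snap)
  EndIf
EndProcedure

ListCommandLines()
```

Two places where hand-rolled versions of this usually go wrong: UNICODE_STRING.Length is a byte count, so the character count for PeekS is Length / 2, and the Buffer pointer is a target-process address that needs its own ReadProcessMemory call rather than a PeekS. Win32_Process.CommandLine in the WMI examples below is the same field read by the WMI service, so the two approaches agree; the difference is that this one needs no COM and fails per process (empty string) instead of per query.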
Re: capture command line of all running processes?
I use COMate and WMI:
Edit: Better working example. You just need COMatePLUS installed.
Edit 2: fixed my EndIf issue. Code was ripped from an app I wrote.
Code:
XIncludeFile "COMatePLUS.pbi"

Procedure GetProcess(strComputer.s)
  Define.COMateObject objWMIService, objProcess
  Define colProcessList.COMateEnumObject
  Define name$, handle, path$, time.l, cmdline$, username$, userName

  objWMIService = COMate_GetObject("winmgmts:{impersonationLevel=impersonate}!\\" + strComputer + "\root\cimv2")
  If objWMIService
    colProcessList = objWMIService\CreateEnumeration("ExecQuery('Select * from Win32_Process')")
    If colProcessList
      objProcess = colProcessList\GetNextObject()
      While objProcess
        name$    = objProcess\GetStringProperty("Name")
        handle   = objProcess\GetIntegerProperty("Handle")
        path$    = objProcess\GetStringProperty("ExecutablePath")
        time     = objProcess\GetIntegerProperty("KernelModeTime")
        cmdline$ = objProcess\GetStringProperty("CommandLine")   ; the start parameters jassing asked for
        ; The owner comes from the GetOwner() method; the BSTR it hands back must be freed
        username$ = ""
        If objProcess\GetIntegerProperty("GetOwner(" + Str(@userName) + " byref)") = #S_OK
          username$ = PeekS(userName, -1, #PB_Unicode)
          SysFreeString_(userName)
        Else
          Debug "Cannot locate user's name."
        EndIf
        AddGadgetItem(1, -1, Str(handle) + Chr(10) + name$ + Chr(10) + username$ + Chr(10) + path$ + Chr(10) + cmdline$)
        objProcess\Release()                     ; release each Win32_Process object before fetching the next
        objProcess = colProcessList\GetNextObject()
      Wend
      colProcessList\Release()
    EndIf
    objWMIService\Release()
  Else
    MessageRequester("Processes", "Error detecting processes!")
  EndIf
EndProcedure

If OpenWindow(0, 10, 10, 800, 600, "Processes")
  ListIconGadget(1, 0, 0, 798, 598, "Processes", 50)
  AddGadgetColumn(1, 100, "Name", 100)
  AddGadgetColumn(1, 100, "Username", 100)
  AddGadgetColumn(1, 100, "Path", 250)
  AddGadgetColumn(1, 100, "Cmd Line", 650)
  GetProcess(".")
  Repeat
    Event = WindowEvent()
    Delay(5)
  Until Event = #PB_Event_CloseWindow
EndIf
Last edited by em_uk on Mon Jun 03, 2013 2:45 pm, edited 1 time in total.
----
R Tape loading error, 0:1
Re: capture command line of all running processes?
@em_uk: Your code doesn't compile. Missing an EndIf. Can't work out where it's meant to go because you've got a While/Else/EndIf loop, and if I change While to If, then I get a Break level too high error. Please check your code.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
Re: capture command line of all running processes?
Code:
; psapi!GetModuleFileNameEx is not in PureBasic's import table, so load it by hand.
; Handles are pointer-sized: .i, not .l, or the call breaks on x64.
Prototype.i ProtoGetModuleFileNameEx(hProcess.i, hModule.i, *lpFilename, nSize.i)

Global GetModuleFileNameEx.ProtoGetModuleFileNameEx
Lib = OpenLibrary(#PB_Any, "psapi.dll")
If Lib
  CompilerIf #PB_Compiler_Unicode
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExW")
  CompilerElse
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExA")
  CompilerEndIf
Else
  MessageRequester("Warning", "Can not load Psapi.dll", #MB_ICONWARNING)
  End
EndIf

Procedure CheckRunningExe()
  Protected Proc32.PROCESSENTRY32, snap, hProcess, ImageName$, FilePath$
  Proc32\dwSize = SizeOf(PROCESSENTRY32)
  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If snap
    ; Process32First already returns the first entry; looping only on Process32Next would skip it
    If Process32First_(snap, @Proc32)
      Repeat
        ImageName$ = PeekS(@Proc32\szExeFile)
        FilePath$  = Space(1024)
        ; QUERY_INFORMATION | VM_READ is all GetModuleFileNameEx needs;
        ; PROCESS_ALL_ACCESS is refused on far more processes than it helps with
        hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, 0, Proc32\th32ProcessID)
        If hProcess
          GetModuleFileNameEx(hProcess, 0, @FilePath$, Len(FilePath$))
          CloseHandle_(hProcess)
        EndIf
        Debug ImageName$
        Debug FilePath$
        Debug " "
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf
EndProcedure

CheckRunningExe()
Egypt my love
Re: capture command line of all running processes?
@Rashad: I think this is not what jassing means... he wants the start parameters of the tasks.
I modified the code from em_uk to work:
In the "Cmd Line" column you see the parameters, like PBCompiler.exe /STANDBY /LANGUAGE Deutsch...
Code:
XIncludeFile "COMatePLUS.pbi"

EnableExplicit

Procedure GetProcess(strComputer.s)
  Protected.COMateObject objWMIService, objProcess
  Protected colProcessList.COMateEnumObject
  Protected name$, handle, path$, time.l, cmdline$, username$, userName

  objWMIService = COMate_GetObject("winmgmts:{impersonationLevel=impersonate}!\\" + strComputer + "\root\cimv2")
  If objWMIService
    colProcessList = objWMIService\CreateEnumeration("ExecQuery('Select * from Win32_Process')")
    If colProcessList
      objProcess = colProcessList\GetNextObject()
      While objProcess   ; GetNextObject() returns 0 at the end, so no extra Break is needed
        name$    = objProcess\GetStringProperty("Name")
        handle   = objProcess\GetIntegerProperty("Handle")
        path$    = objProcess\GetStringProperty("ExecutablePath")
        time     = objProcess\GetIntegerProperty("KernelModeTime")
        cmdline$ = objProcess\GetStringProperty("CommandLine")   ; the start parameters
        ; The owner comes from the GetOwner() method; the BSTR it hands back must be freed
        username$ = ""
        If objProcess\GetIntegerProperty("GetOwner(" + Str(@userName) + " byref)") = #S_OK
          username$ = PeekS(userName, -1, #PB_Unicode)
          SysFreeString_(userName)
        Else
          Debug "Cannot locate user's name."
        EndIf
        AddGadgetItem(1, -1, Str(handle) + Chr(10) + name$ + Chr(10) + username$ + Chr(10) + path$ + Chr(10) + cmdline$)
        objProcess\Release()                     ; release each Win32_Process object before fetching the next
        objProcess = colProcessList\GetNextObject()
      Wend
      colProcessList\Release()
    EndIf
    objWMIService\Release()
  Else
    MessageRequester("Processes", "Error detecting processes!")
  EndIf
EndProcedure

Define Event

If OpenWindow(0, 10, 10, 800, 600, "Processes")
  ListIconGadget(1, 0, 0, 798, 598, "Processes", 50)
  AddGadgetColumn(1, 100, "Name", 100)
  AddGadgetColumn(1, 100, "Username", 100)
  AddGadgetColumn(1, 100, "Path", 250)
  AddGadgetColumn(1, 100, "Cmd Line", 650)
  GetProcess(".")
  Repeat
    Event = WindowEvent()
    Delay(5)
  Until Event = #PB_Event_CloseWindow
EndIf
Re: capture command line of all running processes?
Nice. thank you gents!
Re: capture command line of all running processes?
Fixed the missing EndIf.
Also, my version is useful for targeting another machine.
Simply change the "." to whatever machine name/IP.
Obviously you need to be an admin of that device.