Obtain PIDs

Thread starter: AA

AA
I would like to know how to obtain a process's owner from its PID.

The sequence of

OpenProcess
OpenProcessToken
GetTokenInformation
LookupAccountSid

does not work on system processes.

This has been documented in MSDN as being caused by lack of the SE_DEBUG_NAME privilege. The KB article Q131065 describes how to enable this privilege in our process so that OpenProcess does not fail on system processes.

The said method works on all processes except the System (PID 8) process and the CSRSS process.

1) Why does this not work on these processes?

2) Are there any other rights that have to be assigned to get this to work?

3) Is there any other method that doesn't require these rights to obtain the process owner name?

I am targeting NT 4.0 SP6 and above (2000, XP, etc.).
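The call chain from the post, written out as a complete program. This is an added example, not code from the thread or from the KB article: it enables SE_DEBUG_NAME in its own token as Q131065 describes, then walks OpenProcess, OpenProcessToken, GetTokenInformation and LookupAccountSid for a PID given on the command line. The Win32 half compiles only on Windows (any Win32 C compiler; the caller must already hold SeDebugPrivilege, which Administrators do by default). The `sid_to_string` helper is an assumption of this example rather than anything the thread mentions: it is portable plain C so that a SID whose name cannot be resolved is still printed, and it avoids ConvertSidToStringSid, which did not exist on NT 4.0. `process_owner` returns the Win32 error code of whichever call failed, so an ERROR_ACCESS_DENIED from OpenProcessToken (the token's own DACL refusing TOKEN_QUERY) can be told apart from OpenProcess failing for lack of the privilege.

```c
/* Added example, not code from the thread: resolve a process owner from its
 * PID with OpenProcess -> OpenProcessToken -> GetTokenInformation ->
 * LookupAccountSid, after enabling SE_DEBUG_NAME as KB Q131065 describes.
 * The Win32 half compiles only on Windows; sid_to_string() is portable
 * (ConvertSidToStringSid did not exist on NT 4.0) so a failed name lookup
 * can still report the raw SID. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Render a raw SID as "S-1-<authority>-<sub1>-...". Layout: byte 0 revision
 * (always 1), byte 1 sub-authority count, bytes 2..7 big-endian 48-bit
 * identifier authority, then <count> little-endian 32-bit sub-authorities.
 * Returns the string length, or -1 if the SID is malformed or out is too small. */
int sid_to_string(const unsigned char *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1) return -1;
    unsigned count = sid[1];
    if (count > 15 || len < 8 + 4u * count) return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (unsigned i = 0; i < count; i++) {
        const unsigned char *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        int m = snprintf(out + n, outlen - (size_t)n, "-%lu", (unsigned long)sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

#ifdef _WIN32
#include <windows.h>

/* Enable SeDebugPrivilege in our own token. Works only if the privilege is
 * already assigned to the caller; AdjustTokenPrivileges returns TRUE even
 * when nothing was enabled, so the ERROR_NOT_ALL_ASSIGNED check matters. */
static BOOL enable_debug_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL ok = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)
           && AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL)
           && GetLastError() == ERROR_SUCCESS;
    CloseHandle(tok);
    return ok;
}

/* Write "DOMAIN\name" for the owner of pid into out (textual SID if the name
 * cannot be mapped). Returns 0, or the Win32 error of the call that failed. */
int process_owner(DWORD pid, char *out, size_t outlen)
{
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!proc) return (int)GetLastError();
    HANDLE tok;
    if (!OpenProcessToken(proc, TOKEN_QUERY, &tok)) {
        DWORD e = GetLastError(); CloseHandle(proc); return (int)e;
    }
    unsigned char buf[256];          /* TOKEN_USER header + largest SID fits easily */
    DWORD need = 0;
    int rc = 0;
    if (!GetTokenInformation(tok, TokenUser, buf, sizeof buf, &need)) {
        rc = (int)GetLastError();
    } else {
        PSID sid = ((TOKEN_USER *)buf)->User.Sid;
        char name[256], dom[256];
        DWORD nl = sizeof name, dl = sizeof dom;
        SID_NAME_USE use;
        if (LookupAccountSidA(NULL, sid, name, &nl, dom, &dl, &use))
            snprintf(out, outlen, "%s\\%s", dom, name);
        else if (sid_to_string((unsigned char *)sid, GetLengthSid(sid), out, outlen) < 0)
            rc = ERROR_INVALID_SID;
    }
    CloseHandle(tok);
    CloseHandle(proc);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    if (!enable_debug_privilege())
        fprintf(stderr, "warning: SeDebugPrivilege not enabled (error %lu)\n",
                (unsigned long)GetLastError());
    char owner[512];
    int rc = process_owner((DWORD)strtoul(argv[1], NULL, 10), owner, sizeof owner);
    if (rc) { fprintf(stderr, "pid %s: Win32 error %d\n", argv[1], rc); return 1; }
    printf("%s\n", owner);
    return 0;
}
#endif
```

Run it as `owner.exe <pid>` from an administrative command prompt. PROCESS_QUERY_INFORMATION is the least access OpenProcess needs for this, and TOKEN_QUERY the least for OpenProcessToken; asking for more (PROCESS_ALL_ACCESS, TOKEN_ALL_ACCESS) is the usual reason the chain fails on protected processes even when the privilege is enabled.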
 
AA said:
I would like to know how to obtain a process's owner from its PID.

The sequence of
OpenProcess
OpenProcessToken
GetTokenInformation
LookupAccountSid
does not work on system processes.
The said method works on all processes except the System (PID 8) process and the CSRSS process.

1) Why does this not work on these processes?

2) Are there any other rights that have to be assigned to get this to work?

3) Is there any other method that doesn't require these rights to obtain the process owner name?

There is a utility in the Microsoft Platform SDK called pview.exe (not
to be confused with the relatively lame utility of the same name that
comes with Visual Studio). It is an interactive program that allows
you, among other things, to browse the security descriptors and access
tokens associated with all the processes and threads on the system.
Get it and play with it; examine the security on the various system
objects until you understand the model.

On my XP system, for example, I have to modify the security descriptor
on some process tokens before I can examine the contents of the
tokens. And in some cases, I need to modify the process security
descriptor before I'm permitted to even look at the security
descriptor on the process access token. I can ultimately get the
descriptors and tokens for everything except process 0 -- the System
Idle Process -- which doesn't have any.

- GH