David Browne wrote:
|| ||| Strahimir Antoljak wrote:
||||| Is there a way to find out the name
||||| of the user who created a process.
||||| Some kind of process property or method
||||| that would report the user name who launched
||||| it?
||||| (but not Environment.UserName)
|||||
||||| Thanks,
|||||
||||| --
||||| Strah
|||
||| There is no support for this in the FCL.
||| Your only option is to PInvoke (or MC++)
||| 1. call the Win32 'OpenProcessToken' Win32 API using the
||| 'Process.Handle' property as the first argument
||| 2. use the tokenHandle returned to call WindowsIdentity(tokenHandle)
||| 3. WindowsIdentity.Name should contain the process owner.
||| 4. Close the tokenHandle using the 'CloseHandle' Win32 API.
|||
||| Note that you will need special privileges to call OpenProcessToken,
||| consult the SDK docs for details.
||| Willy.
|||
|| Yikes. Sounds scary.
||
Yes, it is, another option is to use the System.Management (WMI) namespace.
|| Anyway there is a performance counter that will tell you this. It
No, it's not, OP asked for the user principal name of the creator of the process.
Here is how to do it in C#:
    using System;
    using System.Text;
    using System.Runtime.InteropServices;
    using System.Security.Permissions;
    using System.Security.Principal;
    using System.Diagnostics;
    using System.Security;
    // Problem: the proc.Handle property returns Access denied for the 'idle' process, and
    // OpenProcessToken() cannot be called for NT AUTHORITY\NETWORK SERVICE and NT AUTHORITY\LOCAL SYSTEM.
    // Better use WTSEnumerateProcesses on XP and higher.
    //
    using HANDLE = System.IntPtr;

    class IdentUser {
        [DllImport("advapi32", SetLastError=true), SuppressUnmanagedCodeSecurityAttribute]
        static extern bool OpenProcessToken(
            HANDLE ProcessHandle,   // handle to process
            int DesiredAccess,      // desired access to process
            out IntPtr TokenHandle  // receives the handle to the open access token
        );

        [DllImport("kernel32", SetLastError=true), SuppressUnmanagedCodeSecurityAttribute]
        static extern bool CloseHandle(HANDLE handle);

        public const int TOKEN_QUERY = 0x00000008;

        public static void Main() {
            Process[] _process = Process.GetProcesses();
            foreach (Process proc in _process)
            {
                try {
                    Console.WriteLine("Process Name :{0} \tProcess ID : {1} ",
                        proc.ProcessName, proc.Id);
                    // proc.Handle throws when the process cannot be opened
                    DumpPrincipalName(proc.Handle);
                    Console.WriteLine("--------------------------------------------------");
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Exception: {0}", ex.Message);
                }
            }
        }

        static void DumpPrincipalName(HANDLE processHandle)
        {
            HANDLE tokenHandle;
            if (!OpenProcessToken(processHandle, TOKEN_QUERY, out tokenHandle))
            {
                // Read the error code right away, before another call overwrites it
                Console.WriteLine("Error OpenProcessToken: {0}", Marshal.GetLastWin32Error());
                return;
            }
            try
            {
                WindowsIdentity wi = new WindowsIdentity(tokenHandle);
                Console.WriteLine(wi.Name);
            }
            finally
            {
                CloseHandle(tokenHandle); // Close process token, even if WindowsIdentity throws
            }
        }
    }
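
The System.Management (WMI) route mentioned above, as an added example that is not part of the original thread: it asks WMI for each Win32_Process instance and calls its GetOwner method. It assumes a reference to System.Management.dll; the names WmiProcessOwner and GetOwnerName are made up for the example.

```csharp
// Added example, not code from the thread.
using System;
using System.Management;   // assumption: project references System.Management.dll

class WmiProcessOwner
{
    // Returns "DOMAIN\user", or null when WMI cannot resolve the owner
    // (non-zero return code, or the process exited between query and call).
    static string GetOwnerName(ManagementObject process)
    {
        // Win32_Process.GetOwner has two out-parameters: [0] = User, [1] = Domain
        object[] outArgs = new object[2];
        try
        {
            uint rc = Convert.ToUInt32(process.InvokeMethod("GetOwner", outArgs));
            if (rc != 0 || outArgs[0] == null)
                return null;
            return outArgs[1] + "\\" + outArgs[0];
        }
        catch (ManagementException)
        {
            return null;
        }
    }

    static void Main()
    {
        // SELECT * keeps the key property, which InvokeMethod needs to address the instance
        using (ManagementObjectSearcher searcher =
                   new ManagementObjectSearcher("SELECT * FROM Win32_Process"))
        using (ManagementObjectCollection processes = searcher.Get())
        {
            foreach (ManagementObject mo in processes)
            {
                using (mo)
                {
                    string owner = GetOwnerName(mo);
                    Console.WriteLine("{0,-8} {1,-30} {2}",
                        mo["ProcessId"], mo["Name"],
                        owner ?? "<owner not available>");
                }
            }
        }
    }
}
```

Processes whose owner cannot be read are printed with a placeholder instead of aborting the listing, so gaps caused by insufficient rights stay visible in the output.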