who created a process?  
Author Message
$TOM





PostPosted: Thu Aug 14 10:27:19 CDT 2003 Top

Net Framework >> who created a process?

Is there a way to find out the name
of the user who created a process.
Some kind of process property or method
that would report the user name how launched
it?
(but not Environment.UserName)

Thanks,

--
Strah

DotNet29  
 
 
Willy





PostPosted: Thu Aug 14 10:27:19 CDT 2003 Top

Net Framework >> who created a process?
|| Is there a way to find out the name
|| of the user who created a process.
|| Some kind of process property or method
|| that would report the user name how launched
|| it?
|| (but not Environment.UserName)
||
|| Thanks,
||
|| --
|| Strah

There is no support for this in the FCL.
Your only option is to PInvoke (or MC++)
1. call the Win32 'OpenProcessToken' Win32 API using the 'Process.Handle' property as the first argument
2. use the tokenHandle returned to call WindowsIdentity(tokenHandle)
3. WindowsIdentity.Name should contain the process owner.
4. Close the tokenHandle using the 'CloseHandle' Win32 API.

Note that you will need special privileges to call OpenProcessToken, consult the SDK docs for details.
Willy.


 
 
David





PostPosted: Thu Aug 14 11:04:23 CDT 2003 Top

Net Framework >> who created a process?



> || Is there a way to find out the name
> || of the user who created a process.
> || Some kind of process property or method
> || that would report the user name how launched
> || it?
> || (but not Environment.UserName)
> ||
> || Thanks,
> ||
> || --
> || Strah
>
> There is no support for this in the FCL.
> Your only option is to PInvoke (or MC++)
> 1. call the Win32 'OpenProcessToken' Win32 API using the 'Process.Handle'
property as the first argument
> 2. use the tokenHandle returned to call WindowsIdentity(tokenHandle)
> 3. WindowsIdentity.Name should contain the process owner.
> 4. Close the tokenHandle using the 'CloseHandle' Win32 API.
>
> Note that you will need special privileges to call OpenProcessToken,
consult the SDK docs for details.
> Willy.
>
Yikes. Sounds scarry.

Anyway there is a performance counter that will tell you this. It is slow,
since the instances are identified by name, so you have to iterate all the
Process counter instances, but it's probably fast enough for some purposes.
Eg to determine if a application has been started as a service or not.


Function GetCreatingProcessID(ByVal processID As Integer) As Integer
Dim creatingProcess As Integer
Dim cat As New System.Diagnostics.PerformanceCounterCategory("Process")
Dim instance As String
For Each instance In cat.GetInstanceNames()
Dim pid As New System.Diagnostics.PerformanceCounter("Process", "ID
Process", instance, True)
If pid.RawValue = processID Then
Dim creator As New System.Diagnostics.PerformanceCounter("Process",
"Creating Process ID", instance, True)
creatingProcess = creator.RawValue
pid.Dispose()
creator.Dispose()
Return creatingProcess
End If
pid.Dispose()
Next
Throw New Exception("Process " & processID.ToString & " not found")
End Function

David


 
 
Strahimir





PostPosted: Thu Aug 14 12:29:26 CDT 2003 Top

Net Framework >> who created a process? David,

I needed a user name (logon name) who created
a process, and this gives me some integer???
thanks

--
Strah



>



> > || Is there a way to find out the name
> > || of the user who created a process.
> > || Some kind of process property or method
> > || that would report the user name how launched
> > || it?
> > || (but not Environment.UserName)
> > ||
> > || Thanks,
> > ||
> > || --
> > || Strah
> >
> > There is no support for this in the FCL.
> > Your only option is to PInvoke (or MC++)
> > 1. call the Win32 'OpenProcessToken' Win32 API using the
'Process.Handle'
> property as the first argument
> > 2. use the tokenHandle returned to call WindowsIdentity(tokenHandle)
> > 3. WindowsIdentity.Name should contain the process owner.
> > 4. Close the tokenHandle using the 'CloseHandle' Win32 API.
> >
> > Note that you will need special privileges to call OpenProcessToken,
> consult the SDK docs for details.
> > Willy.
> >
> Yikes. Sounds scarry.
>
> Anyway there is a performance counter that will tell you this. It is
slow,
> since the instances are identified by name, so you have to iterate all the
> Process counter instances, but it's probably fast enough for some
purposes.
> Eg to determine if a application has been started as a service or not.
>
>
> Function GetCreatingProcessID(ByVal processID As Integer) As Integer
> Dim creatingProcess As Integer
> Dim cat As New
System.Diagnostics.PerformanceCounterCategory("Process")
> Dim instance As String
> For Each instance In cat.GetInstanceNames()
> Dim pid As New System.Diagnostics.PerformanceCounter("Process", "ID
> Process", instance, True)
> If pid.RawValue = processID Then
> Dim creator As New
System.Diagnostics.PerformanceCounter("Process",
> "Creating Process ID", instance, True)
> creatingProcess = creator.RawValue
> pid.Dispose()
> creator.Dispose()
> Return creatingProcess
> End If
> pid.Dispose()
> Next
> Throw New Exception("Process " & processID.ToString & " not found")
> End Function
>
> David
>
>


 
 
Willy





PostPosted: Thu Aug 14 14:17:25 CDT 2003 Top

Net Framework >> who created a process?



||||| Is there a way to find out the name
||||| of the user who created a process.
||||| Some kind of process property or method
||||| that would report the user name how launched
||||| it?
||||| (but not Environment.UserName)
|||||
||||| Thanks,
|||||
||||| --
||||| Strah
|||
||| There is no support for this in the FCL.
||| Your only option is to PInvoke (or MC++)
||| 1. call the Win32 'OpenProcessToken' Win32 API using the
||| 'Process.Handle' property as the first argument
||| 2. use the tokenHandle returned to call WindowsIdentity(tokenHandle)
||| 3. WindowsIdentity.Name should contain the process owner.
||| 4. Close the tokenHandle using the 'CloseHandle' Win32 API.
|||
||| Note that you will need special privileges to call OpenProcessToken,
|| consult the SDK docs for details.
||| Willy.
|||
|| Yikes. Sounds scarry.
||

Yes, it is :-), another option is to use the System.Management (WMI) namespace.

|| Anyway there is a performance counter that will tell you this. It


No, it's not, OP asked for the user principal name of the creator of the process.

Here is how to do it in (C#)

using System;
using System.Text;
using System.Runtime.InteropServices;
using System.Security.Permissions;
using System.Security.Principal;
using System.Diagnostics;
using System.Security;
// Problem: proc.Handle property returns Access denied for 'idle' process and,
// Cannot OpenProcessToken() for NT AUTHORITY\NETWORK SERVICE and NT AUTHORITY\LOCAL SYSTEM
// Better use - WTSEnumerateProcesses on XP and higher
//

using HANDLE = System.IntPtr;
class IdentUser {

[DllImport("advapi32", SetLastError=true), SuppressUnmanagedCodeSecurityAttribute]
static extern int OpenProcessToken(
HANDLE ProcessHandle, // handle to process
int DesiredAccess, // desired access to process
ref IntPtr TokenHandle // handle to open access token
);

[DllImport("kernel32", SetLastError=true), SuppressUnmanagedCodeSecurityAttribute]
static extern bool CloseHandle(HANDLE handle);

public const int TOKEN_QUERY = 0X00000008;


public static void Main() {

Process[] _process = Process.GetProcesses();
foreach(Process proc in _process)
{
try {
Console.WriteLine("Process Name :{0} \tProcess ID : {1} ",

proc.ProcessName, proc.Id);

DumpPrincipalName(proc.Handle);
Console.WriteLine("--------------------------------------------------");
}
catch(Exception ex)
{Console.WriteLine("Exception: {0}", ex.Message);}
}
}


static void DumpPrincipalName(HANDLE processHandle)
{
int access = TOKEN_QUERY;
HANDLE tokenHandle = IntPtr.Zero;
if ( 0 != OpenProcessToken( processHandle, access, ref tokenHandle ) )
{
WindowsIdentity wi = new WindowsIdentity(tokenHandle);
Console.WriteLine(wi.Name);
CloseHandle(tokenHandle); // Close process token
}
else
Console.WriteLine("Error OpenProcessToken: {0}",Marshal.GetLastWin32Error());
}

}