14
votes

I'm trying to get a process name from its pid. User is running as Administrator, UAC enabled, not elevated.

Some system processes, like services.exe, have their security set up in such way that OpenProcess(PROCESS_QUERY_INFORMATION ... fails with ERROR_ACCESS_DENIED. Same result with PROCESS_QUERY_LIMITED_INFORMATION access right. However, I can see that Process Explorer can at least list all these processes, along with their pid and file name (when running as non-elevated Administrator).

My question is, how can I do the same (get file name from pid), given that non-elevated administrator cannot follow the usual route of OpenProcess() + GetProcessImageFileName()?

3

3 Answers

13
votes

Have you tried Process32First() and Process32Next() with a handle retrieved by CreateToolhelp32Snapshot()? It doesn't give you the full path but should at least let you get the file name.

5
votes

Have you tried PROCESS_QUERY_LIMITED_INFORMATION instead? It requests a lower level of access that can provide at least the name of the executable. It allows you to call QueryFullProcessImageName which provides the information you're looking for

5
votes

You can't open system processes (more precisely, processes running under another account - in this case user SYSTEM) without SE_DEBUG privilege enabled for your process. If you are running as admin, you can easily set the privilege: http://support.microsoft.com/kb/131065/en-us