List current user processes

Started by Ghirai, May 28, 2006, 01:38:42 PM


Ghirai

Hey,

Is there a way to list running processes only from the currently logged on user (not all processes running on the system)?
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

savage


Ghirai

If I wanted that answer I would have posted on a Windows support forum, and not on a programming board ::)
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

Ossa

OK... I've never done this, but from a quick browse through the Win32 Programmer's Reference, the only way that I can see is:

Get a list of all the processes... this is done using the CreateToolhelp32Snapshot, Process32First and Process32Next functions from the ToolHelp32 API.

For each process, get its handle (you have the ID from the bit above, but I've forgotten how to get from a process ID to process handle). Use the handle with the OpenProcessToken function to get its token then use GetTokenInformation to get the SID of the user... and use THIS to get the user using the LookupAccountSid function. Compare this user to the one got from GetUserName.

Wow... there really must be a better way. I don't even know if that will work, but I know of no other functions that enable you to get the user associated with a process.

Hope it helps (and I hope someone else comes up with a more "correct" method),
Ossa
Website (very old): ossa.the-wot.co.uk

zcoder

Ghirai,
This code is taken from one of my projects; the list view handle is assumed to be a listview that
has an imagelist from the system. But you can tweak the code to work in your app.



; Assumes a global PROCESSENTRY32 named uProcess (declared in the .data section of the
; original project, not shown here). Fills the listview with one item per running process,
; using the exe's shell icon and storing the PID in lParam.
ShowProcess proc hListview:DWORD

    LOCAL hSnapshot             :DWORD
    LOCAL sfi                   :SHFILEINFO
    LOCAL lvi                   :LV_ITEM
    LOCAL hitem                 :DWORD
    LOCAL szFullPath[MAX_PATH]  :BYTE

    mov [hitem],0
    invoke SendMessage,hListview,LVM_DELETEALLITEMS,0,0
    mov lvi.imask,LVIF_TEXT or LVIF_IMAGE or LVIF_PARAM
    mov lvi.cchTextMax,MAX_PATH
    mov lvi.iSubItem,0
    mov dword ptr[uProcess.cntUsage],1
    mov [uProcess.dwSize],sizeof uProcess           ; dwSize must be set before Process32First
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0 ; TH32CS_SNAPALL,0 for everything
    mov [hSnapshot],eax
    invoke Process32First,[hSnapshot],addr uProcess
    push eax                                        ; preserve the BOOL result across lstrcpy
    invoke lstrcpy,addr szFullPath,addr uProcess.szExeFile
    pop eax
    .while eax != 0
        ; display name + system imagelist icon index for the exe
        invoke SHGetFileInfo,addr szFullPath,0,addr sfi,sizeof SHFILEINFO,SHGFI_DISPLAYNAME or SHGFI_ICON or SHGFI_SYSICONINDEX or SHGFI_LARGEICON
        lea eax,sfi.szDisplayName
        mov lvi.pszText,eax
        mov eax,hitem
        mov lvi.iItem,eax
        mov eax,sfi.iIcon
        mov lvi.iImage,eax
        m2m lvi.lParam,[uProcess.th32ProcessID]     ; keep the PID with the item
        invoke SendMessage,hListview,LVM_INSERTITEM,NULL,addr lvi
        inc hitem
        invoke Process32Next,[hSnapshot],addr uProcess
        push eax
        invoke lstrcpy,addr szFullPath,addr uProcess.szExeFile
        pop eax
    .endw
    invoke CloseHandle,[hSnapshot]
    ret
ShowProcess endp



Zcoder....
Back in 1979, My computer ran so fine.
And there was no such thing,
As a Microsoft Crashed Machine.
http://zcoder.110mb.com
http://www.dietzel.com/partner/idevaffiliate.php?id=345_6  Free Domain Names

six_L

Hey, Ghirai,
the FASM code is written by comrade.

If you want to list running processes only from the currently logged on user, you need to modify it more.

[attachment deleted by admin]
regards

white scorpion

http://www.white-scorpion.nl/programs/prokill_v2.2.zip

source included.
It's a command-line process viewer / killer that I wrote a while ago.


Ossa

Erm... I think the difficulty is finding which user a process belongs to.

I am interested to see (1) if my method works (I will test it tomorrow, but I have to finish my work right now) and (2) if anyone comes up with a better method of finding which user owns a process. Does anyone know how to do that?

Ossa

[edit] Sorry, I was a bit rude there [/edit]
Website (very old): ossa.the-wot.co.uk

white scorpion

GetUserObjectSecurity
with 2nd argument OWNER_SECURITY_INFORMATION.

That should do the trick. Haven't got the time to try, but I doubt it is difficult.


Ghirai

MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

Ossa

Well, I finished my report a bit early, so I cooked up a little example that uses the method I described in my first post. I don't know if White Scorpion's method would work as I didn't test it (and if it did, it's only 1 less function call).

Although my example doesn't do exactly what was asked for (to display ONLY the current user's processes), it does get the current user and state which user each process belongs to. You can just compare the strings to make it behave as desired.

Have fun,
Ossa

[edit]

Thought I'd just add some things:


  • It isn't commented especially well, as I cooked it up as a test (test.asm is a file that continually gets its contents changed on my PC)
  • It does do quite a bit of error checking (I had problems with various function calls), so the code is very expanded

I'm sure there was something else... ah yes, the GetTokenInformation function calls. Great fun here... I wanted to simply get the TOKEN_USER structure (8 bytes), so I (incorrectly) assumed that the function would put 8 bytes in the buffer I specified. Was it that simple? Ohhhh no. It writes between 20 and 36 bytes (from what I observed - it changes with each call). Therefore there are 2 calls to GetTokenInformation - the first to get the needed buffer size, the second to get the data. The TOKEN_USER structure is aligned to the beginning of the buffer, so you can use the allocated memory pointer as a pointer to the TOKEN_USER structure.

Finally, if you want to see failed attempts to get the data as well as ones that succeeded, uncomment the EQU near the top.

In order to get rid of these errors, I think you will probably have to increase the program's permissions (I think White Scorpion has an example of that in his code).

(Just had a closer look at White Scorpion's suggestion and I'm not too sure that it provides the info you want)

[/edit]

[attachment deleted by admin]
Website (very old): ossa.the-wot.co.uk

white scorpion

Quote: I think White Scorpion has an example of that in his code
True, you can just copy and paste the AddDebugPrivileges function if you want.
(Btw, adding debug privileges by default only works for an administrator; if you want a normal user to do the technique below, I think you should just skip the processes you can't open (they aren't his anyway).)


Quote: Just had a closer look at White Scorpion's suggestion and I'm not too sure that it provides the info you want
It should, since everything on a Windows system is seen as an object, but I think your method is easier to understand and to follow.

For comparing to the current user I would suggest:

Do the LookupAccountSid for the current process, save the SID. Then do a LookupAccountSid for every process and only display the processes whose SIDs match.
You could lstrcmp usernames as well, but I think this is more secure.

Ossa

Quote from: White Scorpion on May 31, 2006, 05:30:48 AM
Quote: Just had a closer look at White Scorpion's suggestion and I'm not too sure that it provides the info you want
It should, since everything on a Windows system is seen as an object, but I think your method is easier to understand and to follow.

The reason that I say that was because the function uses a security descriptor as both an input and output... therefore it doesn't really take you any closer to your goal. On this topic though, I am very fuzzy, because before my first post in this thread I had never heard of a SID. Therefore, I might well be wrong here.

Quote from: White Scorpion on May 31, 2006, 05:30:48 AM
For comparing to the current user I would suggest:

Do the LookupAccountSid for the current process, save the SID. Then do a LookupAccountSid for every process and only display the processes whose SIDs match.
You could lstrcmp usernames as well, but I think this is more secure.

The SID is used by LookupAccountSid, not retrieved by it. What I think you meant to say was either:

Use LookupAccountName to get the SID of the current user.

or

Use the massive long list of functions to get the current process' user SID, which is the current user SID.

and then

compare the SIDs directly rather than using LookupAccountSid.

Basically, whatever you do: READ THE DOCUMENTATION.

Ossa
Website (very old): ossa.the-wot.co.uk

white scorpion

Quote: The SID is used by LookupAccountSid, not retrieved by it. What I think you meant to say was either:

Use LookupAccountName to get the SID of the current user.
Well, it doesn't matter. Both ways will work.
You can use LookupAccountName to get the SID of the current user, or you can use LookupAccountSid on the current process just like in your example and save the SID for comparing it with the other processes.
This was actually what I meant, but both methods should work.
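The approach the thread converges on (get the current user's SID, get each process's owner SID, compare SIDs directly and skip processes whose token cannot be opened) as an added PowerShell example, not code from any poster here. It leans on WMI's Win32_Process.GetOwnerSid, which performs the OpenProcess / OpenProcessToken / GetTokenInformation(TokenUser) sequence Ossa describes, so the script itself only does the comparison.

```powershell
# Added example (not from the thread): list only the processes owned by the
# logged-on user, comparing owner SIDs rather than user names, as suggested above.
# Win32_Process.GetOwnerSid does the token work (OpenProcess -> OpenProcessToken ->
# GetTokenInformation(TokenUser)) described earlier in the thread.

function Get-CurrentUserProcesses {
    # SID of the account running this script: the "current user" to compare against
    $mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        # GetOwnerSid returns ReturnValue 0 on success and the owner SID as a string.
        # For processes whose token we are not allowed to open (System, services,
        # other sessions) it fails; those cannot be ours, so they are skipped
        # instead of requiring extra privileges.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid
        if ($owner.ReturnValue -ne 0 -or [string]::IsNullOrEmpty($owner.Sid)) { continue }

        # Exact SID comparison: two accounts never share a SID, whereas a bare
        # user name can collide (same name in different domains, renamed accounts).
        if ($owner.Sid -eq $mySid) {
            [pscustomobject]@{
                ProcessId = $proc.ProcessId
                Name      = $proc.Name
                OwnerSid  = $owner.Sid
            }
        }
    }
}

Get-CurrentUserProcesses | Format-Table -AutoSize
```

Running it from a non-elevated prompt shows only the caller's own processes; elevating it (the AddDebugPrivileges route) makes more tokens readable but does not change the comparison.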

drizz

Quote from: savage
Yeah, CTRL-ALT-DEL   :lol
:naughty:

CTRL-SHIFT-ESC
:P
The truth cannot be learned ... it can only be recognized.