Thread: how to Search for a certain service and a process in Windows

  1. #1
    Registered User
    Join Date
    Aug 2008
    Posts
    6

    how to Search for a certain service and a process in Windows

    Hi all,

    My goal is to write a program that searches for a service x in my system and a process y.

    For that I have a few questions:
    1) Which is the better language to use? (I am already working with Java; I know
    C++ and C# but have no clue about C. Anyway, it's not a problem.)
    2) How can it be done? I mean, is there a sample piece of code to do it?

    For me the topic is complicated ... maybe I am asking for a lot of things in one question. Guidance is appreciated.

    Thanks in advance

  2. #2
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    How do you know what process/service you are looking for? Generally, you would use the Process Status API (PSAPI) to find a process.

    Here's a sample that shows all processes:
    http://msdn.microsoft.com/en-us/libr...23(VS.85).aspx

    It probably makes very little difference what language you use, since most of the work is done in the kernel, and the rest would be some integer/string comparison - pretty lightweight work, so I would use whichever language you fancy that has the ability to do the work [that is, you can enumerate processes as per the above sample].

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  3. #3
    Banned master5001's Avatar
    Join Date
    Aug 2001
    Location
    Visalia, CA, USA
    Posts
    3,685
    Anyone can write this sort of program in C, but a true genius would go for it in Perl.

  4. #4
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Code:
    use Win32::OLE qw( in );

    # WMI enumeration flags: hand back the enumerator immediately and make it
    # forward-only, which is cheaper than a rewindable collection.
    use constant wbemFlagReturnImmediately => 0x10;
    use constant wbemFlagForwardOnly       => 0x20;

    # Connect to the WMI namespace that holds the Win32_Process and Win32_Service classes.
    my $objWMIService = Win32::OLE->GetObject("winmgmts:\\\\localhost\\root\\CIMV2")
        or die "WMI connection failed.\n";

    # WQL query for every running process (the same query against Win32_Service lists services).
    my $colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_Process", "WQL",
        wbemFlagReturnImmediately | wbemFlagForwardOnly);

    foreach my $objItem (in $colItems) {
        print "Caption: $objItem->{Caption}\n";
    }

  5. #5
    Registered User
    Join Date
    Aug 2008
    Posts
    6
    Thanks guys for your replies.

    Well BobS0327, I could not understand your code.

    matsp: the sample only looks for processes; what about searching for services?
    master5001: why Perl?
    Thanks guys, I will try your tips and apply them.

    As soon as there's feedback I will share it with you.

    Thanks again

  6. #6
    Registered User
    Join Date
    Dec 2007
    Posts
    2,675
    BobS was just showing us his true genius by doing it in Perl!

  7. #7
    Registered User
    Join Date
    Aug 2008
    Posts
    6
    OK guys

    I tried the code in the link http://msdn.microsoft.com/en-us/libr...23(VS.85).aspx
    and it is working, but unfortunately a lot of processes are <unknown>, including the one I am looking for, which is "javaw.exe". Is this issue related to my system or does it have to do with the WinAPI?
    So how can I show the real name of every process?

    I have read the following:
    If OpenProcess fails, the output shows the process name as <unknown>. For example, OpenProcess fails for the Idle and CSRSS processes because their access restrictions prevent user-level code from opening them.

    So how can I edit the Java executable so that user-level code can open it?

    Besides that, I want to know how I can display the running services, or at least the registered ones!

    Thanks in advance
    Last edited by daher; 09-01-2008 at 08:47 AM.

  8. #8
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    You have to elevate your privileges, i.e. enable the debug privilege. Add the following function to your code:

    Code:
    #include <windows.h>

    // Returns TRUE only if SeDebugPrivilege was actually enabled in this process's token.
    BOOL EnableDebugPriv( void )
    {
        HANDLE hToken;
        LUID sedebugnameValue;
        TOKEN_PRIVILEGES tkp;
        if( !OpenProcessToken( GetCurrentProcess(),
                TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
            return FALSE;
        if( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
        {
            CloseHandle( hToken );
            return FALSE;
        }
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the token does not hold the
        // privilege at all (GetLastError() is then ERROR_NOT_ALL_ASSIGNED), so the
        // return value alone does not tell you whether anything was enabled.
        BOOL ok = AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL )
                  && GetLastError() == ERROR_SUCCESS;
        CloseHandle( hToken );
        return ok;
    }
    And be sure EnableDebugPriv is the first function to be called in main.

  9. #9
    Registered User
    Join Date
    Aug 2008
    Posts
    6
    I have added this code.

    But still I am getting these unknown processes!!!

    I was told to run it as admin and I did, and it still did not work.

    So what's with this debug level; does it only work in debug mode???
    Is there any other solution?

    Best regards and thanks for the replies

  10. #10
    Banned master5001's Avatar
    Join Date
    Aug 2001
    Location
    Visalia, CA, USA
    Posts
    3,685
    You are trying to do a dirty trick, so why are you arguing with how it must be done? And yes, some processes are going to be mysterious. Just read through the programs as to how often people ask how to be one of these elusive processes. That is how many services are running, how many malware programs are running, and let us not forget viruses, virus scanners, device drivers and system modules. What are you specifically trying to do?

  11. #11
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    so what's with this debug level; does it only work in debug mode???
    Well, when you log in to any system, you are given an access token. An access token contains privileges and security identifiers for a user, global group, or local group. The privileges regulate the use of some system services and the security identifiers regulate access to objects that are protected by access-control lists (ACLs). By default, the SE_DEBUG_NAME privilege is not enabled. Thus, you have to enable it to get additional security privileges.

    Tokens are created by the Local Security Authority (lsass.exe), and allow the system to keep track of some information related to the process. The most important information a process token holds is the SID of the user account the process is running under. It also carries the list of SIDs for groups the user is a member of, and the privileges the user has been granted. All this allows the system to easily determine if the process (user) should be granted access to a protected resource. A protected resource in this case would be the processes you are trying to enumerate.

    You should be logged in as an Admin in order to enable the SE_DEBUG_NAME privilege.

    I've tried this code under Win2K, XP Home, XP Pro and Vista Enterprise. It only fails under Vista. So, I'll assume your problem is Vista, specifically the security features of Vista. I have no real Vista experience. Thus, I'm of no help to you.
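As an added example that is not part of this thread (my own PowerShell, not any poster's code), the following shows the token facts described above as they apply to the shell you run it from: whether the token is an elevated administrator token, whether SeDebugPrivilege is present in it at all and in what state, and which processes cannot be opened with the query rights the MSDN sample needs, i.e. the entries that sample prints as <unknown>. Only built-in cmdlets and whoami.exe are used.

```powershell
# Added example (not from the thread): inspect the token this shell runs under and
# list the processes that cannot be opened for query. Run it once from a normal
# prompt and once from an elevated prompt and compare the two outputs.

function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # whoami /priv lists every privilege held by the token. A privilege that is
    # absent from this list cannot be enabled by AdjustTokenPrivileges at all;
    # under UAC the non-elevated ("filtered") token of an administrator has
    # SeDebugPrivilege removed, so enabling it is a no-op there.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $debug = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }

    [pscustomobject]@{
        User            = $identity.Name
        IsElevatedAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        SeDebugPresent  = [bool]$debug
        SeDebugState    = $(if ($debug) { $debug.State } else { 'absent' })
    }
}

function Get-UnopenableProcesses {
    # Reading MainModule needs the same PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    # access the MSDN sample requests in OpenProcess, so every failure reported
    # here corresponds to an <unknown> line in that sample's output.
    Get-Process | ForEach-Object {
        $p = $_
        try {
            $null = $p.MainModule.FileName
            return                       # opened fine, nothing to report for this one
        }
        catch {
            [pscustomobject]@{
                Name   = $p.ProcessName
                Id     = $p.Id
                Reason = $_.Exception.Message
            }
        }
    }
}

Get-TokenSummary | Format-List
Get-UnopenableProcesses | Format-Table -AutoSize
```

Two causes of <unknown> remain even with SeDebugPrivilege enabled: protected processes refuse PROCESS_VM_READ regardless of privileges, and a 32-bit build of the sample running on a 64-bit Windows cannot enumerate the modules of 64-bit processes, so those also come back as <unknown>. Enumerating process names without opening each process (a toolhelp snapshot or WMI's Win32_Process) sidesteps both.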

  12. #12
    Registered User
    Join Date
    Aug 2008
    Posts
    6
    Yes, I am using Vista.

    Thanks anyway for the explanation.

    I have tried the following code under Vista and it's working. Just want to share it for the benefit of others:
    Code:
    #include <windows.h>
    #include <tlhelp32.h>
    #include <cstdio>
    #include <cstdlib>
    #include <cwchar>

    // Image name of the process to look for, compared case-insensitively
    // against PROCESSENTRY32W::szExeFile.
    #define PROC_NAME L"process name you are looking for"

    unsigned long GetTargetProcessIdFromProcname(const WCHAR *procName);

    int main()
    {
        while (true) {
            unsigned long gwID = GetTargetProcessIdFromProcname(PROC_NAME);
            if (gwID > 0) {
                wprintf(L"found %s, pid: %lu\n", PROC_NAME, gwID);
            }
            else {
                printf("not found\n");
                //std::system("Gadget_Server_V1.27.333.exe");
            }
            // Sleep on every iteration; the original only slept when the process
            // was missing and otherwise spun at full CPU once it was found.
            Sleep(10000);
        }
        return 0;
    }

    unsigned long GetTargetProcessIdFromProcname(const WCHAR *procName)
    {
        PROCESSENTRY32W pe = {0};
        unsigned long pid = 0;

        // Try to create a toolhelp snapshot and verify that it was actually created.
        // The snapshot lists every process without opening each one, which is why
        // this works where the OpenProcess-based PSAPI sample showed <unknown>.
        HANDLE thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (thSnapshot == INVALID_HANDLE_VALUE) {
            printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
            return 0;
        }

        // Need to have this set for the WinAPI structures
        pe.dwSize = sizeof(pe);

        // Walk the snapshot and stop at the first image name that matches exactly.
        // The original StrStrI(procName, pe.szExeFile) did a substring match with
        // the arguments reversed, so any running process whose name is a substring
        // of PROC_NAME would have been reported as a hit.
        if (Process32FirstW(thSnapshot, &pe)) {
            do {
                if (_wcsicmp(procName, pe.szExeFile) == 0) {
                    pid = pe.th32ProcessID;
                    break;
                }
            } while (Process32NextW(thSnapshot, &pe));
        }

        // Close the snapshot on every path; the original leaked one handle
        // per loop iteration.
        CloseHandle(thSnapshot);

        // 0 means no process with that name was found.
        return pid;
    }
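The thread never gets to the service half of the original question. As an added example (my own PowerShell, not code from any post), this does both lookups that the Perl WMI snippet and the C++ loop above each do half of: it finds a process by exact image name and a service by name through the WMI classes Win32_Process and Win32_Service, reports the details a reviewer wants (owning PID, binary path, logon account, start mode), and polls for the process the way the C++ loop does. 'javaw.exe' is the name from the thread; 'Spooler' is only a placeholder service name.

```powershell
# Added example (not from the thread): locate a process by image name and a
# service by name, using the same WMI classes the Perl post queries.

function Find-TargetProcess {
    param([Parameter(Mandatory)][string]$ImageName)   # 'javaw' or 'javaw.exe'
    # Normalise to the exact image name Win32_Process reports.
    $exe = if ($ImageName -like '*.exe') { $ImageName } else { "$ImageName.exe" }
    # Win32_Process lists every process; ExecutablePath/CommandLine are empty
    # for processes the caller is not allowed to open, but the name and PID
    # are always present, so the match itself needs no extra privilege.
    Get-CimInstance Win32_Process |
        Where-Object Name -eq $exe |       # exact, case-insensitive; no substring hits
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

function Find-TargetService {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Win32_Service covers registered services whether or not they are running,
    # and exposes what the service control manager knows about each one.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object Name, DisplayName, State, StartMode, ProcessId, StartName, PathName
}

function Wait-ForProcess {
    # Poll like the original while(true) loop, but sleep on every pass and give up
    # after a bounded number of tries instead of looping forever.
    param(
        [Parameter(Mandatory)][string]$ImageName,
        [int]$IntervalSeconds = 10,
        [int]$MaxTries = 6
    )
    for ($i = 0; $i -lt $MaxTries; $i++) {
        $found = Find-TargetProcess -ImageName $ImageName
        if ($found) { return $found }
        Write-Host "not found, retrying in $IntervalSeconds s"
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Find-TargetProcess -ImageName 'javaw.exe' | Format-Table -AutoSize
Find-TargetService -ServiceName 'Spooler'  | Format-List   # placeholder service name
```

Matching on the service's Name (the key the SCM uses) rather than only DisplayName is what you want when another program will act on the result, since display names are localised and not unique. ProcessId on a Win32_Service row is 0 while the service is stopped, which is how to tell a registered-but-idle service from a running one.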
