Thema: In welchem Pfad läuft ein Prozess?

Einzelnen Beitrag anzeigen

HolgerX

Registriert seit: 10. Apr 2006
Ort: Leverkusen
972 Beiträge
 
Delphi 6 Professional
 
#29

AW: In welchem Pfad läuft ein Prozess?

  Alt 26. Okt 2018, 18:56
Hmm..

Könnte es sein, das deine EXE etwas im Namen, wie Setup/Install.. enthält, oder etwas, was Windows dazu bewegt die UNC Frage zu stellen?

Dann wird dieser Process wohl als protected processes eingestuft.


https://docs.microsoft.com/en-us/win...-access-rights

Zitat:
Protected Processes
Windows Vista introduces protected processes to enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes.

The following standard access rights are not allowed from a process to a protected process:

**DELETE** **READ\_CONTROL** **WRITE\_DAC** **WRITE\_OWNER**
The following specific access rights are not allowed from a process to a protected process:

**PROCESS\_ALL\_ACCESS** **PROCESS\_CREATE\_PROCESS** **PROCESS\_CREATE\_THREAD** **PROCESS\_DUP\_HANDLE** **PROCESS\_QUERY\_INFORMATION** **PROCESS\_SET\_INFORMATION** **PROCESS\_SET\_QUOTA** **PROCESS\_VM\_OPERATION** **PROCESS\_VM\_READ** **PROCESS\_VM\_WRITE**
The PROCESS_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through PROCESS_QUERY_INFORMATION.

Für GetModuleFileNameEx wird 'PROCESS_QUERY_INFORMATION and PROCESS_VM_READ' benötigt, jedoch für QueryFullProcessImageName nur mindestens PROCESS_QUERY_LIMITED_INFORMATION.

Ich habe mal die Funktion PidToFilename umgeschrieben, so dass ab Vista nicht mehr GetModuleFileNameEx sondern immer QueryFullProcessImageName mit den reduzierten Rechten von PROCESS_QUERY_LIMITED_INFORMATION verwendet wird..


zusammenfalten · markieren
Delphi-Quellcode:
const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;

function PidToFilename(const TargetPID: THandle): WideString;
type
  TQueryFullProcessImageNameW = function(hProcess: THandle; dwFlags: DWORD; lpExeName: PWideChar; nSize: PDWORD): BOOL; stdcall;
var
  hProcess: THandle;
  TargetName: WideString;
  QueryFullProcessImageNameW: TQueryFullProcessImageNameW;
  nSize: cardinal;
begin
  Result := '';
  nSize := MAX_PATH;
  SetLength(TargetName, nSize);
  if Win32MajorVersion >= 6 then begin
    hProcess := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, TargetPID);
    if hProcess <> 0 then begin
      try
        @QueryFullProcessImageNameW := GetProcAddress(GetModuleHandle('kernel32'), 'QueryFullProcessImageNameW');
        if Assigned(QueryFullProcessImageNameW) then
          if QueryFullProcessImageNameW(hProcess, 0, PWideChar(TargetName), @nSize) then
            Result := PWideChar(TargetName);
      finally
        CloseHandle(hProcess);
      end;
    end;
  end else begin
    hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, false, TargetPID);
    if hProcess <> 0 then
      try
        if GetModuleFileNameExW(hProcess, 0, PWideChar(TargetName), nSize) <> 0 then
          Result := PWideChar(TargetName);
    finally
      CloseHandle(hProcess);
    end;
  end;
end;
  Mit Zitat antworten Zitat