tags:

views:

480

answers:

1
+2  Q: 

OpenProcess on x64 images from Win32 app

This is weird. Earlier, running Windows 7 x64, I had trouble calling the Win32 OpenProcess against 64-bit processes. Googled around a bit, and came to the sinking conclusion this just wasn't gonna happen.

Then a funny thing happened. I tried it against the process ID for explorer.exe, and holy carp, it worked! Started throwing other process IDs at it, and it's just a darned crapshoot.

As it turns out, I can call OpenProcess against a good number of x64 processes -- explorer, itype, ipoint, taskhost, cmd, mstsc, ..., etc.

And others pop a 5 (Access is denied) -- winlogon, csrss, services, svchost, mdm, ...

I'm confirming the "bitness" and process ID using Process Explorer. Plus, calling GetModuleFileNameEx on 64-bit processes always fails, so that offers a double-check for 32/64.

This is the code:

' Get a handle to the process.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, ProcessID)
If hProcess Then
   ' Grab the filename for base module.
   nChars = GetModuleFileNameEx(hProcess, 0, Buffer, Len(Buffer))
   ' If running in x64, http://winprogger.com/?p=26
   If Err.LastDllError = ERROR_PARTIAL_COPY Then
      nChars = GetProcessImageFileName(hProcess, Buffer, Len(Buffer))
   End If
   ' Truncate and return buffer.
   If nChars Then
      GetProcessFileName = Left$(Buffer, nChars)
   End If
   Call CloseHandle(hProcess)
Else
   Debug.Print "LastDllError:"; Err.LastDllError
End If

Nothing fancy. Just want to query the processes for things like filename or process times. Anyone have any idea what differentiates between the ones I can open and the ones I can't?

Extra info: Running process as administrator. UAC turned off. Yes, it's a 32-bit app. I have had no better results using PROCESS_QUERY_LIMITED_INFORMATION.

Thanks... Karl

+2  A: 

The processes that you cited (winlogon, csrss, etc.) are critical system processes and services. They run under a different, privileged account. Even though you are running as administrator, you are not the owner of those processes and hence you are not granted any rights in their ACL. Attempting to open will result in access denied.

However, members of the administrators group do have SeDebugPrivilege. This is basically an override on OpenProcess and OpenThread that will allow you to open for all access, even if you are not granted any permission in the ACL.

SeDebugPrivilege is obviously a very dangerous privilege to have - you can bypass access checks and modify/inspect other user's processes. While it is present in an administrators's token by default, it is not enabled by default. You need to enable this privilege before calling OpenProcess.

This MSDN article gives sample code on how to enable and disable privileges in your token.

Michael  2010-02-19 00:43:35
Ouch. Yeah, that was it, alright. That enabled GetProcessTimes times as well. I see Process Explorer is running with that setting, too. So, if I were to run that under a least-priv'd user account, it couldn't be doing this either?Anyway, thanks! :-)
Karl E. Peterson  2010-02-19 02:23:27
Few groups have SeDebugPrivilege by default, basically just SYSTEM and the administrators group. Least privileged users definitely don't. If they did, elevating to full privilege would be trivial since you can inject code you want to run into a privileged process.
Michael  2010-02-20 00:36:25

related questions

How to read a value from the Windows registry
CreateProcessAsUser vs ShellExecute
How do you configure an OpenFileDIalog to select folders?
Is there anything similar to the OS X InputManager on Windows?
So what am I missing with this here WPF?
How to convert std::string to LPCWSTR in C++ (Unicode)
Notification of drop in drag-drop in Windows
Find out which process has an exclusive lock on a USB device handle
What's an alternative to GWL_USERDATA for storing an object pointer?
FlashWindowEx FLASHW_STOP still keeps taskbar colored
Getting UI text from external app in C#
Sending a mouse click to a button in the taskbar using C#
Suitable alternative to CryptEncrypt
Is FindFirstChangeNotification the best API to use for file system change notification on windows?
What is the easiest way to parse an INI File in C++?
_wfopen equivalent under Mac OS X
Validating a Win32 Window Handle
Get list of domains on the network
Does it still make sense to learn low level WinAPI programming?
How do you create your own moniker (URL Protocol) on Windows systems?
Where is a good place to start programming GUIs for windows?
Bringing Window to the Front in C# using Win32 API
How can you tell when a user last pressed a key (or moved the mouse)?
Can a windows dll retrieve its own filename?
Wiggling the mouse using C#