Getting Process information
Paul Gallagher
Hi Yall,
I've been attempting to get process information (other processes, not
mine) but have run into a couple of brick walls. I'm using Delphi, but
these are just a couple of plain Win32 API questions....
1. I haven't discovered a way to enumerate processes, so what I'm
currently doing is using 'OpenProcess' with PID 0,1,2,3 ... etc to see
what I can find. There's got to be a better way! (Is there?)
2. Problem with (1) is that I don't know when to stop! My PID is not
necessarily going to be the highest, and I'll be buggered if I can
find a way of finding out what the highest PID is.
3. Another problem with this approach is that it doesn't seem possible
to access service and system processes by this mechanism.
4. Once I've got the process handle, I can get some info about memory
usage, times etc - but not the process "name" (executable program).
5. There's a mysterious function "NtQuerySystemInformation" which
might provide some assistance. But does anyone know anything about it?
All of these things must be possible (pstat and pviewer do it!), but I
get the feeling I'm missing some key information that's either
undocumented or found in some obscure reference or Microsoft Press
book.
I have thought about using CreateRemoteThread to get a thread inside
the process to then extract info - but this sounds far to hairy and
must be the wrong way.
I guess the main problem is that I'm working from the Win32 API
reference, the incomplete Win32 "headers" shipped with Delphi (the
remainder made of my own pascal port of the Win headers from VC++). If
operating system APIs were only documented properly, then we all might
get to bed before midnight;-)
I'd love to be enlightened - even if all you can suggest is a good
Win32/NT book that delves to these depths!
* Paul Gallagher
* pau...@ozemail.com.au
* http://www.ozemail.com.au/~paulpg/
Bret Pehrson
[text follows]
Welcome to the world of incompatibilities: Getting the information you
desire is going to be different between Win95 and WinNT.
Under Win95, there are some new 'toolhelp32' APIs that allow you to get
process information (see Process32First and buddies)
Under WinNT, you must query the registry 'performance counters.' This
is a convluted mess that is less than fun to play with. You can
disassemble the PVIEW sample app, or read Matt Pietrek in his 'Under the
Hood' column in MSJ. Several issues ago (don't remember which ones), he
covered this type of stuff and provided some sample code. He has also
covered the new toolhelp32 APIs in his column as well.
--
Bret Pehrson mailto:Br...@strata3d.com
*Please carbon-copy all responses to newsgroup
--
Brad Stowers
pau...@ozemail.com.au (Paul Gallagher) wrote:
>1. I haven't discovered a way to enumerate processes, so what I'm
>currently doing is using 'OpenProcess' with PID 0,1,2,3 ... etc to see
>what I can find. There's got to be a better way! (Is there?)
You need the ToolHelp32 procedures, as Bret pointed out. I have included
below a unit that I did to get access to them in Win95. I know that these
functions aren't available in NT 3.5x, but don't know if they have been
added to NT 4.0. Bret could probably better answer that since he seems to
know much more about NT than I (my dog knows almost as much about it as I
do...). :)
Anyway, here's the import unit. It should really be rewritten so that it
loads the procedures dynamically (GetProcAddress), so that it could exit a
bit more gracefully on NT, but I'm lazy.
// NOTE!!! This only works on Win95. NT 3.5x does not provide these
// functions in Kernel32.dll (or anywhere as far as I know). I do not
// know about NT 4.0, you are on your own there.
unit ToolHelp32;
interface
uses Windows;
const
MAX_MODULE_NAME32 = 255;
function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): THandle;
stdcall;
//
// The th32ProcessID argument is only used if TH32CS_SNAPHEAPLIST or
// TH32CS_SNAPMODULE is specified. th32ProcessID == 0 means the current
// process.
//
// NOTE that all of the snapshots are global except for the heap and module
// lists which are process specific. To enumerate the heap or module
// state for all WIN32 processes call with TH32CS_SNAPALL and the
// current process. Then for each process in the TH32CS_SNAPPROCESS
// list that isn't the current process, do a call with just
// TH32CS_SNAPHEAPLIST and/or TH32CS_SNAPMODULE.
//
// dwFlags
//
const
TH32CS_SNAPHEAPLIST = $00000001;
TH32CS_SNAPPROCESS = $00000002;
TH32CS_SNAPTHREAD = $00000004;
TH32CS_SNAPMODULE = $00000008;
TH32CS_SNAPALL = TH32CS_SNAPHEAPLIST or TH32CS_SNAPPROCESS or
TH32CS_SNAPTHREAD or TH32CS_SNAPMODULE;
TH32CS_INHERIT = $80000000;
//
// Use CloseHandle to destroy the snapshot
//
(****** heap walking ***************************************************)
type
PHEAPLIST32 = ^THEAPLIST32;
THEAPLIST32 = packed record
dwSize,
th32ProcessID, // owning process
th32HeapID, // heap (in owning process's context!)
dwFlags: DWORD;
end;
//
// dwFlags
//
const
HF32_DEFAULT = 1; // process's default heap
HF32_SHARED = 2; // is shared heap
function Heap32ListFirst(hSnapshot: THandle; const lphl: THEAPLIST32):
boolean; stdcall;
function Heap32ListNext(hSnapshot: THandle; const lphl: THEAPLIST32):
boolean; stdcall;
type
PHEAPENTRY32 = ^THEAPENTRY32;
THEAPENTRY32 = packed record
dwSize: DWORD;
hHandle: THandle; // Handle of this heap block
dwAddress, // Linear address of start of block
dwBlockSize, // Size of block in bytes
dwFlags,
dwLockCount,
dwResvd,
th32ProcessID, // owning process
th32HeapID: DWORD;// heap block is in
end;
//
// dwFlags
//
const
LF32_FIXED = $00000001;
LF32_FREE = $00000002;
LF32_MOVEABLE = $00000004;
function Heap32First(const lphe: THEAPENTRY32; th32ProcessID, th32HeapID:
DWORD): boolean; stdcall;
function Heap32Next(const lphe: THEAPENTRY32): boolean; stdcall;
function Toolhelp32ReadProcessMemory(th32ProcessID: DWORD;
lpBaseAddress, lpBuffer: pointer;
cbRead: DWORD;
lpNumberOfBytesRead: PDWORD): boolean;
stdcall;
(***** Process walking *************************************************)
Article Unavailable
Brad Choate
>I've been attempting to get process information (other processes, not
>mine) but have run into a couple of brick walls. I'm using Delphi, but
>these are just a couple of plain Win32 API questions....
Well, this program is just for Windows '95, but comes with source that
should be of use to you:
"MonSys Monitors Windows '95" by Neil J. Rubenking
http://www.pcmag.com/issues/1517/pcmg0032.htm
HTH,
Brad
Brad Choate <cho...@cswnet.com> | http://www.cswnet.com/~choate
Webmaster of the Delphi EXchange | http://www.DelphiEXchange.com
You should have asked that question on the Efnet #delphi IRC channel!
Have a Coke and a :)
David Taillé
In article <55kpkb$6...@reader1.reader.news.ozemail.net>,
pau...@ozemail.com.au says...
> Hi Yall,
>
> I've been attempting to get process information (other processes, not
> mine) but have run into a couple of brick walls. I'm using Delphi, but
> these are just a couple of plain Win32 API questions....
>
> currently doing is using 'OpenProcess' with PID 0,1,2,3 ... etc to see
> what I can find. There's got to be a better way! (Is there?)
>
Hi,
as other folks have said, "performance data" is the way to do it.
> 4. Once I've got the process handle, I can get some info about memory
> usage, times etc - but not the process "name" (executable program).
>
You'll find this on "performance data".
> I have thought about using CreateRemoteThread to get a thread inside
> the process to then extract info - but this sounds far to hairy and
> must be the wrong way.
>
Yes, you'll have to use CreateRemoteThread to "inject code" if you want
information like the current directory of a process (at least on NT
3.5x).
And it *is* hairy! But still unavoidable under some circumstances.
E-mail me if you want a working example.
bye
David (Paris, France)
Sergey Zabaryansky
>> Hi Yall,
>>
>> I've been attempting to get process information (other processes, not
>> mine) but have run into a couple of brick walls. I'm using Delphi, but
>> these are just a couple of plain Win32 API questions....
>>
>> 1. I haven't discovered a way to enumerate processes, so what I'm
>> currently doing is using 'OpenProcess' with PID 0,1,2,3 ... etc to see
>> what I can find. There's got to be a better way! (Is there?)
>>
>
>Hi,
>as other folks have said, "performance data" is the way to do it.
Hi,
what is "performance data" ? And how to get them ?
bye
Sergey Zabaryansky (Kiev,Ukraine)
Joerg Koenig
Sergey Zabaryansky wrote:
>
[...]
> Hi,
> what is "performance data" ? And how to get them ?
HKEY_PERFORMANCE_DATA is the registry key where NT stores
informations about all processes and system activities.
Have a look at the samples 'pviewer' and 'tlist' to see
how to get informations from this key.
Bye
Joerg
--
-------------------------------------------------------------------
e-mail : J.Ko...@adg.de
company: ADG mbH, Mannheim
phone : +49 0621/8505-609
David Taillé
In article <ABwaH...@zssoft.carrier.kiev.ua>,
ro...@zssoft.carrier.kiev.ua says...
> In article <55kpkb$6...@reader1.reader.news.ozemail.net>,
> pau...@ozemail.com.au says...
>
> >> Hi Yall,
> >>
> >> I've been attempting to get process information (other processes, not
> >> mine) but have run into a couple of brick walls. I'm using Delphi, but
> >> these are just a couple of plain Win32 API questions....
> >Hi,
> >as other folks have said, "performance data" is the way to do it.
>
> what is "performance data" ? And how to get them ?
>
Performance data is the set of measurements data that makes it possible
to monitor system activity : memory consumption, processor activity,
process and threads activity, network activity, etc.
The Win 32 SDK covers the whole topic under the overview entitled
"Performance monitoring".
The important thing to understand is that performance monitoring can
bring to you information that help you do more than fine-tune an NT
system ; in fact, it is sometimes the only (legal) way to get
information.
Hope it helps.
ciao.