ProcessGetOwner approach - issues

[Ascend4nt]

*EDIT: The updated _ProcessGetOwner() is now a part of my Process Functions UDFs, click the link for it.

----------------------------------------------------------------------------------------

Hi all,

I've coded the below _ProcessGetOwner() function and, while it seems to work on XP, I've experienced failure on like 5% of processes in Vista+ - with seemingly random names (or none at all) being returned for some Processes.

If anyone has any idea if the below code could be tweaked somehow, or if there's another alternative (tried OpenProcessToken and GetKernelObjectSecurity, both failed) please let me know.

The _GetPrivilege_SeDebug is Manko's code from here -> Get SeDebug privilege. The rest is mine, part of a bigger Process functions module I've worked on.

Please, anyone who knows what the heck I'm doing right/wrong, let me know

Thanks,

Ascend4nt

Edited June 4, 2010 by Ascend4nt

[Ascend4nt]

This is interesting.. it appears that Task Manger, even when set to 'Show All Processes from All Users' on Vista and Win 7 actually doesn't list a few processes - namely extra instances of 'dllhost.exe' and 'WmiPrvSE.exe'.. those are the ones bringing up blank owners.

Also, for a few processes, the Owner is coming back as 'None' when it should be the current user name. Only a few processes though!

'Audiodg.exe' is one I can't understand, as it is listed in Task Manager, but comes up blank. grr.. what am I missing

[Manko]

Audiodg.exe is protected application. (There's a bit in the eprocess structure, signaling that...) It should give you some restrictions...

/Manko

[Ascend4nt]

Dang, you are absolutely right - I forgot to check to see if I was actually getting the handle, which I'm not in the cases I listed above. No wonder! Hmm.. is there any workaround that you know of?

I added a check in my code for 'None', which simply changes it to @UserName.. that solves that part of the problem.

However.. how I would get a process handle for those 'protected processes' is the question. I suppose it's not possible if SE_DEBUG access doesn't work eh?

Oh, I've noticed WTS enumeration code works fine on non x86 O/S's for reporting on all Processes (even the hidden dllhost.exe ones).. however on x64 O/S it misses 2-4 processes. I'm not sure why this is. ProcessList reports the correct #, but WTS enumeration, run in both 32-bit and 64-bit mode still misses those processes.

*edit: Hmm, Audiodg.exe always is listed as 'LOCAL SERVICE' on the O/S's I tried it on, but I'm assuming there's the possibility of more protected processes, so checking for this one specifically probably isn't a good idea..

Some searching brought up 'D-Pin Purr' but this is a hack (and a 32-bit one at that). Okay.. enough research for one morning..

Edited April 16, 2010 by Ascend4nt