Posted

I want to know if there is any way to retrieve the parent PID. I have a way of getting the hwnd but that usually comes back 0x000000, even when I tried running it from Ollydbg or the sort. I have been messing around with API for a little while but I still can't find a way to get the PPID without using hwnd.

  • Moderators
Posted

You could use the API GetProcessTimes and compare from there.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

  • Moderators
Posted

I just tried it but I can't get it to work. Can you give me a code sample?

Unfortunately, I've never played with it, and I'm too tired personally to wrap my head around it... But it seems that is the route you should take.

What do you have so far that isn't working that you've tried?... Maybe it just needs tweaking.


Posted

It's not so much that it isn't working as it is I don't know how to set it up to get what I want it to do. MSDN didn't help me at all, and neither did my API helpfile, so I'm lost.

Posted

WMI can give you that information.

; WMI query flags: return at once and use a forward-only enumerator
$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20

; "." is the local computer
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
;$colItems = $objWMIService.ExecQuery("Select * from Win32_Process",,48)

$output = ""

; Collect name, parent PID and PID of every running process
For $objItem In $colItems
    $output = $output & "Name: " & $objItem.Name & @CRLF
    $output = $output & "ParentProcessId: " & $objItem.ParentProcessId & @CRLF
    $output = $output & "ProcessId: " & $objItem.ProcessId & @CRLF
Next

; Copy the listing to the clipboard
ClipPut($output)

Cheers

Kurt

__________________________________________________________
(l)user: Hey admin slave, how can I recover my deleted files?
admin: No problem, there is a nice tool. It's called rm, like recovery method. Make sure to call it with the "recover fast" option like this: rm -rf *

Posted

Thx I'll try it out

O.K. You could start with @AutoItPID, then retrieve the PID and Parent PID of all processes and compare the PID to @AutoItPID ==> Parent PID is then known.

Cheers

Kurt

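An added example, not code from any poster in this thread: it combines the WMI lookup and the @AutoItPID comparison suggested above with the start-time check hinted at by GetProcessTimes. Win32_Process.ParentProcessId is recorded at process creation and never updated, so the parent may have exited and its PID may since have been reused; comparing CreationDate values catches that. The helper name _GetParentPID and its @error codes are assumptions made for this example.

```autoit
; Added example, not code from the thread. _GetParentPID is a hypothetical helper name.
; Returns the recorded parent PID of $iPID (0 if it could not be read).
; @error: 0 = parent is running and started before the child (lineage plausible)
;         1 = WMI unavailable, 2 = $iPID not found
;         3 = recorded parent has exited
;         4 = parent PID was reused, or a start time could not be read
Func _GetParentPID($iPID)
    Local $oWMI = ObjGet("winmgmts:\\.\root\cimv2")
    If Not IsObj($oWMI) Then Return SetError(1, 0, 0)

    Local $colChild = $oWMI.ExecQuery("SELECT ParentProcessId, CreationDate FROM Win32_Process WHERE ProcessId = " & Int($iPID))
    If Not IsObj($colChild) Then Return SetError(1, 0, 0)

    For $oChild In $colChild
        Local $iPPID = $oChild.ParentProcessId
        Local $sChildStart = String($oChild.CreationDate)

        Local $colParent = $oWMI.ExecQuery("SELECT CreationDate FROM Win32_Process WHERE ProcessId = " & $iPPID)
        For $oParent In $colParent
            Local $sParentStart = String($oParent.CreationDate)
            ; CIM datetimes look like yyyymmddHHMMSS.ffffff+UUU. The first 21
            ; characters sort chronologically when both values come from the
            ; same host (a DST shift between the two starts can skew this).
            If StringLen($sParentStart) < 21 Or StringLen($sChildStart) < 21 Then
                Return SetError(4, 0, $iPPID)
            EndIf
            If StringCompare(StringLeft($sParentStart, 21), StringLeft($sChildStart, 21)) > 0 Then
                Return SetError(4, 0, $iPPID) ; "parent" started after the child: PID reused
            EndIf
            Return $iPPID
        Next
        Return SetError(3, 0, $iPPID) ; no live process has the recorded parent PID
    Next
    Return SetError(2, 0, 0)
EndFunc

Local $iParent = _GetParentPID(@AutoItPID)
Local $iErr = @error ; save before the next function call resets it
ConsoleWrite("PID " & @AutoItPID & " parent " & $iParent & " (@error=" & $iErr & ")" & @CRLF)
```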
