Process Information - Win32 API

Process Information & Management

This section delves into the core structures and functions within the Win32 API that facilitate the creation, management, and querying of processes on Windows operating systems. Understanding these elements is fundamental for developing robust and efficient applications that interact with the Windows kernel.

Key Structures

`PROCESS_BASIC_INFORMATION`

The PROCESS_BASIC_INFORMATION structure is used to retrieve basic information about a process. This structure is often obtained via the NtQueryInformationProcess API.

typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID    PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

Members:

ExitStatus: The exit status of the process.
PebBaseAddress: A pointer to the Process Environment Block (PEB).
AffinityMask: A bitmask representing the processor affinity of the process.
BasePriority: The base priority class of the process.
UniqueProcessId: The unique identifier of the process.
InheritedFromUniqueProcessId: The process identifier of the parent process.

`PROCESS_CPU_COUNTERS`

This structure is used with NtQueryInformationProcess to get CPU usage statistics.

typedef struct _PROCESS_CPU_COUNTERS {
    ULONG_PTR PeakCycleTime;
    ULONG_PTR CycleTime;
    ULONG_PTR Reserved1;
    ULONG_PTR Reserved2;
} PROCESS_CPU_COUNTERS;

Core Process Functions

`CreateProcess`

Creates a new process and its primary thread. The new process runs in the same address space of the calling process or in a separate address space, depending on the dwCreationFlags parameter.

Signature:

BOOL CreateProcess(
    LPCTSTR               lpApplicationName,
    LPTSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCTSTR               lpCurrentDirectory,
    LPSTARTUPINFO         lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);

Key Parameters:

Parameter	Description
`lpCommandLine`	The command line string for the new process.
`dwCreationFlags`	Flags that control the priority class and behavior of the new process (e.g., `CREATE_NEW_CONSOLE`, `DETACHED_PROCESS`).
`lpStartupInfo`	A pointer to a `STARTUPINFO` structure that specifies how the new process should be started.
`lpProcessInformation`	A pointer to a `PROCESS_INFORMATION` structure that receives identification information about the new process.

Return Value: Nonzero if the function succeeds, zero otherwise.

`TerminateProcess`

Stops a process and all of its threads. The calling process must have the appropriate access to the target process.

Signature:

BOOL TerminateProcess(
    HANDLE hProcess,
    UINT   uExitCode
);

Parameters:

hProcess: A handle to the process to be terminated.
uExitCode: The exit code for the terminated process.

Return Value: Nonzero if the function succeeds, zero otherwise.

`GetCurrentProcessId`

Retrieves the identifier of the current process. This ID is unique among all processes currently running on the system.

Signature:

DWORD GetCurrentProcessId(void);

Return Value: The return value is the process identifier of the current process.

`GetProcessId`

Retrieves the process identifier of the specified process. This ID can be used to refer to the process in subsequent calls to various system functions.

Signature:

DWORD GetProcessId(
    HANDLE ProcessHandle
);

Parameters:

ProcessHandle: A handle to the process.

Return Value: The return value is the process identifier of the specified process.

`NtQueryInformationProcess` (Native API)

Retrieves a variety of information about a specified process. This is a lower-level function often used for introspection and advanced debugging.

Signature (simplified):

NTSTATUS NtQueryInformationProcess(
    HANDLE                   ProcessHandle,
    PROCESSINFOCLASS         ProcessInformationClass,
    PVOID                    ProcessInformation,
    ULONG                    ProcessInformationLength,
    PULONG                   ReturnLength
);

Key Parameters:

Parameter	Description
`ProcessHandle`	A handle to the process.
`ProcessInformationClass`	A value of the `PROCESSINFOCLASS` enumeration that specifies the type of information to retrieve.
`ProcessInformation`	A pointer to a buffer that receives the information requested. The type of data in this buffer depends on the value of `ProcessInformationClass`.

Commonly used with ProcessInformationClass values such as ProcessBasicInformation (to get PROCESS_BASIC_INFORMATION) or ProcessCpuCounters.

Related Concepts

Thread Management: Understanding how threads operate within a process.
Process Handles: How to obtain and use handles to interact with processes.
Memory Management: How processes manage their address space.
Process Security: Access rights required for various process operations.

Process Information & Management

PROCESS_BASIC_INFORMATION

PROCESS_CPU_COUNTERS

CreateProcess

TerminateProcess

GetCurrentProcessId

GetProcessId

NtQueryInformationProcess (Native API)

`PROCESS_BASIC_INFORMATION`

`PROCESS_CPU_COUNTERS`

`CreateProcess`

`TerminateProcess`

`GetCurrentProcessId`

`GetProcessId`

`NtQueryInformationProcess` (Native API)