Get process handle to any running process in Windows operating system

Introduction

Hi everybody,

I just got a report that my application throws many errors when trying to monitor processes on the Windows operating system, so I had to find a solution. What I found can also help you if you need to gather information for system monitoring or forensics, or to do something else like create, suspend, or kill processes on Windows.

Every one of these actions requires you to open a process handle first. But most of the time we get many errors when trying to open process handles on the system. So how can we solve this problem? We will find a way in this post.

How do we get a process handle for every process?

First, we try to open the process handles with the PROCESS_ALL_ACCESS access right so that we can read the process command line, because reading the command line requires the PROCESS_VM_READ access right. Once you have done that, you will see something like this:

As you can see, we get many “Access is denied” errors even though I run as administrator. Why do we get these errors? Because we do not have enough access rights to open a protected process in Windows. So what is a protected process?

According to MSDN: “Windows Vista introduces protected processes to enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes.

The following standard access rights are not allowed from a process to a protected process:

DELETE

READ_CONTROL

WRITE_DAC

WRITE_OWNER

The following specific access rights are not allowed from a process to a protected process:

PROCESS_ALL_ACCESS

PROCESS_CREATE_PROCESS

PROCESS_CREATE_THREAD

PROCESS_DUP_HANDLE

PROCESS_QUERY_INFORMATION

PROCESS_SET_INFORMATION

PROCESS_SET_QUOTA

PROCESS_VM_OPERATION

PROCESS_VM_READ

PROCESS_VM_WRITE

The PROCESS_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through PROCESS_QUERY_INFORMATION.”

From that, a protected process is a system process that Windows does not want us to interfere with. We only get the PROCESS_QUERY_LIMITED_INFORMATION access right; everything else is denied. With this right we can only collect some basic data from a protected process. So if we want more data, or want to act on a protected process, how can we do that?

Reading further in the same MSDN document, I found this: “To open a handle to another local process and obtain full access rights, you must enable the SeDebugPrivilege privilege”. So we have to enable the debug privilege to get full access rights. This is the result:

As you can see, most of the processes we wanted now open fine, but we still get “Access is denied” for some system processes even after enabling the debug privilege. Continuing through the MSDN documentation, I found: “If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.” So we cannot open a handle to every process from user-level code, but the documentation does not say we cannot do it from kernel-level code. So I tried to find a way to get a process handle from a PID that I send to a kernel driver.

- First, the user-mode application sends the PID of the process it wants to inspect to the driver via an IOCTL.

- The driver opens the process handle and sends it back to the user-mode application.

- The user-mode application uses that handle to get information about the process, then closes it.

Here is my result after doing that:

Yeah, here we go: we got information about every process except the System process, and that is good enough for me. If you know any other way to get a handle to the System process, just tell me. I would be really pleased to hear it.

In summary, we can now do anything with, and get more information about, most processes without problems. If you have any problem doing this, just contact me. It would be my enormous pleasure to support you.
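To see the access-right ladder from this post on a live machine, here is an added PowerShell probe (my own example, not the original post's code) that tries each mask against every running process and reports the highest one the caller is granted. It assumes an elevated session and calls kernel32's OpenProcess through P/Invoke; it does not enable SeDebugPrivilege itself, so the result reflects the token you run it with.

```powershell
# Added example: which of the access masks discussed above does each process grant us?
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Access masks as defined in winnt.h, ordered from most to least demanding.
$AccessLadder = [ordered]@{
    'PROCESS_ALL_ACCESS'                = 0x1FFFFF
    'PROCESS_QUERY_INFORMATION|VM_READ' = 0x0410   # 0x0400 | 0x0010: enough to read the command line
    'PROCESS_QUERY_LIMITED_INFORMATION' = 0x1000   # all that a protected process allows
}
$ERROR_ACCESS_DENIED = 5

function Get-HighestProcessAccess {
    param([uint32]$ProcessId)
    foreach ($name in $AccessLadder.Keys) {
        $h = [Win32.Native]::OpenProcess([uint32]$AccessLadder[$name], $false, $ProcessId)
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Native]::CloseHandle($h)   # never leak the handle
            return $name
        }
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Anything other than access denied is not a rights problem:
        # 87 (ERROR_INVALID_PARAMETER) for PID 0 (Idle) or a process that already exited.
        if ($err -ne $ERROR_ACCESS_DENIED) { return "error $err" }
    }
    return 'NONE'
}

$report = foreach ($p in Get-Process) {
    $level = Get-HighestProcessAccess -ProcessId $p.Id
    $note = switch ($level) {
        'PROCESS_QUERY_LIMITED_INFORMATION' { 'protected process: limited query only' }
        'NONE'  { 'denied even limited query (CSRSS-style restriction or SeDebugPrivilege missing)' }
        default { '' }
    }
    [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Access = $level; Note = $note }
}
$report | Sort-Object Access, PID | Format-Table -AutoSize
```

Run it once from a plain elevated shell and once from a token with SeDebugPrivilege enabled: the processes that stay at PROCESS_QUERY_LIMITED_INFORMATION are the protected ones the MSDN quote describes.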

References:

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

https://docs.microsoft.com/en-us/samples/microsoft/windows-driver-samples/ioctl/

https://docs.microsoft.com/en-us/windows/win32/toolhelp/taking-a-snapshot-and-viewing-processes
