Jump to content

DllCall for WTSEnumerateProcessesEx

kanishk619
 Share

Recommended Posts

kanishk619 Seeker

kanishk619

Posted
Posted

I'm trying to get the process list through wtsapi with the help of the following 

#AutoIt3Wrapper_UseX64=N
#include <Array.au3>

$WTS_PROCESS_INFO_EXW = _
    "DWORD SessionId;" & _
    "DWORD ProcessId;" & _
    "CHAR pProcessName[256];" & _
    "INT pUserSid;" & _
    "DWORD NumberOfThreads;" & _
    "DWORD HandleCount;" & _
    "DWORD PagefileUsage;" & _
    "DWORD PeakPagefileUsage;" & _
    "DWORD WorkingSetSize;" & _
    "DWORD PeakWorkingSetSize;" & _
    "INT64 UserTime;" & _
    "INT64 KernelTime;"

Const $WTS_CURRENT_SERVER_HANDLE = 0
$level = 1
Const $WTS_ANY_SESSION = 0

$ret = DllCall("wtsapi32.dll","int","WTSEnumerateProcessesEx", _
            "hwnd",$WTS_CURRENT_SERVER_HANDLE, _
            "dword*",$level, _
            "dword",$WTS_ANY_SESSION, _
            "ptr*",DllStructGetPtr(DllStructCreate($WTS_PROCESS_INFO_EXW)), _
            "dword*",0)

_ArrayDisplay($ret)

I'm not sure whether m doing it correctly or not, if its correct then how to access the returned data?Insert other media

kanishk619 Seeker

kanishk619

Posted
  • Author
Posted

I had a look on "WTS_PROCESS_INFO_EXW" and DllStructCreate again and few examples circulating around this forum which helped me.  

#include <Array.au3>
#include <security.au3>

$WTS_PROCESS_INFO_EXW = _
        "DWORD SessionId;" & _
        "DWORD ProcessId;" & _
        "PTR pProcessName;" & _
        "PTR pUserSid;" & _
        "DWORD NumberOfThreads;" & _
        "DWORD HandleCount;" & _
        "DWORD PagefileUsage;" & _
        "DWORD PeakPagefileUsage;" & _
        "DWORD WorkingSetSize;" & _
        "DWORD PeakWorkingSetSize;" & _
        "INT64 UserTime;" & _
        "INT64 KernelTime;"

Const $WTS_CURRENT_SERVER_HANDLE = 0
$level = 1
Const $WTS_ANY_SESSION = -2

$ret = DllCall("wtsapi32.dll", "int", "WTSEnumerateProcessesEx", _
        "hwnd", $WTS_CURRENT_SERVER_HANDLE, _
        "dword*", $level, _
        "dword", $WTS_ANY_SESSION, _
        "ptr*", 0, _
        "dword*", 0)

Local $array[$ret[5]][5]
$mem = DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4])

For $i = 0 To $ret[5] - 1
    $mem = DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4] + ($i * DllStructGetSize($mem)))
    $processname = DllStructCreate("char[256]", DllStructGetData($mem, "pProcessName"))
    $array[$i][0] = DllStructGetData($processname, 1)
    $array[$i][1] = DllStructGetData($mem, "ProcessId")
    $array[$i][2] = DllStructGetData($mem, "SessionId")
    $sidToUserName = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid"))
    $sidToString = _Security__SidToStringSid(DllStructGetData($mem, "pUserSid"))
    If IsArray($sidToUserName) Then $array[$i][3]=$sidToUserName[0]
    If $sidToString Then $array[$i][4]=$sidToString
Next

_ArrayDisplay($array)

Thanks to amazing devs and people around here :)

kanishk619 Seeker

kanishk619

Posted
  • Author
Posted (edited)

A quick fix for partial process names (unicode process names appears perfectly fine) 

#include <Array.au3>
#include <security.au3>

$WTS_PROCESS_INFO_EXW = _
        "DWORD SessionId;" & _
        "DWORD ProcessId;" & _
        "PTR pProcessName;" & _
        "PTR pUserSid;" & _
        "DWORD NumberOfThreads;" & _
        "DWORD HandleCount;" & _
        "DWORD PagefileUsage;" & _
        "DWORD PeakPagefileUsage;" & _
        "DWORD WorkingSetSize;" & _
        "DWORD PeakWorkingSetSize;" & _
        "INT64 UserTime;" & _
        "INT64 KernelTime;"

Const $WTS_CURRENT_SERVER_HANDLE = 0
$level = 1
Const $WTS_ANY_SESSION = -2

$ret = DllCall("wtsapi32.dll", "int", "WTSEnumerateProcessesExW", _
        "hwnd", $WTS_CURRENT_SERVER_HANDLE, _
        "dword*", $level, _
        "dword", $WTS_ANY_SESSION, _
        "ptr*", 0, _
        "dword*", 0)

Local $array[$ret[5]][6]
$mem = DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4])

For $i = 0 To $ret[5] - 1
    $mem=DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4]+($i*DllStructGetSize($mem)))
    $processName=DllStructCreate("wchar[256]", DllStructGetData($mem, "pProcessName"))
    $array[$i][0]=DllStructGetData($processName,1)
    $array[$i][1]=DllStructGetData($mem, "ProcessId")
    $array[$i][2]=DllStructGetData($mem, "SessionId")
    $userSid = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid"))
    $strSid = _Security__SidToStringSid(DllStructGetData($mem, "pUserSid"))
    If IsArray($userSid) Then $array[$i][3] = $userSid[0]
    If $strSid Then $array[$i][4] = $strSid
    $array[$i][5]=DllStructGetData($mem, "NumberOfThreads")
Next

_ArrayDisplay($array)

Can someone help me out in understanding why unicode returned names are showing completely and properly whereas ANSI process names are of varying partial length with the below snippet

  

#include <Array.au3>
#include <security.au3>

$WTS_PROCESS_INFO_EXA = _
        "DWORD SessionId;" & _
        "DWORD ProcessId;" & _
        "PTR pProcessName;" & _
        "PTR pUserSid;" & _
        "DWORD NumberOfThreads;" & _
        "DWORD HandleCount;" & _
        "DWORD PagefileUsage;" & _
        "DWORD PeakPagefileUsage;" & _
        "DWORD WorkingSetSize;" & _
        "DWORD PeakWorkingSetSize;" & _
        "INT64 UserTime;" & _
        "INT64 KernelTime;"

Const $WTS_CURRENT_SERVER_HANDLE = 0
$level = 1
Const $WTS_ANY_SESSION = -2

$ret = DllCall("wtsapi32.dll", "int", "WTSEnumerateProcessesEx", _
        "hwnd", $WTS_CURRENT_SERVER_HANDLE, _
        "dword*", $level, _
        "dword", $WTS_ANY_SESSION, _
        "ptr*", 0, _
        "dword*", 0)

Local $array[$ret[5]][6]
$mem = DllStructCreate($WTS_PROCESS_INFO_EXA, $ret[4])

For $i = 0 To $ret[5] - 1
    $mem=DllStructCreate($WTS_PROCESS_INFO_EXA, $ret[4]+($i*DllStructGetSize($mem)))
    $processName=DllStructCreate("char[256]", DllStructGetData($mem, "pProcessName"))
    $array[$i][0]=DllStructGetData($processName,1)
    $array[$i][1]=DllStructGetData($mem, "ProcessId")
    $array[$i][2]=DllStructGetData($mem, "SessionId")
    $userSid = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid"))
    $strSid = _Security__SidToStringSid(DllStructGetData($mem, "pUserSid"))
    If IsArray($userSid) Then $array[$i][3] = $userSid[0]
    If $strSid Then $array[$i][4] = $strSid
    $array[$i][5]=DllStructGetData($mem, "NumberOfThreads")
Next

_ArrayDisplay($array)

 

Edited by kanishk619

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...