Ascend4nt

_WinAPI_ProcessGetCreateTime

12 posts in this topic

#1 ·  Posted (edited)

..

Edited by Ascend4nt




Awesome :P, I was already trying to build a task manager replacement/supplement in the past, but never found good ways around the (slooooow) WMI calls. For sure I will monitor your future posts regarding DllCalls :unsure:...

Cheers


Yet another call that defeats the need for WMI process info calls. Only 2 functions remain to be able to completely match PsaltyDS's _ProcessListProperties() collection function, 'CPU usage' and 'Process Owner' (which isn't the same as Parent Process, but rather 'user' owner? - actually I'm still not 100% sure what it means *shrug*)

Great work!

You already got CPU usage in that function. :P

You just add kernel time and user time for the process, and divide by the SUM for ALL processes, times 100.

About processOWNER: You get most, but not always all, with the 2 funcs I use in my ModuleHelper, in sig... I should continue looking...

Besides... Take a look at my "ThreadsnProcesses" Func, it has much of what one needs. Don't get fooled by the example. Look at the structs! It can do much more than my little example shows... My mistake, not fully expanding. It seems one can't expect people to read through source...

/Manko


Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...


Manko,

You know, I've just been reading some things related to 'GetProcessTimes' and 'GetSystemTimes', and I'm still in the process of figuring out how it all works - I know just by early quick experimentation that Kernel Time and UserTime were giving me 0 results for some processes, so I sorta ignored it at the time. But I guess I'll have to revisit that.

And regarding your source - where are the comments! haha... actually, I've had your 'GetCommandLineFromPID()' in mind as one of the process information sources (good job btw).. and although you and others have some solutions to getting process paths, I found that my way (in sig.) was the only x64-compatible one..

It'd be really cool to complete a _ProcessListProperties() function. Right now, the basic sources I'd use for the same returns as PsaltyDS's function are:

[0] ProcessList() for Process Name ; (alternatively: _WinAPI_ProcessGetFilename() - Ascend4nt)

[1] ProcessList() also for Process ID ; (alternatively: ProcessExists())

[2] _ProcessGetParent() for Parent PID (by SmOke_N)

[3] (?) Process Owner - I guess that's where your code might come in =)

[4] _ProcessGetPriority() for Priority - standard UDF by Matthew Tucker

[5] _WinAPI_ProcessGetPathname() - for Pathname to Process - Ascend4nt

[6] (?) Process CPU Usage - I'll have to try and figure that one out (maybe it's easier than it looks from examples)

[7] ProcessGetStats() for memory usage

[8] _WinAPI_ProcessGetCreateTime() - me

[9] _GetCommandLineFromPID() by Manko (& Wraithdu?)

Okay, I'll have to sleep on this stuff.. take it easy

Ascend4nt


One down... ProcessListOWNER_WTS() - No WMI. Get Process owner list...

Your turn! :P (Maybe your 0 returns are because of privileges?)

/Manko




You know, I've just been reading some things related to 'GetProcessTimes' and 'GetSystemTimes', and I'm still in the process of figuring out how it all works - I know just by early quick experimentation that Kernel Time and UserTime were giving me 0 results for some processes, so I sorta ignored it at the time. But I guess I'll have to revisit that.

Try to use just 0x400 instead of BitOR(0x400,0x10) in _WinAPI_ProcessGetCreateTime. There is no need for the rights to use ReadProcessMemory in this function.

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs] My UDFs: [_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]. UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes


I get some start times with value "16010101010000" although Process Explorer shows me a date/time!

E.g.: process WmiPrvSE.exe

Tested on Vista x32 using AutoIt v3.3.0.0

UEZ


Please don't send me any personal message and ask for support! I will not reply!

Selection of finest graphical examples at Codepen.io

The own fart smells best!
Her 'sikim hıyar' diyene bir avuç tuz alıp koşma!
¯\_(ツ)_/¯  ٩(●̮̮̃•̃)۶ ٩(-̮̮̃-̃)۶ૐ


I forgot to mention that I merged both scripts (_WinAPI_ProcessGetCreateTime and _ProcessListOWNER_WTS()) to one and formatted the time format output:

;http://www.autoitscript.com/forum/index.php?showtopic=90572
#include <array.au3>    ; Needed to display array in example.
#include <security.au3> ; Get OWNER from SID.

; WTS_PROCESS_INFO: two DWORDs and two pointers, so 16 bytes on x86 but 24 bytes on x64.
; The loop below therefore steps by DllStructGetSize() instead of a hard-coded 16.
$tag_WTS_PROCESS_INFO = _
        "DWORD SessionId;" & _
        "DWORD ProcessId;" & _
        "PTR pProcessName;" & _
        "PTR pUserSid"

; ############ Example code #######################
$temp = _ProcessListOWNER_WTS()
If @error Then Exit MsgBox(16, "_ProcessListOWNER_WTS", "WTSEnumerateProcesses failed")
; Row 0 (the Idle process entry, PID 0) is reused as the column header for the display.
$temp[0][0] = "Process"
$temp[0][1] = "ProcessId"
$temp[0][2] = "SessionId"
$temp[0][3] = "ProcessOWNER"
$temp[0][4] = "ProcessCreateTime"
_ArrayDisplay($temp, "Process list with OWNER...")
; ###############################################


; ############ Here be func! ####################
; Returns a 2D array [n][5]: process name, PID, session ID, owner account, creation time.
; @error = 1 if WTSEnumerateProcessesW fails (e.g. insufficient rights) or reports no processes.
Func _ProcessListOWNER_WTS()
    ; WTSEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, Reserved = 0, Version = 1, &pProcessInfo, &Count)
    ; The W export is named explicitly so that pProcessName is known to be a wide-char string.
    Local $ret = DllCall("WTSApi32.dll", "int", "WTSEnumerateProcessesW", "ptr", 0, "dword", 0, "dword", 1, "ptr*", 0, "dword*", 0)
    If @error Or Not IsArray($ret) Or Not $ret[0] Or $ret[5] < 1 Then Return SetError(1, 0, "")
    Local $array[$ret[5]][5]
    Local $mem = DllStructCreate($tag_WTS_PROCESS_INFO, $ret[4])
    Local $iSize = DllStructGetSize($mem) ; 16 on x86, 24 on x64
    Local $string, $ret1
    For $i = 0 To $ret[5] - 1
        $mem = DllStructCreate($tag_WTS_PROCESS_INFO, $ret[4] + ($i * $iSize))
        If DllStructGetData($mem, "pProcessName") Then
            $string = DllStructCreate("wchar[256]", DllStructGetData($mem, "pProcessName"))
            $array[$i][0] = DllStructGetData($string, 1)
        EndIf
        $array[$i][1] = DllStructGetData($mem, "ProcessId")
        $array[$i][2] = DllStructGetData($mem, "SessionId")
        ; pUserSid is NULL for some entries (Idle/System), so never hand a null pointer to the lookup
        If DllStructGetData($mem, "pUserSid") Then
            $ret1 = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid"))
            If IsArray($ret1) Then $array[$i][3] = $ret1[0]
        EndIf
        $array[$i][4] = _WinAPI_ProcessGetCreateTime($array[$i][1])
    Next
    ; WTSFreeMemory returns void and takes the buffer pointer (not an int)
    DllCall("WTSApi32.dll", "none", "WTSFreeMemory", "ptr", $ret[4])
    Return $array
EndFunc   ;==>_ProcessListOWNER_WTS
;################################ END FUNC ##########################################


;http://www.autoitscript.com/forum/index.php?showtopic=90552
; ===============================================================================================
; Func _WinAPI_ProcessGetCreateTime($vProcess)
;
; Function to get the Process Creation Time
;
; $vProcess = Process ID or Process Name
;
; Returns:
;   Success: Creation Time as a string, YYYY/MM/DD HH:MM:SS (local time, 24-hour clock)
;   Failure: Empty string, with @error = 1 if the process does not exist,
;            @error = 2 on DLL call failure (including OpenProcess returning a NULL handle,
;            e.g. access denied; a NULL handle left unchecked leaves the FILETIME at 0,
;            which converts to 1601/01/01)
;
; Author: Ascend4nt
; ===============================================================================================

Func _WinAPI_ProcessGetCreateTime($vProcess)
    Local $time
    If Not IsNumber($vProcess) Then
        $vProcess = ProcessExists($vProcess)
        If Not $vProcess Then Return SetError(1, 0, "")
    EndIf
    Local $stCreateTime, $stExitTime, $stKernelTime, $stUserTime
    ; Open Process handle with PROCESS_QUERY_INFORMATION (0x400) only. PROCESS_VM_READ (0x10) was
    ; dropped on Prog@ndy's tip: GetProcessTimes does not need it. @http://msdn.microsoft.com/en-us/library/ms684880(VS.85).aspx
    Local $hProcess = DllCall('kernel32.dll', 'ptr', 'OpenProcess', 'dword', 0x400, 'int', 0, 'dword', $vProcess)
    ; A NULL handle is a failure, not a usable handle: without this check GetProcessTimes fails
    ; silently, the FILETIME stays 0 and the caller gets a 1601/01/01 timestamp.
    If @error Or Not IsArray($hProcess) Or Not $hProcess[0] Then Return SetError(2, 0, "")
    ; FILETIME structures, read back as two dwords (lo, hi)
    $stCreateTime = DllStructCreate("dword[2]")
    $stExitTime = DllStructCreate("dword[2]")
    $stKernelTime = DllStructCreate("dword[2]")
    $stUserTime = DllStructCreate("dword[2]")
    Local $aRet = DllCall("kernel32.dll", "int", "GetProcessTimes", "ptr", $hProcess[0], "ptr", DllStructGetPtr($stCreateTime), _
            "ptr", DllStructGetPtr($stExitTime), "ptr", DllStructGetPtr($stKernelTime), "ptr", DllStructGetPtr($stUserTime))
    Local $iErr = @error
    ; Close the process handle before checking the result (the CloseHandle call resets @error)
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $hProcess[0])
    If $iErr Or Not IsArray($aRet) Or Not $aRet[0] Then Return SetError(2, 0, "")
    $time = _WinAPI_FileTimeConvert(DllStructGetData($stCreateTime, 1, 1), DllStructGetData($stCreateTime, 1, 2))
    If @error Then Return SetError(2, 0, "")
    ; Reformat YYYYMMDDHHMMSS as YYYY/MM/DD HH:MM:SS
    $time = StringLeft($time, 4) & "/" & StringMid($time, 5, 2) & "/" & StringMid($time, 7, 2) & " " & StringMid($time, 9, 2) & ":" & StringMid($time, 11, 2) & ":" & StringMid($time, 13, 2)
    Return $time
EndFunc   ;==>_WinAPI_ProcessGetCreateTime

; ===============================================================================================
; Func _WinAPI_FileTimeConvert($iFileDateTimeLo,$iFileDateTimeHi,$DLL=-1)
;
; Function to Convert Date-Time double-dword values stored in Windows FILETIME structures
;   NOTE: It *has* to be passed as two dwords, otherwise there are issues with 64-bit parameters.
;
; NOTE: When used with _WinAPI_FileFind.. functions, the *PREFERRED* METHOD of calling this is:
;   _WinAPI_FileFindTimeConvert()
;
; $iFileDateTimeLo = Lo dword of date/time info returned in the FILETIME structure
; $iFileDateTimeHi = Hi dword of date/time info returned in the FILETIME structure.
; $DLL = DLL handle or -1
;
; Return:
;   Success: formatted string : YYYYMMDDHHMMSS (24-hour clock, local time)
;   Failure: empty string, with @error=2 (DLL call fail) or @error=3 (both dwords zero: no time
;            was ever written to the FILETIME; left unchecked this converts to 1601-01-01 plus
;            the local time-zone offset, e.g. 16010101010000 at UTC+1)
;
; Author: Ascend4nt
; ===============================================================================================

Func _WinAPI_FileTimeConvert($iFileDateTimeLo, $iFileDateTimeHi, $DLL = -1)
    Local $sDateTimeStr, $stLocalFileTime, $stFileTime, $stSystemTime, $aRet
    ; A FILETIME of 0 is not a date but "nothing was written": refuse it rather than report 1601
    If $iFileDateTimeLo = 0 And $iFileDateTimeHi = 0 Then Return SetError(3, 0, "")
    ; FILETIME structures [DateTimeLo,DateTimeHi]
    $stLocalFileTime = DllStructCreate("dword[2]")
    $stFileTime = DllStructCreate("dword[2]")
    ; SYSTEMTIME structure [Year,Month,DayOfWeek,Day,Hour,Min,Sec,Milliseconds]
    $stSystemTime = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")

    If $DLL == -1 Then $DLL = "Kernel32.dll"
    ; Set the appropriate data members of the FileTime structure
    DllStructSetData($stFileTime, 1, $iFileDateTimeLo, 1)
    DllStructSetData($stFileTime, 1, $iFileDateTimeHi, 2)

    ; First convert file time (UTC-based file time) to 'local file time'
    $aRet = DllCall($DLL, "int", "FileTimeToLocalFileTime", "ptr", DllStructGetPtr($stFileTime), "ptr", DllStructGetPtr($stLocalFileTime))
    If @error Or Not IsArray($aRet) Or Not $aRet[0] Then Return SetError(2, 0, "")

    ; Then convert file time to a system time structure
    $aRet = DllCall($DLL, "int", "FileTimeToSystemTime", "ptr", DllStructGetPtr($stLocalFileTime), "ptr", DllStructGetPtr($stSystemTime))
    If @error Or Not IsArray($aRet) Or Not $aRet[0] Then Return SetError(2, 0, "")

    ; Now format it and return it in a string. Format: YYYYMMDDHHMMSS (Year, Month, Day, Hour, Min, Sec)
    $sDateTimeStr = DllStructGetData($stSystemTime, 1) & StringRight('0' & DllStructGetData($stSystemTime, 2), 2) & _
            StringRight('0' & DllStructGetData($stSystemTime, 4), 2) & _
            StringRight('0' & DllStructGetData($stSystemTime, 5), 2) & StringRight('0' & DllStructGetData($stSystemTime, 6), 2) & _
            StringRight('0' & DllStructGetData($stSystemTime, 7), 2)

    ; DLLStructDelete()'s
    $stSystemTime = 0
    $stFileTime = 0
    $stLocalFileTime = 0

    Return $sDateTimeStr
EndFunc   ;==>_WinAPI_FileTimeConvert

Here I can see "16010101010000" values!

UEZ


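Manko's CPU-share rule earlier in the thread (kernel + user time of one process over the sum for all processes, times 100) and the "16010101010000" values in UEZ's output both come down to FILETIME arithmetic, so here is an added example of my own, not code from the UDFs in this thread, written in Python so it runs without DllCall: it joins the two DWORDs the UDF reads from a dword[2] struct, converts them to the YYYYMMDDHHMMSS string the UDF builds, rejects an all-zero FILETIME instead of reporting 1601, and computes per-process CPU share from two GetProcessTimes sweeps. The UTC+1 zone, the PIDs and the tick values are constructed inputs, not captures.

```python
from datetime import datetime, timedelta, timezone

# A FILETIME is 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, stored as two DWORDs.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
SECONDS_1601_TO_1970 = 11_644_473_600
UTC_PLUS_1 = timezone(timedelta(hours=1))  # constructed: assumed zone for the 16010101010000 case

def filetime_from_dwords(lo: int, hi: int) -> int:
    """Join dwLowDateTime / dwHighDateTime (dword[2] elements 1 and 2) into one 64-bit tick count."""
    return ((hi & 0xFFFFFFFF) << 32) | (lo & 0xFFFFFFFF)

def dwords_from_unix(unix_seconds: int) -> tuple:
    """Helper for constructing inputs: the (lo, hi) pair a FILETIME holds for a Unix timestamp."""
    ticks = (SECONDS_1601_TO_1970 + unix_seconds) * TICKS_PER_SECOND
    return ticks & 0xFFFFFFFF, ticks >> 32

def filetime_to_string(lo: int, hi: int, tz: timezone = timezone.utc) -> str:
    """Same job as _WinAPI_FileTimeConvert: YYYYMMDDHHMMSS in zone tz, with no validity check,
    so an all-zero FILETIME comes out as 1601-01-01 shifted by the zone offset."""
    ticks = filetime_from_dwords(lo, hi)
    local = (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).astimezone(tz)
    return local.strftime("%Y%m%d%H%M%S")

def process_create_time(lo: int, hi: int, tz: timezone = timezone.utc) -> str:
    """Caller-side guard: zero means GetProcessTimes never wrote a time (OpenProcess gave a
    NULL handle or the call failed), so return "" rather than a bogus 1601 date."""
    if filetime_from_dwords(lo, hi) == 0:
        return ""
    return filetime_to_string(lo, hi, tz)

def cpu_share_percent(before: dict, after: dict) -> dict:
    """Manko's rule over two GetProcessTimes sweeps: per PID, (kernel + user) ticks consumed
    between the sweeps, divided by the sum over all PIDs, times 100.
    Both dicts map pid -> (kernel_ticks, user_ticks); a PID first seen in 'after' counts in full."""
    used = {}
    for pid, (kernel, user) in after.items():
        k0, u0 = before.get(pid, (0, 0))
        used[pid] = max(0, (kernel + user) - (k0 + u0))
    total = sum(used.values())
    return {pid: (100.0 * t / total if total else 0.0) for pid, t in used.items()}

# Constructed sweeps (not real captures), ticks in 100 ns units, about one second apart:
# PID 0 is the Idle entry, 1234 an existing process, 5678 one that started between the sweeps.
SWEEP_1 = {0: (9_000_000, 0), 1234: (2_000_000, 3_000_000)}
SWEEP_2 = {0: (9_800_000, 0), 1234: (2_050_000, 3_100_000), 5678: (20_000, 30_000)}

if __name__ == "__main__":
    print(filetime_to_string(0, 0, UTC_PLUS_1))  # 16010101010000: the value seen in the thread
    print(process_create_time(*dwords_from_unix(1_235_908_800), UTC_PLUS_1))  # 20090301130000
    print(cpu_share_percent(SWEEP_1, SWEEP_2))  # {0: 80.0, 1234: 15.0, 5678: 5.0}
```

The zero check is the piece the UDF lacks: once OpenProcess fails on a protected or already-exited process, the unchanged FILETIME is the only trace of the failure, so it has to be rejected before conversion rather than after.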


Here I can see "16010101010000" values!

UEZ




Confirmed :P

UEZ :unsure:




#11 ·  Posted (edited)

Try to use just 0x400 instead of BitOR(0x400,0x10) in _WinAPI_ProcessGetCreateTime. There is no need for the rights to use ReadProcessMemory in this function.

Prog@ndy, thx for the tip. I'm not always sure what rights to use all the time.

I get some start times with value "16010101010000" although Process Explorer shows me a date/time!

E.g.: process WmiPrvSE.exe

Tested on Vista x32 using AutoIt v3.3.0.0

UEZ

UEZ, that's odd - I've just tried it with and without Admin+elevated privileges on Vista Ultimate x32 and it gave me the proper time for WmiPrvSE. Hmm.. I haven't tried it specifically with v. 3.3 though.. I'll have to give that a go.

One down... ProcessListOWNER_WTS() - No WMI. Get Process owner list...

Your turn! :P (Maybe your 0 returns are because of privileges?)

/Manko

Manko, nice job! Kudos =)

But don't expect this CPU usage measurer to come out too soon hehe.. I'd rather not have to get *all* processes to find out the usage for 1 process.. there must be a simpler way no? I'll need to mess around with things to see what I can come up with

Oh, and interesting idea in this thread using a 'double' value to save/pass the time information - I wouldn't have thought of that. Didn't even know it was 64-bits.

http://www.autoitscript.com/forum/index.ph...st&p=651357

Thx all!

*edit - oops referenced wrong thread at first

Edited by ascendant


Manko, nice job! Kudos =)

But don't expect this CPU usage measurer to come out too soon hehe.. I'd rather not have to get *all* processes to find out the usage for 1 process.. there must be a simpler way no? I'll need to mess around with things to see what I can come up with

Thanks!

Well, internally, windows works with linked lists of all kinds, and exports functions that go through lists and deliver wanted instances...

When that doesn't work, (functions don't exist or there are limitations) we have to go through lists ourselves, but that would be MUCH faster in C++ or straight assembler... Either we make dlls or authors of Autoit could code them... OR, we live with speed issues...

But when functions already exist and can be made to deliver, that is certainly a relief.

Hope you make it!! :P

/Manko



