How to check if a process is running as User or System..?

cypher175

Is there any Code/Function to check if a specific process is running under User or System Privileges..??

spudw2k

You can try a WMI query. I believe the container you are interested in is Win32_Process, and you'll need to call the getuser() getowner() method. This example can be tailored to your needs.

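_ProcessRetrieve()

; Lists every process on $host with the user name of its owner (WMI Win32_Process.GetOwner)
Func _ProcessRetrieve($host = @ComputerName, $usr = 0)
    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $host & "\root\cimv2")
    If Not IsObj($objWMIService) Then Return 0

    $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process")
    For $objItem In $colItems
        ; GetOwner returns 0 on success; clear $usr otherwise so the previous process's owner is not printed again
        If $objItem.GetOwner($usr) <> 0 Then $usr = ""
        ConsoleWrite($objItem.Name & ":" & $objItem.ProcessId & @TAB)
        ConsoleWrite($usr & @CRLF)
    Next

    Return 1
EndFunc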
Edited by spudw2k

WideBoyDixon

Alternatively try:

OpenProcessToken

GetTokenInformation

LookupAccountSid

All in Advapi32.dll I think (being lazy and not checking).

WBD

cypher175

Are those AutoIt UDFs or something else..?? How would I use those functions that you listed..??

FreeFry

Using DllCall

Edit:

I took some time to dig into how those functions work, and found that all of the functions needed are actually included as UDFs in AutoIt:

#include <Security.au3>
#include <Constants.au3>

ConsoleWrite("Process explorer.exe is running under user: " & _ProcessGetOwner("explorer.exe") & @LF)


; Returns the account name for the owner SID of the process token; @extended holds the SID type
Func _ProcessGetOwner($ivPID)
    $ivPID = ProcessExists($ivPID) ; accepts a process name or PID, returns the PID (0 if not running)
    If Not $ivPID Then Return(SetError(1, 0, 0))
    Local Const $TOKEN_READ = 0x00020000+0x0008; STANDARD_RIGHTS_READ+TOKEN_QUERY
    Local $hvProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ivPID, False)
    Local $hvToken = _Security__OpenProcessToken($hvProcess, $TOKEN_READ)
    Local $bvSID = _Security__GetTokenInformation($hvToken, $TOKENOWNER)
    ; TOKEN_OWNER holds one pointer-sized PSID, so read it as "ptr" ("ulong" truncates it on 64-bit)
    Local $avRet = DllStructCreate("ptr", DllStructGetPtr($bvSID))
    $avRet = _Security__SidToStringSid(DllStructGetData($avRet, 1))
    $avRet = _Security__LookupAccountSid($avRet) ; [0] = account name, [1] = domain, [2] = SID type
    _WinAPI_CloseHandle($hvProcess)
    _WinAPI_CloseHandle($hvToken)
    If Not IsArray($avRet) Then Return(SetError(1, 0, ""))
    Return(SetError(0, $avRet[2], $avRet[0]))
EndFunc
Edited by FreeFry
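
An added example (not part of the thread and not any poster's code): the same token walk as the function above, but it reads the token user (class value 1, TokenUser in the Windows TOKEN_INFORMATION_CLASS enum) instead of the token owner, because the owner is the default owner for objects the process creates and can differ from the account the process runs as. It then classifies by well-known SID rather than by account name. The function names `_ProcessGetUserSid` and `_SidAccountKind`, the local constant names and the `<WinAPI.au3>` include are assumptions of this example.

```autoit
#include <Security.au3>
#include <WinAPI.au3>

; Constructed demo call: explorer.exe normally runs as the logged-on user.
Local $sResult = _ProcessGetUserSid("explorer.exe")
If @error Then
    ConsoleWrite("Token not readable (step " & @error & "): account unknown" & @LF)
Else
    ConsoleWrite($sResult & " -> " & _SidAccountKind($sResult) & @LF)
EndIf

; Returns the string SID of the account the process runs as (TokenUser).
; @error: 1 = no such process, 2 = OpenProcess failed, 3 = OpenProcessToken failed,
;         4 = GetTokenInformation failed, 5 = SID conversion failed
Func _ProcessGetUserSid($vProcess)
    Local Const $PROCESS_QUERY_LIMITED = 0x1000 ; PROCESS_QUERY_LIMITED_INFORMATION (Vista+)
    Local Const $TOKEN_QUERY_ACCESS = 0x0008    ; TOKEN_QUERY
    Local Const $TOKEN_USER_CLASS = 1           ; TokenUser in TOKEN_INFORMATION_CLASS
    Local $iPID = ProcessExists($vProcess)
    If Not $iPID Then Return SetError(1, 0, "")
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_QUERY_LIMITED, False, $iPID)
    If Not $hProcess Then Return SetError(2, 0, "")
    Local $hToken = _Security__OpenProcessToken($hProcess, $TOKEN_QUERY_ACCESS)
    _WinAPI_CloseHandle($hProcess)
    If Not $hToken Then Return SetError(3, 0, "")
    Local $tInfo = _Security__GetTokenInformation($hToken, $TOKEN_USER_CLASS)
    Local $iErr = @error ; save before CloseHandle resets @error
    _WinAPI_CloseHandle($hToken)
    If $iErr Or Not IsDllStruct($tInfo) Then Return SetError(4, 0, "")
    ; TOKEN_USER begins with a pointer-sized PSID that points into $tInfo's buffer
    Local $tUser = DllStructCreate("ptr Sid;dword Attributes", DllStructGetPtr($tInfo))
    Local $sSid = _Security__SidToStringSid(DllStructGetData($tUser, "Sid"))
    If @error Or $sSid = "" Then Return SetError(5, 0, "")
    Return $sSid
EndFunc

; Classifies by well-known SID, which does not change with the Windows display language.
Func _SidAccountKind($sSid)
    Switch $sSid
        Case "S-1-5-18"
            Return "LocalSystem"
        Case "S-1-5-19"
            Return "LocalService"
        Case "S-1-5-20"
            Return "NetworkService"
        Case Else
            Return "user or other account"
    EndSwitch
EndFunc
```

Reading the token of a SYSTEM process usually requires an elevated script; a non-zero @error means the account could not be determined, not that the process is unprivileged.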

cypher175

Would there be any way, using those same or other functions, to check the CPU% usage of a specified process..??

rajeshontheweb
cypher175

Where is this processlistproperties UDF at..?? I can't seem to locate it in the AutoIt install directory..??

rajeshontheweb
Sundance

Hi FreeFry,

What value does $TOKENOWNER have? I looked at MSDN. Is it 1?

greetz

Sundance

Sundance

Ah, thx!

Lol

After 6 months I had not written down your answer and I can't see your post here .. :-)

What was the value of $TokenOwner again?

thx

Sundance

jvanegmond

Hello,

The value is known to the AutoIt script, so it must be defined somewhere. Probably in the includes, because it's not in the main script.

With this information, we go to: C:\Program Files\AutoIt3\Include\SecurityConstants.au3 (it was not in Security.au3)

We find this value:

Global Const $TOKENOWNER = 4

Your answer is 4. You could have seen it all by yourself, very easily.

Sundance

Thx Manadar,

I looked at Security.au3 and wondered where it could be defined. You are right, I should have been irritated why AutoIt knows about $TokenOwner....

Thx for your quick reply

Sundance

Edited by Sundance
