find real parent process (Creator process)

In my project I want to get the parent process and the creator process.
I get the parent process ID in the PS_CREATE_NOTIFY_INFO structure,
but how can I get the real creator process ID?
Thank you.

Real as in…?

What is the problem that you are trying to find a solution for?

For example:
when we run an app with CreateProcessAsUser (for elevated access),
the OS first launches “consent.exe”, then “consent.exe” runs “app1.exe”. But in EPROCESS the parent PID is explorer.exe’s PID.
My issue is how I can distinguish the parent PID from the creator PID.

Query information about the parent process until it’s null?
Query the process in a loop using ZwQuerySystemInformation and get the parent process ID from the ->InheritedFromUniqueProcessId field, until it’s zero.


I might be wrong here, not certain.

Does the field CreatingThreadId in that structure not contain the original process id?

If not, then try what ThatsBerkan said.
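As an added example (not code from this thread or from any WDK sample), here is how a process-creation callback can keep the two IDs the documented PS_CREATE_NOTIFY_INFO carries apart: ParentProcessId, the process the new one inherits from, and CreatingThreadId.UniqueProcess, the process whose thread actually issued the create. The BUILD_AS_DRIVER macro and the minimal stand-in types in the non-driver branch are assumptions so the same logic compiles and runs in user mode.

```c
/* Added example: pull both IDs out of PS_CREATE_NOTIFY_INFO.  Compile with
 * -DBUILD_AS_DRIVER inside a WDK project to use the real types; otherwise the
 * stand-ins below (assumed, only the members used here) let it run in user mode. */
#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>
typedef void *HANDLE;
typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;
typedef struct _PS_CREATE_NOTIFY_INFO {
    HANDLE    ParentProcessId;    /* process the new one inherits from */
    CLIENT_ID CreatingThreadId;   /* thread that actually issued the create */
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
#endif

typedef struct {
    HANDLE new_pid;
    HANDLE parent_pid;   /* explorer.exe in the OP's scenario */
    HANDLE creator_pid;  /* the broker that called CreateProcessAsUser */
    HANDLE creator_tid;
    int    brokered;     /* 1 when creator and parent differ */
} create_lineage;

/* Fill *out from a create notification.  Returns 0 for exit notifications
 * (CreateInfo is NULL then), which carry no lineage information. */
int classify_create(HANDLE pid, const PS_CREATE_NOTIFY_INFO *info, create_lineage *out)
{
    if (info == NULL)
        return 0;
    out->new_pid     = pid;
    out->parent_pid  = info->ParentProcessId;
    out->creator_pid = info->CreatingThreadId.UniqueProcess;
    out->creator_tid = info->CreatingThreadId.UniqueThread;
    out->brokered    = (out->creator_pid != out->parent_pid);
    return 1;
}

#ifdef BUILD_AS_DRIVER
/* Register with PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE). */
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    create_lineage l;
    UNREFERENCED_PARAMETER(Process);
    if (!classify_create(ProcessId, CreateInfo, &l))
        return;   /* process exit: nothing to attribute */
    DbgPrint("pid %p parent %p creator %p (tid %p)%s\n", l.new_pid, l.parent_pid,
             l.creator_pid, l.creator_tid, l.brokered ? " [created on behalf of parent]" : "");
}
#endif
```

When the two IDs differ, the record tells you both who will be treated as the parent (handle and token inheritance) and who really spawned the process, which is the distinction the original question is after.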

I would really try to stay with what you can glean from the APIs (like ZwQuerySystemInformation) and not try to dig into internal structures like EPROCESS and ETHREAD, which change like some people change socks …


That is not an internal structure, Craig, that I was talking about. It is documented right here on MSDN:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_ps_create_notify_info

Ah, got it, thx for clearing that up! The OP had specifically mentioned using the (internal) EPROCESS structure in post #5; the (public) PS_CREATE_NOTIFY_INFO to which you refer is the correct structure! 🙂

Thank you, all of you.
I will try.