I try to retrieve the parent process name as follows:
- Take the PEB for the current process and take the parent PID from InheritedFromUniqueProcessId.
- Try to take the parent process image name with ZwQueryInformationProcess(…, ProcessImageFileName, …).
Obviously, the parent process may not exist; that’s OK.
The problem: sometimes I receive the name of another process!?!
(As I was told, PID assignment is random, but I have met this problem a few times; it seems not so random.)
It’s understandable that the requested PID might be assigned to another, new process.
But I have checked; Process Explorer returns for this situation!
The question: how to determine that the parent process really does not exist?
Hi Michael,
First of all, you should not trust data in the PEB – the user-mode application can modify this. You can get the parent PID from the EPROCESS structure – if you’re in kernel you can use PsGetProcessInheritedFromUniqueProcessId(), or if you’re in user-mode then NtQueryInformationProcess can help you for native code, or the toolhelp API from Win32.
Same for the process image name – the API you’re using queries the image file name from the PEB, which is not trustworthy. If you’re in kernel, use SeLocateProcessImageName. If you’re in user-mode, there’s a different info class from that one, and the documented Win32API is QueryProcessFullImageName.
To answer your question however, PIDs in Windows are re-used, that’s why you can never trust that the parent PID is still around. What Process Explorer does is check the CreateTime of the child and parent. If the create time of the parent is later than the create time of the child, Mark assumes the Parent PID was re-used.
This technique works only if the user never sets the clock back (which Windows can do as well as part of time synchronization).
What you really need is a sequence number. CSRSS maintains one in the CSR_PROCESS structure, but that’s undocumented. In Windows 10, the kernel *finally* stores a per-process sequence number which can solve this issue. But I doubt you want your code to work on Windows 10 only 
The other option is to implement a filter driver by using PsSetProcessCreateNotifyRoutineEx. This way, you’ll get a notification for every PID Created/Terminated, and you can maintain your own state.
–
Best regards,
Alex Ionescu
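The two checks Alex describes, as an added example that is not code from this thread: a user-mode model of a driver that maintains its own per-process state from create/exit notifications and then answers "is the parent still the original parent?" both with the Process Explorer create-time heuristic and with a sequence number. The notification function and its parameters are a simplified stand-in for a PsSetProcessCreateNotifyRoutineEx callback, the table size is arbitrary, and all PIDs and timestamps are constructed.

```c
/* Tracking parent-process identity across PID reuse (added example, not thread code).
 * on_process_notify() is a simplified stand-in for a PsSetProcessCreateNotifyRoutineEx
 * callback; PIDs and create times below are constructed test data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64 /* arbitrary for the example */

typedef enum { PARENT_ALIVE, PARENT_GONE, PARENT_PID_REUSED } parent_status_t;

typedef struct {
    uint32_t pid;
    uint32_t parent_pid;
    uint64_t seq;         /* our own sequence number, assigned at creation */
    uint64_t parent_seq;  /* parent's seq at the moment the child was created */
    int64_t  create_time; /* 100 ns units, as PsGetProcessCreateTimeQuadPart returns */
    bool     alive;
} proc_record_t;

static proc_record_t g_table[MAX_TRACKED];
static uint64_t g_next_seq;

void tracker_reset(void) {
    memset(g_table, 0, sizeof g_table);
    g_next_seq = 1;
}

static proc_record_t *find_live(uint32_t pid) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].alive && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

/* Create/exit notification: create == true records the process and snapshots the
 * parent's sequence number; create == false marks it dead. The dead slot stays
 * free for reuse, just as the PID does in the real system. */
void on_process_notify(uint32_t pid, uint32_t parent_pid, int64_t create_time, bool create) {
    if (!create) {
        proc_record_t *r = find_live(pid);
        if (r) r->alive = false;
        return;
    }
    const proc_record_t *parent = find_live(parent_pid);
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (g_table[i].alive) continue;
        g_table[i].pid = pid;
        g_table[i].parent_pid = parent_pid;
        g_table[i].seq = g_next_seq++;
        g_table[i].parent_seq = parent ? parent->seq : 0;
        g_table[i].create_time = create_time;
        g_table[i].alive = true;
        return;
    }
}

/* Process Explorer's heuristic: a parent created after its child must be a reused PID.
 * Breaks if the clock was set back between the two creations. */
parent_status_t parent_status_by_time(uint32_t child_pid) {
    const proc_record_t *child = find_live(child_pid);
    const proc_record_t *parent = child ? find_live(child->parent_pid) : NULL;
    if (!child || !parent) return PARENT_GONE;
    return parent->create_time > child->create_time ? PARENT_PID_REUSED : PARENT_ALIVE;
}

/* Sequence-number check: the live record for the parent PID must carry the same
 * sequence number the child saw at creation. Independent of the wall clock. */
parent_status_t parent_status_by_seq(uint32_t child_pid) {
    const proc_record_t *child = find_live(child_pid);
    const proc_record_t *parent = child ? find_live(child->parent_pid) : NULL;
    if (!child || !parent) return PARENT_GONE;
    return parent->seq == child->parent_seq ? PARENT_ALIVE : PARENT_PID_REUSED;
}

/* Constructed scenario: parent 100 spawns child 200, parent exits, then an unrelated
 * process is created with the reused PID 100 at reused_create_time. */
void scenario_pid_reuse(int64_t reused_create_time) {
    tracker_reset();
    on_process_notify(100, 4, 1000, true);               /* parent, created at t=1000 */
    on_process_notify(200, 100, 2000, true);             /* child of 100, t=2000 */
    on_process_notify(100, 0, 0, false);                 /* parent exits */
    on_process_notify(100, 4, reused_create_time, true); /* PID 100 reused */
}

int main(void) {
    scenario_pid_reuse(3000); /* clock moved forward: both checks see the reuse */
    printf("forward clock: by_time=%d by_seq=%d\n",
           parent_status_by_time(200), parent_status_by_seq(200));
    scenario_pid_reuse(500);  /* clock set back: the time heuristic trusts the wrong parent */
    printf("clock set back: by_time=%d by_seq=%d\n",
           parent_status_by_time(200), parent_status_by_seq(200));
    return 0;
}
```

The second scenario is the failure mode Alex points out: with the clock set back, the reused PID 100 has an earlier create time than its supposed child, so the create-time comparison reports the parent as alive, while the sequence-number comparison still reports the reuse. In a real driver the table would be keyed by the values delivered to the notify routine and protected by a lock, since callbacks arrive from many threads.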
Alex,
thanks a lot!
You gave me a lot of hints.
Unfortunately, there are a lot of undocumented APIs, and now I need to implement something and check it on different configurations (XP to W7, 32/64-bit)…
Very useful idea to check the time stamp of process creation!
I only need to find where this time stamp is placed (PEB? PEPROCESS?), but I guess it will not be a problem.
Using your hint, I found this one: http://www.rohitab.com/discuss/topic/40560-get-process-name-form-pid-in-kernel-mode-driver/ with useful code examples. I did not know about SeLocateProcessImageName().
Again, thanks a lot!
Regards,
Michael.
Glad I could help!
SeLocateProcessImageName is actually in ntifs.h so it’s not strictly “undocumented”.
PsGetProcessInheritedFromUniqueProcessId is indeed strangely not in any official header file. I doubt the API has any chance of going away though. ZwQueryInformationProcess is, however, in the header files, as is ProcessBasicInformation. PROCESS_BASIC_INFORMATION is not officially fully documented, but it is unlikely to change – there’s a member there called InheritedFromUniqueProcessId. It’s extremely odd that Microsoft does not provide a “documented” interface for getting the parent PID of a process.
For create time, you’d want PsGetProcessCreateTimeQuadPart which is documented.
–
Best regards,
Alex Ionescu
Alex,
again, thanks a lot,
a lot of really useful information!
Unfortunately, my boss is asking me to develop other things now,
but I will return to the “Parent Process Problem” later, and my feeling is that your info is exactly what I need.
Regards,
Michael.