Getting command line parameter of process

Sourabh_Arvikar · January 28, 2015, 3:53am

Hi

Is it possible to retrieve command line of process in load image notification call back.

Thanks
Sourabh

Koby_Kahane · January 28, 2015, 3:57am

The process command line is not directly available in PsSetLoadImageNotifyRoutine’s callback, but you can use PsSetCreateProcessNotifyRoutineEx (available in Vista SP1+). In the CreateProcessNotifyEx callback the command line is available in PS_CREATE_NOTIFY_INFO (CreateInfo) in the CommandLine field.

Sourabh_Arvikar · January 28, 2015, 4:01am

yup i can get cmd line by using PsSetCreateProcessNotifyRoutineEx onward vista sp1

but

what should i do for xp ?

Koby_Kahane · January 28, 2015, 4:39am

Retrieve PROCESS_BASIC_INFORMATION with ZwQueryInformationProcess to determine the PEB’s address. Examine the ProcessParameters field of the PEB (the struct is “partially documented” in winternl.h). The command line is in the CommandLine field of that structure. Note that since this is user memory the command line may have been modified since the process was started and in general may not be trustworthy.

Another approach, if you don’t need the command line synchronously, is to retrieve the command line from user mode. This can be done, e.g., by retrieving the CommandLine field of the Win32_Process object for the process of interest with WMI. I suppose that could be considered “more documented” than examining the PEB directly.

Sourabh_Arvikar · January 28, 2015, 5:18am

Thanks
But Win32_Process class supported vista onward.

Koby_Kahane · January 28, 2015, 5:35am

That’s a mistake in the current documentation (maybe because new fields were added for Vista, or something). Win32_Process is certainly available on Windows XP and even on Windows 2000, etc.

Sourabh_Arvikar · January 28, 2015, 6:15am

Ok

raj_r · January 28, 2015, 6:57am

C:\>ver & wmic process get Caption,Name,commandline /format:list | findstr csrs
s

Microsoft Windows XP [Version 5.1.2600]
Caption=csrss.exe
CommandLine=C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection
=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=wi
nsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
Name=csrss.exe

On 1/28/15, xxxxx@gmail.com wrote:
> Ok
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>