How to know who executes an exe file?

Hi, Everyone!

Is there a way to know who executes an exe file?

or

How can I determine which process creates a process or executes an exe file?
You can create a log file on the system..
Every process created has a relationship; you can check in the Process Control Block (if I'm not mistaken it's in the PCB) and see the father of a process and its older brothers.
This is how GetCurrentProcessId
Here is a simple piece of code that enumerates and tries to get different types of PID

(it's not my code)
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tlhelp32.h>

int main(int argc, char *argv[])
{
    DWORD pid;   // th32ProcessID is a DWORD, so compare against the same type

    // Snapshot of every process in the system; each entry carries
    // th32ProcessID and th32ParentProcessID
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateToolhelp32Snapshot failed, error %lu\n",
                (unsigned long)GetLastError());
        return 1;
    }

    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First

    // assume first arg is the PID to get the PPID for, or use own PID
    if (argc > 1) {
        pid = (DWORD)strtoul(argv[1], NULL, 10);
    } else {
        pid = GetCurrentProcessId();
    }

    // Walk the snapshot until the entry for the requested PID turns up
    if (Process32First(h, &pe)) {
        do {
            if (pe.th32ProcessID == pid) {
                printf("PID: %lu; PPID: %lu\n", (unsigned long)pid,
                       (unsigned long)pe.th32ParentProcessID);
                break;
            }
        } while (Process32Next(h, &pe));
    }

    CloseHandle(h);
    return 0;
}
closed account (48bpfSEw)
@john, have you ever used the Sysinternals tools? Process Monitor puts out a lot of information about running processes.

https://technet.microsoft.com/de-de/sysinternals/processmonitor.aspx
You would grab the process handle; the code from diabloFalcon will do that for you. Then you open the process handle with "OpenProcessToken()" and pass that token to "GetTokenInformation()" with 'TOKEN_USER' as the type. This will get you the account SID, which you would pass to the "LookupAccountName()" function. You may have to enable SE_DEBUG_NAME on the process you are querying this information from; yes, that also means running this in an elevated session is necessary as well, to do this on a recent version of Windows. If you get error code 5 'ACCESS_DENIED' then you know you will have to enable that.
Thank you for your prompt reply!
I'm going to try these.