You can create a log file on the system.
Every process created has a relationship; you can check in the Process Control Block (if I am not mistaken it's in the PCB) and see the father of a process and its older brothers.
This is how GetCurrentProcessId
Here is some sample code that enumerates and tries to get different types of PID:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tlhelp32.h>

int main(int argc, char *argv[])
{
    DWORD pid;
    HANDLE h;
    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(PROCESSENTRY32);

    // assume first arg is the PID to get the PPID for, or use own PID
    if (argc > 1) {
        pid = (DWORD)strtoul(argv[1], NULL, 10);
    } else {
        pid = GetCurrentProcessId();
    }

    // snapshot of every process on the system; returns INVALID_HANDLE_VALUE on failure
    h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot failed, error %lu\n", GetLastError());
        return 1;
    }

    if (Process32First(h, &pe)) {
        do {
            if (pe.th32ProcessID == pid) {
                // PIDs are recycled: th32ParentProcessID may name a process that has
                // already exited and whose PID was handed to an unrelated process
                printf("PID: %lu; PPID: %lu\n", pid, pe.th32ParentProcessID);
            }
        } while (Process32Next(h, &pe));
    }
    CloseHandle(h);
    return 0;
}
You would grab the process handle; the code from diabloFalcon will do that for you. Then you open the process handle with "OpenProcessToken()" and pass that token to "GetTokenInformation()" with 'TOKEN_USER' as the type. This will get you the account SID, which you would pass to the "LookupAccountName()" function. You may have to enable SE_DEBUG_NAME on the process you are querying this information from; yes, that also means running this in an elevated session is necessary as well, to do this on a recent version of Windows. If you get error code 5 'ACCESS_DENIED' then you know you will have to enable that.
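The same parent-and-owner lookup done from PowerShell, as an added example that is not code from this thread: Win32_Process exposes ParentProcessId and its GetOwner/GetOwnerSid methods wrap the token query described above. The -ProcessId parameter, the Get-ProcessLineage function name and the output fields are assumptions of this example; it also checks the PID-reuse case, where ParentProcessId points at a process younger than the child.

```powershell
# Added example (not from the thread): resolve a process's parent and owner via CIM.
# Assumes a PID is passed as -ProcessId; defaults to the current PowerShell process.
param([int]$ProcessId = $PID)

function Get-ProcessLineage {
    param([int]$Id)
    $byId = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $byId[[int]$p.ProcessId] = $p }

    $proc = $byId[$Id]
    if (-not $proc) { throw "PID $Id not found" }

    $parent = $byId[[int]$proc.ParentProcessId]
    # PIDs are recycled: ParentProcessId only names the real parent if that process
    # was created before the child. Otherwise the parent exited and the PID was reused.
    $parentValid = $parent -and $parent.CreationDate -and
                   ($parent.CreationDate -le $proc.CreationDate)

    # GetOwner/GetOwnerSid return ReturnValue 0 on success; 2 is the documented
    # "access denied" code, the CIM equivalent of error 5 from the Win32 API path.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $sid   = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid

    [pscustomobject]@{
        PID        = $proc.ProcessId
        Name       = $proc.Name
        PPID       = $proc.ParentProcessId
        ParentName = if ($parentValid) { $parent.Name }
                     elseif ($parent)  { "<pid reused by $($parent.Name)>" }
                     else              { "<parent exited>" }
        Owner      = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" }
                     else { "<denied, rc=$($owner.ReturnValue)>" }
        OwnerSid   = if ($sid.ReturnValue -eq 0) { $sid.Sid } else { $null }
    }
}

Get-ProcessLineage -Id $ProcessId | Format-List
```

Run it elevated to see owners of processes belonging to other users; otherwise those rows show the denied return code rather than a name.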