public static List <ServiceInfo> GetServicesByPID(int pid)
{
bool doUpdate = false;
if (pid == -1) // -1 means get all and we always want a fresh list
{
doUpdate = true;
}
else
{
ServiceCacheLock.EnterReadLock();
doUpdate = ServiceCacheTime <= DateTime.FromFileTimeUtc(ProcFunc.GetProcessCreationTime(pid)).ToLocalTime();
ServiceCacheLock.ExitReadLock();
}
if (doUpdate)
{
RefreshServices();
}
ServiceCacheLock.EnterReadLock();
CloneableList <ServiceInfo> values;
if (pid == -1)
{
values = ServiceCacheByPID.GetAllValues();
}
else if (!ServiceCacheByPID.TryGetValue(pid, out values))
{
values = null;
}
ServiceCacheLock.ExitReadLock();
return((values != null && values.Count == 0) ? null : values);
}
public void CleanUpProcesses()
{
DateTime TimeOut = DateTime.Now.AddMinutes(-1);
// check all pids and remove all invalid entries
foreach (var pid in Processes.Keys.ToList())
{
var info = Processes[pid];
if (info.StopTime == null)
{
string filePath = ProcFunc.GetProcessFileNameByPID(pid);
if (filePath == null)
{
info.StopTime = DateTime.Now;
}
else if (!filePath.Equals(info.filePath, StringComparison.OrdinalIgnoreCase)) // to quick pid reuse
{
AppLog.Debug("Possible PID conflict (pid {0} reused): {1}", pid, filePath);
Processes.Remove(pid);
}
}
else if (info.StopTime < TimeOut)
{
Processes.Remove(pid);
}
}
}
public string GetProcessFileNameByPID(int processID)
{
ProcInfo info;
if (Processes.TryGetValue(processID, out info) && info.StopTime == null)
{
return(info.filePath);
}
string filePath = ProcFunc.GetProcessFileNameByPID(processID);
if (filePath == null)
{
return(null);
}
var startTime = ProcFunc.GetProcessCreationTime(processID);
if (startTime != 0)
{
if (info != null)
{
Processes.Remove(processID);
}
Processes.Add(processID, new ProcInfo()
{
filePath = filePath, StartTime = DateTime.FromFileTimeUtc(startTime)
});
}
return(filePath);
}
public ServiceInfo(ServiceController sc)
{
ServiceName = sc.ServiceName;
var ImagePath = GetServiceImagePath(sc.ServiceName);
ServicePath = ImagePath != null?ProcFunc.GetPathFromCmdLine(ImagePath) : "";
DisplayName = sc.DisplayName;
if (sc.Status == ServiceControllerStatus.Stopped)
{
LastKnownPID = -1;
}
else
{
var ssp = GetServiceStatus(sc.ServiceName);
LastKnownPID = ssp != null ? (int)ssp.dwProcessId : -1;
}
}
public void Reload()
{
Services.Clear();
Services.Add(new Service()
{
Content = Translate.fmt("svc_all"), Value = "*", Group = Translate.fmt("lbl_selec")
});
foreach (ServiceController svc in ServiceController.GetServices())
{
var ImagePath = ServiceHelper.GetServiceImagePath(svc.ServiceName);
var ServicePath = ImagePath != null?ProcFunc.GetPathFromCmdLine(ImagePath) : "";
Services.Add(new Service()
{
Value = svc.ServiceName, Path = ServicePath, Content = svc.DisplayName + " (" + svc.ServiceName + ")", Group = Translate.fmt("lbl_known")
});
}
}
public string GetAppPackageByPID_(int PID)
{
// WARNING: this is not consistent with the windows firewall, we need to go by the proces token
//var process = System.Diagnostics.Process.GetProcessById(PID); // throws error if pid is not found
var processHandle = ProcFunc.OpenProcess(0x1000 /*PROCESS_QUERY_LIMITED_INFORMATION*/, false, PID);
if (processHandle == IntPtr.Zero)
{
return(null);
}
uint cchLen = 256;
StringBuilder sbName = new StringBuilder((int)cchLen);
Int32 lResult = GetApplicationUserModelId(processHandle, ref cchLen, sbName);
if (ERROR_INSUFFICIENT_BUFFER == lResult)
{
sbName = new StringBuilder((int)cchLen);
lResult = GetApplicationUserModelId(processHandle, ref cchLen, sbName);
}
ProcFunc.CloseHandle(processHandle);
if (lResult != ERROR_SUCCESS)
{
return(null);
}
string sResult = sbName.ToString();
int pos = sResult.LastIndexOf("!"); // bla!App
if (pos != -1)
{
sResult = sResult.Substring(0, pos);
}
return(sResult);
}
public string GetAppPackageSidByPID(int PID)
{
//var process = System.Diagnostics.Process.GetProcessById(PID); // throws error if pid is not found
var processHandle = ProcFunc.OpenProcess(0x1000 /*PROCESS_QUERY_LIMITED_INFORMATION*/, false, PID);
if (processHandle == IntPtr.Zero)
{
return(null);
}
string strSID = null;
IntPtr tokenHandle = IntPtr.Zero;
if (ProcFunc.OpenProcessToken(processHandle, 8, out tokenHandle))
{
int retLen;
NtQueryInformationToken(tokenHandle, 31 /*TokenAppContainerSid*/, IntPtr.Zero, 0, out retLen);
IntPtr buffer = Marshal.AllocHGlobal((int)retLen);
ulong status = NtQueryInformationToken(tokenHandle, 31 /*TokenAppContainerSid*/, buffer, retLen, out retLen);
if (status >= 0)
{
var appContainerInfo = (TOKEN_APPCONTAINER_INFORMATION)Marshal.PtrToStructure(buffer, typeof(TOKEN_APPCONTAINER_INFORMATION));
ConvertSidToStringSid(appContainerInfo.Sid, ref strSID);
}
Marshal.FreeHGlobal(buffer);
ProcFunc.CloseHandle(tokenHandle);
}
ProcFunc.CloseHandle(processHandle);
return(strSID);
}
string GetPathFromCmd(string commandLine, int processID, string imageName /*, DateTime timeStamp*/, int parentID = 0)
{
if (commandLine.Length == 0)
{
return(null);
}
string filePath = ProcFunc.GetPathFromCmdLine(commandLine);
// apparently some processes can be started without a exe name in the command line WTF, anyhow:
if (!Path.GetFileName(filePath).Equals(imageName, StringComparison.OrdinalIgnoreCase) &&
!(Path.GetFileName(filePath) + ".exe").Equals(imageName, StringComparison.OrdinalIgnoreCase))
{
filePath = imageName;
}
// https://reverseengineering.stackexchange.com/questions/3798/c-question-marks-in-paths
// \?? is a "fake" prefix which refers to per-user Dos devices
if (filePath.IndexOf(@"\??\") == 0)
{
filePath = filePath.Substring(4);
}
filePath = Environment.ExpandEnvironmentVariables(filePath);
if (Path.IsPathRooted(filePath))
{
return(filePath);
}
// The file path is not fully qualifyed
// try to get the running processes path
if (processID != 0)
{
//Process proc = null;
//try { proc = Process.GetProcessById(processID); } catch { }
//if (proc != null)
//{
//var fileName = proc.GetMainModuleFileName();
var fileName = ProcFunc.GetProcessFileNameByPID(processID);
if (fileName != null)
{
// ensure its the right process
//var startTime = proc.StartTime.ToUniversalTime();
//if ((startTime - timeStamp).TotalSeconds < 1)
if (Path.GetFileName(fileName).Equals(imageName, StringComparison.OrdinalIgnoreCase))
{
return(fileName);
}
}
//}
}
// check relative paths based on the parrent process working directory
string workingDir = ProcessUtilities.GetCurrentDirectory(parentID);
if (workingDir != null)
{
var curPath = Path.Combine(workingDir, filePath);
if (filePath[0] == '.')
{
curPath = Path.GetFullPath(curPath);
}
if (File.Exists(curPath))
{
return(curPath);
}
if (File.Exists(curPath + ".exe"))
{
return(curPath + ".exe");
}
}
// if everythign else fails, try to find the process binary using the environment path variable
if (FindExeInPath(filePath, ref filePath))
{
return(filePath);
}
return(null);
}