@PID and system processes?

[vefatica]

Why doesn't @PID work with a system process? TASKLIST can pair up PIDs and process names for system processes.

v:\> echo %@pid[serv-u.exe.exe]
0

v:\> echo %@word[0,%@execstr[tasklist | ffind /k /m /t"serv-u"]]
1804

 

[rconn]

Because Microsoft doesn't want you to do that if you're not running an elevated session. (Works fine elevated.)

Specifically, the reason it doesn't work is because GetModuleFileNameEx() fails on system processes if you're not elevated. @PID needs to call GetModuleFileNameEx() so it can compare pathnames, not just a shortname.

 

[vefatica]

I see. I never knew @PID used paths. It makes sense that windows won't give you WM_READ for a system process.

It's funny, though, that ProcessExplorer, which doesn't require elevation, will show you the fully-qualified name in a balloon if you hover on an exe name or if you look at the properties of such a process. I wonder how it's done.

 

[AnrDaemon]

A signed program could self-elevate without a user's consent, if certificate permits.