AutoHotkey Community


All times are UTC [ DST ]




PostPosted: February 12th, 2007, 12:25 am 

Joined: October 14th, 2006, 8:46 am
Posts: 18
Is it possible to retrieve the actual command line used to start a process?

For example, sysinternals.com Process Explorer shows this information when you bring up the program:

Image

In the above image, the netdrive.exe process was started with /trayicon and I see the entire path.

I would like to grab the same information without bringing up Process Explorer, especially the command line arguments used to start a process.

WinGet almost gets there, but it doesn't have process path, or argument information.

Is there a way to do this?

btw: I used this query to search the forum: process command line arguments start

Thank you!


PostPosted: February 12th, 2007, 2:35 am 

Joined: December 27th, 2006, 11:30 pm
Posts: 29
I know you can get the PID (Process Identification) out of a program... but you probably already tried that. I'm guessing the data is in memory and the site is just accessing your computer's memory.


PostPosted: February 12th, 2007, 11:04 am 
process list+file names+command lines


PostPosted: February 12th, 2007, 4:01 pm 

Joined: February 12th, 2007, 7:54 am
Posts: 2462
carsong wrote:
WinGet almost gets there, but it doesn't have process path, or argument information.

From this, I assume that you can get the PID of the application, and that the application is not a service. I posted one method to do it:
http://www.autohotkey.com/forum/viewtopic.php?t=16575


PostPosted: February 13th, 2007, 12:32 pm 

Joined: October 14th, 2006, 8:46 am
Posts: 18
Sean wrote:
...I assume that you can get the PID of the application, and that the application is not a service. I posted one method to do it:
http://www.autohotkey.com/forum/viewtopic.php?t=16575


This is great! However, it doesn't always have the full path to the command which started whatever PID I'm pointing at (doesn't happen that often though). If it's easy, can you add that bit to your code?

btw: I tried to look at shimanov's code and :S

I'm using this script:

Code:
capslock & p::
  ; Toggle the cursor watcher on and off.
  if not watching
  {
    SetTimer, WatchCursor, 1
    watching = 1
  }
  else
  {
    SetTimer, WatchCursor, off
    watching = 0
  }
return

WatchCursor:
  if GetKeyState("LShift", "P")
  {
    clipboard = %sCmdLine%
  }
  else if GetKeyState("Esc", "P")
  {
    SetTimer, WatchCursor, off
    watching = 0            ; keep the toggle in step with the timer
    ToolTip
    return
  }

  ; Identify the window under the mouse and the process that owns it.
  ; Look the PID up by window handle, not by title: titles are not unique.
  MouseGetPos, , , id, control
  WinGetTitle, title, ahk_id %id%
  WinGetClass, class, ahk_id %id%
  WinGet, pid, PID, ahk_id %id%
  if (!pid)
    return

  ; kernel32.dll is mapped at the same base in every 32-bit process, so the
  ; address of GetCommandLineA in our own process is valid as a thread start
  ; routine in the target (fails for 64-bit targets from 32-bit AutoHotkey).
  VarSetCapacity(sCmdLine, 512)
  pFunc := DllCall("GetProcAddress"
     , "Uint", DllCall("GetModuleHandle", "str", "kernel32.dll")
     , "str", "GetCommandLineA")

  ; 0x3A = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
  hProc := DllCall("OpenProcess", "Uint", 0x3A, "int", 0, "Uint", pid)
  if (!hProc)
  {
    ToolTip, OpenProcess failed for PID %pid% (access denied?)
    return
  }

  ; Run GetCommandLineA inside the target; its return value (a pointer into the
  ; target's own memory) comes back as the thread's exit code.
  hThrd := DllCall("CreateRemoteThread", "Uint", hProc, "Uint", 0, "Uint", 0
     , "Uint", pFunc, "Uint", 0, "Uint", 0, "Uint", 0)
  if (!hThrd)
  {
    DllCall("CloseHandle", "Uint", hProc)
    ToolTip, CreateRemoteThread failed for PID %pid%
    return
  }

  DllCall("WaitForSingleObject", "Uint", hThrd, "Uint", 0xFFFFFFFF)
  DllCall("GetExitCodeThread", "Uint", hThrd, "UintP", pcl)
  ; Copy the NUL-terminated ANSI command line out of the target's memory.
  DllCall("ReadProcessMemory", "Uint", hProc, "Uint", pcl, "str", sCmdLine, "Uint", 512, "Uint", 0)

  DllCall("CloseHandle", "Uint", hThrd)
  DllCall("CloseHandle", "Uint", hProc)

  ToolTip, LShift: copies to clipboard`, ESC removes tooltip.`n%sCmdLine%
return


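As an added example that is not part of the thread, the same path-plus-arguments information can be pulled through WMI (Win32_Process) from PowerShell instead of running a thread inside the target: the kernel's process list is asked for the command line, so nothing is injected, the same-bitness restriction of the GetCommandLineA trick does not apply, and ExecutablePath supplies the full path even when the launcher typed a bare program name (the case carsong ran into above). Win32_Process and its CommandLine/ExecutablePath properties are the real WMI class and fields; the Get-ProcessCommandLine function, the argv[0] split and the foreground-window lookup are this example's own.

```powershell
# Added example: executable path and command line of a process via WMI/CIM.
# Win32_Process, ExecutablePath and CommandLine are real; the function name and
# the argv[0] splitting below are this example's own (assumptions).
function Get-ProcessCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [int[]] $Id
    )
    process {
        foreach ($p in $Id) {
            $w = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $p"
            if (-not $w) { Write-Warning "PID $p not found"; continue }

            # Split off argv[0] the way CreateProcess reads it: a leading quote runs
            # to the next quote, otherwise the token ends at the first whitespace.
            $argv0 = $null; $rest = $null
            if ($w.CommandLine) {
                if ($w.CommandLine -match '^\s*"([^"]*)"\s*(.*)$') {
                    $argv0 = $Matches[1]; $rest = $Matches[2]
                } elseif ($w.CommandLine -match '^\s*(\S+)\s*(.*)$') {
                    $argv0 = $Matches[1]; $rest = $Matches[2]
                }
            }
            [pscustomobject]@{
                ProcessId       = $w.ProcessId
                Name            = $w.Name
                ExecutablePath  = $w.ExecutablePath     # full path even when argv[0] is bare
                Argv0           = $argv0
                Arguments       = $rest
                Argv0IsFullPath = [bool]($argv0 -and [IO.Path]::IsPathRooted($argv0))
                CommandLine     = $w.CommandLine         # $null when the caller may not open the process
            }
        }
    }
}

# Usage: the process that owns the foreground window (the WinGet PID step of the
# script above) plus this PowerShell host itself.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
'@
[uint32]$fgPid = 0
[void][Win32.Native]::GetWindowThreadProcessId([Win32.Native]::GetForegroundWindow(), [ref]$fgPid)
Get-ProcessCommandLine -Id $fgPid, $PID | Format-List
```

CommandLine comes back empty for processes the caller is not allowed to open (other users' processes without elevation, protected processes, System and Idle); that is the same access boundary the script's OpenProcess call hits, so run elevated when those are the ones of interest.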
PostPosted: February 13th, 2007, 1:58 pm 

Joined: February 12th, 2007, 7:54 am
Posts: 2462
carsong wrote:
it doesn't always have the full path to the command whch started whatever pid I'm pointing at (doesn't happen that often thogh).

I'm not sure what exactly you mean here. Did it return an empty result, or simply without a full path?
If the first, then you need to enable the Debug privilege; if the second, it's normal, as sometimes an application is started without a full path specified. In the latter case, you should rely on other means to obtain the full path.
I modified the script a little to obtain the full path too.

Quote:
btw: I tried to look at shimanov's code and :S

I think he navigates the PEB of the process. Actually, it can give a lot more information if one knows how to do it, but unfortunately it's not a documented feature, though it's pretty well uncovered already.


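As an added example that is not part of the thread, here is the PEB walk Sean refers to, written in PowerShell with a small P/Invoke shim: NtQueryInformationProcess(ProcessBasicInformation) yields the PEB address, PEB.ProcessParameters points at RTL_USER_PROCESS_PARAMETERS, and its ImagePathName and CommandLine UNICODE_STRINGs are copied out with ReadProcessMemory. Only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is needed, so no thread runs in the target, and ImagePathName gives the full path that the bare command line may lack. The offsets are the x64 layout and the code assumes it runs from 64-bit PowerShell (the x86 PEB keeps ProcessParameters at 0x10 and ImagePathName/CommandLine at 0x38/0x40 with 8-byte UNICODE_STRINGs); as the post says, NtQueryInformationProcess and the PEB layout are undocumented, and the Peb class and function names are this example's own.

```powershell
# Added example: read a process's command line and image path from its PEB.
# Undocumented layout (x64): PEB.ProcessParameters at 0x20; inside
# RTL_USER_PROCESS_PARAMETERS, ImagePathName at 0x60 and CommandLine at 0x70,
# each a 16-byte UNICODE_STRING { USHORT Length; USHORT MaximumLength; pad; PWSTR Buffer }.
# Assumes a 64-bit PowerShell host. Class/function names are this example's own.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Peb {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus;            // IntPtr everywhere keeps the natural padding
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref PROCESS_BASIC_INFORMATION info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr addr, byte[] buf,
        IntPtr size, out IntPtr bytesRead);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

function Read-RemoteBytes([IntPtr]$h, [IntPtr]$addr, [int]$len) {
    $buf = New-Object byte[] $len
    $read = [IntPtr]::Zero
    if (-not [Peb]::ReadProcessMemory($h, $addr, $buf, [IntPtr]$len, [ref]$read) -or $read.ToInt64() -ne $len) {
        throw ("ReadProcessMemory failed at 0x{0:X}" -f $addr.ToInt64())
    }
    return $buf
}

function Read-RemoteUnicodeString([IntPtr]$h, [IntPtr]$addr) {
    $raw = Read-RemoteBytes $h $addr 16
    $len = [BitConverter]::ToUInt16($raw, 0)            # byte count, no terminator
    $buf = [IntPtr][BitConverter]::ToInt64($raw, 8)
    if ($len -eq 0 -or $buf -eq [IntPtr]::Zero) { return '' }
    return [Text.Encoding]::Unicode.GetString((Read-RemoteBytes $h $buf $len))
}

function Get-ProcessCommandLineFromPeb([int]$ProcessId) {
    if (-not [Environment]::Is64BitProcess) { throw 'Run this from 64-bit PowerShell; offsets are x64.' }
    $PROCESS_QUERY_INFORMATION = 0x400; $PROCESS_VM_READ = 0x10   # read-only access, no thread creation
    $h = [Peb]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $pbi = New-Object -TypeName 'Peb+PROCESS_BASIC_INFORMATION'
        $ret = 0
        $size = [Runtime.InteropServices.Marshal]::SizeOf($pbi)
        $status = [Peb]::NtQueryInformationProcess($h, 0, [ref]$pbi, $size, [ref]$ret)  # 0 = ProcessBasicInformation
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed: NTSTATUS 0x{0:X8}" -f $status) }

        $ppRaw = Read-RemoteBytes $h ([IntPtr]($pbi.PebBaseAddress.ToInt64() + 0x20)) 8
        $pp = [IntPtr][BitConverter]::ToInt64($ppRaw, 0)        # RTL_USER_PROCESS_PARAMETERS*
        [pscustomobject]@{
            ProcessId     = $ProcessId
            ImagePathName = Read-RemoteUnicodeString $h ([IntPtr]($pp.ToInt64() + 0x60))
            CommandLine   = Read-RemoteUnicodeString $h ([IntPtr]($pp.ToInt64() + 0x70))
        }
    } finally {
        [void][Peb]::CloseHandle($h)
    }
}

# Usage: this PowerShell host; any accessible 64-bit PID works the same way.
Get-ProcessCommandLineFromPeb -ProcessId $PID | Format-List
```

Processes of other users need SeDebugPrivilege on the caller (the Debug privilege mentioned above) for OpenProcess to succeed, and a process can rewrite its own ProcessParameters, so treat the result as what the target reports, not as ground truth.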
PostPosted: February 14th, 2007, 4:06 am 

Joined: October 14th, 2006, 8:46 am
Posts: 18
Sean wrote:
I'm not sure what you exactly mean here. Did it return an empty result, or simply without a full path?


Oh, no problem. I have enough to go with... the absolute path of the file would have been icing on the cake! :D

Thank you much!

