Commands related to processes and threads
This module provides procedures related to process, thread and shared library management.
The commands get_process_ids and get_current_process_id retrieve process id (PID) information. get_process_parent returns the PID for the parent process. The commands is_system_pid and is_idle_pid determine if the given PID is that of the system or idle process.
The command get_current_thread_id retrieves the current thread id (TID). get_thread_parent_process_id retrieves the PID of the process containing the specified thread. get_process_thread_ids retrieves the TID's of all threads in the specified process.
Process and thread handles with the appropriate access rights may retrieved through the get_process_handle and get_thread_handle commands respectively. A process handle may be mapped back to the corresponding PID through get_pid_from_handle.
get_process_name and get_process_path get the name and path respectively for a process. The command get_process_info retrieves detailed information about internal process data. Similarly, get_thread_info retrieves detailed information about a thread.
get_process_commandline retrieves the command line with which a process was invoked.
process_exists checks for the existence of a process. The command process_waiting_for_input can be used to check if a process is waiting for input, and more specifically if it has finished initialization.
get_process_modules retrieves information pertaining to the modules and DLL's loaded into a process. The commands get_module_handle and get_module_handle_from_address retrieve handles to individual modules in the current process.
The commands create_process and end_process allow creation and termination of a process. The exit code from a process can be retrieved with the get_process_exit_code command.
The commands suspend_thread and resume_thread allow threads to be suspended and resumed.
The commands get_priority_class, set_priority_class, get_thread_relative_priority and set_thread_relative_priority deal with retrieving and setting process and thread scheduling priorities.
get_device_drivers retrieves information about the device drivers loaded on the system.
Commands is_wow64_process deal with features related to 64-bit Windows.
Command process_in_administrators can be used to check if the current process is in the administrators group.
Commands get_process_elevation, get_process_integrity and, set_process_integrity and, virtualized_process, set_process_virtualization deal with Windows UAC related features.
The following commands deal with environment variables.
expand_environment_vars | Replaces environment variables in a string with their values in the current process. |
expand_system_environment_vars | Replaces system environment variables in a string with their values. |
expand_user_environment_vars | Replaces environment variables in a string with the environment values defined for a specific user. |
get_system_environment_vars | Returns a dictionary of system environment variables and their values. |
get_user_environment_vars | Returns a dictionary of environment variables and their values for a specific user. |
The commands load_user_profile and unload_user_profile deal with loading of user profiles.
-background COLORLIST | Specifies the background color if the child process receives a new console. COLORLIST is a list of one or more of the following values: blue, red, green, bright, white and black. The specified colors are combined to form the foreground color. The default is black. |
-cmdline CMDLINE | Specifies the command line to be passed to the created process. This generally includes the program being executed as the first token in CMDLINE. Caller should ensure that CMDLINE is quoted appropriately. The -cmdline option must be specified if the PROGRAM parameter is empty. |
-childprocesssecd SECURITY_DESCRIPTOR | Specifies a security descriptor for the child process. If unspecified, the default security descriptor is used. |
-childthreadsecd SECURITY_DESCRIPTOR | Specifies a security descriptor for the child thread. If unspecified, the default security descriptor is used. |
-createsuspended BOOLEAN | If BOOLEAN is true, the process and thread are created suspended. The process will not run until the thread is resumed with a call to resume_thread. |
-debugchild BOOLEAN | If BOOLEAN is true, indicates that the calling thread will be debugging the child process being created. The thread is notified of debug events in the child process. There is currently no way to receive these events. |
-dontdebugchild BOOLEAN | If the calling process is itself being debugged, then any debug events from the child process are sent to the debugger if BOOLEAN is false. Otherwise, the child process has no interaction with the debugger. |
-desktop DESKTOPNAME | Specifies the desktop, optionally along with the window station, for the new process. By default, this is the same as the current process. If DESKTOPNAME is the empty string, the system determines if a new desktop and window station need to be created. |
-detached BOOLEAN | This option only affects console processes. If BOOLEAN is 0, the child process inherits the current process' console. If BOOLEAN is 1, the console is not inherited. |
-env LIST | Specifies the environment variables inherited by the child process. LIST is a flat list of the form returned by array get consisting of ENVVARNAME VALUE pairs. By default, the child process inherits the same environment variables as the current process. |
-feedbackcursoron BOOLEAN | If true, specifies that the feedback cursor (normally a pointer with an hourglass) is shown while the new process starts up. |
-feedbackcursoroff BOOLEAN | If true, specifies that the feedback cursor is not shown while the new process starts up. |
-foreground COLORLIST | Specifies the foreground color if the child process receives a new console. COLORLIST is a list of one or more of the following values: blue, red, green, bright, white and black. The specified colors are combined to form the foreground color. The default is white. |
-fullscreen BOOLEAN | If true, the child process is run in full screen mode if it is a console process. |
-inheritablechildprocess BOOLEAN | If true, the handle to the child process is inheritable by other child processes spawned off later. |
-inheritablechildthread BOOLEAN | If true, the handle to the thread in the child process is inheritable by other child processes spawned off later. |
-inheriterrormode BOOLEAN | If true (default), the child process inherits the error mode setting of the current process. |
-inherithandles BOOLEAN | If true, the child process will inherit all inheritable handles of the current process. |
-newconsole BOOLEAN | If true, a new console is created for the child process if it is a console mode program. By default, the child process inherites the console of the current process if that latter is also a console mode program. This option cannot be used with the -detached option. |
-newprocessgroup BOOLEAN | If true, the created process is made the root of a new process group identified by the PID of the new process. The default value is false and the new process belongs to the same process group as the calling process. |
-priority PRIORITY | Specifies the priority of the child process. This should have one of the values normal, abovenormal, belownormal, high, realtime, or idle. |
-returnhandles BOOLEAN | Normally the create_process command returns only the ids of the created process and thread. If this option is specified as true, the command appends handles of the child process and thread to the return value. These must later be closed by calling the close_handles command. |
-screenbuffersize XY | For console processes, this controls the initial width and height of the screen buffer in characters. XY can be specified as either a list of two integers or as a X,Y string. |
-separatevdm BOOLEAN | If true, child processes that are 16-bit executables are started in a separate virtual machine. By default, the system will follow the setting specified in the registry. |
-sharedvdm BOOLEAN | If true, child processes that are 16-bit executables are started in a common virtual machine. By default, the system will follow the setting specified in the registry. |
-showwindow WINDOWMODE | Specifies the mode in which the first window of the child process is displayed. WINDOWMODE must be one of normal (default), minimized, maximized or hidden. |
-startdir PATH | Specifies the initial starting directory of the child process. By default the child process starts in the calling thread's current directory. |
-stdhandles HANDLELIST | Specifies the standard input and output handles for
the child process. HANDLELIST is a list of three
elements corresponding to the handles to be used for standard
input, standard output and standard error respectively. The handle
values passed must be Windows handles and must be inheritable.
Also, the -inherithandles option must be true if
-stdhandles is specified. Note that if these
handles correspond to files, the file position pointer is shared
with the child process. This option cannot be used together with the -stdchannels option. |
-stdchannels CHANNELS | Specifies the standard input and output handles for
the child process. CHANNELS is a list of three
elements corresponding to the Tcl channels to be used for standard
input, standard output and standard error respectively. Note that
if these channels correspond to files, the file position pointer is
shared with the child process. This option cannot be used together with the -stdhandles option. Also, the -inherithandles option must be true if -stdchannels is specified. |
-title TITLE | Specifies the text to diaplay in the title bar if the child process is a console program and receives a new console. By default, the name of the executable is displayed. |
-windowpos XY | Specifies the initial position in pixels of the top left corner of the main window of the child process if the child creates the window using defaults. XY can be specified as either a list of two integers or as a X,Y string. |
-token TOKEN | Specifies that the created process should run under the account identity and logon session of the specified access token instead of that of the parent process. |
-windowsize XY | Specifies the initial size in pixels of the main window of the child process if the child creates the window using defaults. XY can be specified as either a list of two integers or as a X,Y string. |
-force | If this option is specified, the process will be forcibly terminated if it does not terminate in response to WM_CLOSE messages. |
-wait MS | Normally, the function will return without actually waiting for the process to end. If this option is specified, the function returns after waiting for MS milliseconds for the process to end. |
-exitcode EXITCODE | Specifies the exit code that should be returned by the terminating process. This is 1 by default. Depending on the application being terminated, this may not be the actual exit code returned on application exit. Caller should not rely on this. |
-all | Returns all device driver attributes below. |
-base | Returns the base address in memory where the driver is loaded |
-path | Returns the path to the file from which the driver was loaded. In some cases, this may not contain a fully qualified path. |
-name | Returns the name of the driver - generally the file name portion of the file from which the driver was loaded. |
-noexist DEFAULTVALUE | If a process does not exist, the command returns the string "(no such process)". This option may be used to specify a different string to be returned for non-existent processes. |
-noaccess DEFAULTVALUE | If a process exists but cannot be accessed to retrieve the name, the command normally returns the string "(unknown)". This option may be used to specify a different string to be returned in such cases. |
-glob | This option modifies the meaning of the -path and -name options. Normally, the match is done using case-insensitive, exact comparison. If -glob is specified, the PROCESSNAME and EXECUTABLEPATH are matched using glob-style pattern matching as in Tcl's string match command. |
-name PROCESSNAME | If this option is specified, the returned list only includes those processes whose name matches PROCESSNAME. Generally the name is the same as the filename portion of the executable file path. If this information is not available for a process, it is not included in the returned list. This option cannot be used with the -path option. |
-path EXECUTABLEPATH | If this option is specified, the returned list only includes those processes created from the executable file matching EXECUTABLEPATH. If this information is not available for a process, it is not included in the returned list. This option cannot be used with the -name option. |
-logonsession LUID | If this option is specified, the returned list only includes those processes running inside the logon session identified by the specified LUID. |
-user ACCOUNT | If this option is specified, the returned list only includes those processes running under the specified account. ACCOUNT may be either a user name or its SID. |
-all | Returns all values except those for unsupported options. |
-basepriority | Returns the base priority of the process. |
-commandline | Returns the command line with which the process was invoked. |
-createtime | Returns the time the process was created as the number of 100ns units since Jan 1, 1601. This can be converted to a date and time string by passing it to large_system_time_to_secs and formatting the result using clock format. |
-disabledprivileges | Returns the list of privileges for the process that are currently disabled. |
-elapsedtime | Returns the total time (seconds) that the process has been running. |
-elevation | Returns the elevation level of the process (see get_process_elevation). |
-enabledprivileges | Returns the list of privileges that are enabled in the process. |
-groupattrs | Returns the list of groups SIDs and attributes in the process security token. See get_token_info for a description of the return value. |
-groups | Returns the list of the names of groups that the process belongs to. An error will be raised if any group SID's cannot be mapped to a name. Use -groupsids to avoid this. |
-groupsids | Returns the list of SIDs of groups that the process belongs to. |
-handlecount | Returns the number of handles that the process currently has open. |
-integrity | Returns the numeric integrity level of the process (see get_process_integrity). |
-integritylabel | Returns the label for the integrity level range of the process (see get_process_integrity). |
-iootherbytes | Returns number of non-data bytes the process has read or written through I/O operations. |
-iootherops | Returns number of non-data I/O operations the process has executed. |
-ioreadbytes | Returns number of data bytes the process has read through I/O operations. |
-ioreadops | Returns number of data read I/O operations the process has executed. |
-iowritebytes | Returns number of data bytes the process has written through I/O operations. |
-iowriteops | Returns number of data write I/O operations the process has executed. |
-logonsession | Returns the LUID of the logon session for the process. |
-name | Returns the name of the process. This is identical to the value returned by the get_process_name function. |
-noaccess DEFAULTVALUE | If a process exists but cannot be accessed to retrieve the name, the command normally returns the string "(unknown)". This option may be used to specify a different string to be returned in such cases. |
-noexist DEFAULTVALUE | If a process does not exist, the command returns the string "(no such process)". This option may be used to specify a different string to be returned for non-existent processes. |
-pagefilebytes | Returns total number of bytes in use for this process in all the system paging files. |
-pagefilebytespeak | Returns the maximum number of bytes that have been used for this process in the system paging file since the process started. |
-parent | Returns id of the process that invoked this process. For the system and system idle processes, an empty string is returned since they have no parent process. |
-path | Returns the path to the executable file from which this process was invoked. This value is the same as that returned by the get_process_path command. |
-pid | Returns the process id of this process, which will be identical to that passed in as the PID argument if the process exists. Otherwise it is set to the value of the -noexist option. |
-poolnonpagedbytes | Returns the number of bytes of nonpaged pool memory in use for the process. |
-poolpagedbytes | Returns the number of bytes of paged pool memory in use for the process. |
-primarygroup | Returns the primary group that the process belongs to. For domain accounts, an error is raised if the domain is unreachable. Use -primarygroupsid to avoid this. |
-primarygroupsid | Returns the SID of primary group that the process belongs to. |
-priorityclass | Returns the priority class of the process. |
-privilegedtime | The amount of privileged context CPU time used by the process in 100ns units. |
-privileges | Returns the list of enabled and disabled process privileges in the same format as get_token_privileges. Deprecated, use -enabledprivileges and -disabledprivileges instead. |
-restrictedgroupattrs | Returns the list of restricted group SIDs and attributes in the process security token. See get_token_info for a description of the return value. |
-restrictedgroups | Returns the list of restricted groups in the process security token. For domain accounts, an error is raised if the domain is unreachable. Use -restrictedgroupattrs to avoid this. |
-threadcount | Returns the total number of threads in the process. |
-tids | Returns a list of ids of the threads in the process. |
-tssession | Returns the terminal server session id of the process. |
-user | Returns the user account under which the process is running. |
-usertime | The amount of user context CPU time used by the process in 100ns units. |
-virtualbytes | Returns the current size of the process' virtual address space. |
-virtualbytespeak | Returns the maximum amount of virtual address space that the process has used in the course of its execution. |
-virtualized | Returns trued if the process is virtualized and false otherwise. See virtualized_process. |
-workingset | Returns the number of bytes currently in the process' working set. |
-workingsetpeak | Returns the maximum number of bytes in the process' working set since it began execution. |
-all | Returns the data for all options described below. |
-base | Includes the base address of the module. |
-entry | Includes the address of the entry point to the module. |
-handle | Includes the handle to the module in the returned data for each module. |
-name | Includes the name of the module - generally the file name portion of the path. |
-path | Includes the full path from which the module was loaded. |
-size | Includes the size of the module. |
-noexist DEFAULTVALUE | If a process does not exist, the command returns the string "(no such process)". This option may be used to specify a different string to be returned for non-existent processes. |
-noaccess DEFAULTVALUE | If a process exists but cannot be accessed to retrieve the name, the command normally returns the string "(unknown)". This option may be used to specify a different string to be returned in such cases. |
-noexist DEFAULTVALUE | If a process does not exist, the command returns the string "(no such process)". This option may be used to specify a different string to be returned for non-existent processes. |
-noaccess DEFAULTVALUE | If a process exists but cannot be accessed to retrieve the parent, the command normally returns the string "(unknown)". This option may be used to specify a different string to be returned in such cases. |
-noexist DEFAULTVALUE | If a process does not exist, the command returns the string (no such process). This option may be used to specify a different string to be returned for non-existent processes. |
-noaccess DEFAULTVALUE | If a process exists but cannot be accessed to retrieve the path information, the command normally returns the string (unknown). This option may be used to specify a different string to be returned in such cases. |
-all | Returns all values. |
-basepriority | Returns the base priority of the thread. |
-contextswitches | Returns the number of context switches done by the thread. |
-createtime | Returns the time the thread was created as the number of 100ns units since Jan 1, 1601. This can be converted to a date and time string by passing it to large_system_time_to_secs and formatting the result using clock format. |
-disabledprivileges | Returns the list of privileges for the thread that are currently disabled. |
-elapsedtime | Returns the total time (seconds) that the thread has been running. |
-enabledprivileges | Returns the list of privileges that are enabled in the thread. |
-groupattrs | Returns the list of groups SIDs and attributes in the thread's security token. See get_token_info for a description of the return value. |
-groups | Returns the list of the names of groups that the thread belongs to. An error will be raised if any group SID's cannot be mapped to a name. Use -groupsids to avoid this. |
-groupsids | Returns the list of SIDs of groups that the thread belongs to. |
-interval INTERVAL | Specifies the number of milliseconds over which rate based fields are to be measured. The command will not return until this time has elapsed. By default this is 100ms. If none of the fields requested is a rate based field, this option is ignored and the command returns immediately. |
-noaccess DEFAULTVALUE | If a thread but cannot be accessed, the command normally returns the string "(unknown)". This option may be used to specify a different string to be returned in such cases. |
-noexist DEFAULTVALUE | If a thread does not exist, the command returns the string "(no such thread)". This option may be used to specify a different string to be returned for non-existent threads. |
-pid | Returns the id of the process the thread belongs to. |
-primarygroup | Returns the primary group that the thread belongs to. For domain accounts, an error is raised if the domain is unreachable. Use -primarygroupsid to avoid this. |
-primarygroupsid | Returns the SID of primary group that the process belongs to. |
-priority | Returns the current priority of the thread. |
-privilegedtime | The amount of privileged context CPU time used by the thread in 100ns units. |
-privileges | Returns the list of the current thread privileges. Deprecated, use -enabledprivileges and -disabledprivileges instead. |
-relativepriority | Returns the priority level of the thread relative to the priority class of the containing process. |
-restrictedgroupattrs | Returns the list of restricted group SIDs and attributes in the thread's security token. See get_token_info for a description of the return value. |
-restrictedgroups | Returns the list of restricted groups in the thread's security token. For domain accounts, an error is raised if the domain is unreachable. Use -restrictedgroupattrs to avoid this. |
-startaddress | Returns the address at which the thread began execution. |
-state | Returns the current state of the thread. |
-tid | Returns the thread id of this process (which should be identical to that passed in as the TID argument. |
-user | Returns the user account under which the thread is running. |
-usertime | The amount of user context CPU time used by the thread in 100ns units. |
-waitreason | Returns the reason a thread is in wait state. This is only valid when the state field is 5 indicating the thread is in a wait state. |
-defaultuserpath PATH | Specifies the path for the default user profile in case no profile has yet been created for this user. |
-noui BOOLEAN | If true, no dialogs are displayed in case of error. Default is false. |
-roamingprofilepath PATH | Specifies the path to the user's roaming profile if he has one. Caller can use the -profile option to the get_user_account_info command to retrieve this. |
-servername SERVERNAME | Specifies the authenticating domain controller for the passed token in NETBIOS format. |
-username USERNAME | Specifies the user name to be used for the profile. By default the user name associated with TOKEN is used. |
-path EXECUTABLEPATH | If this option is specified, the matched process must have been created from the executable file matching EXECUTABLEPATH. This option cannot be used with the -name option. |
-name PROCESSNAME | If this option is specified, the matched process must have a name that matches PROCESSNAME. Generally the name is the same as the filename portion of the executable file path. This option cannot be used with the -path option. |
-glob | This option modifies the meaning of the -path and -name options. Normally, the match is done using case-insensitive, exact comparison. If -glob is specified, the PROCESSNAME and EXECUTABLEPATH are matched using glob-style pattern matching. |
Copyright © 2003-2020 Ashok P. Nadkarni