How can I read the standard output of an already-running process?

Raymond Chen

A customer wanted to know if they could read the standard output of an already-running process. They didn’t explain why, but my guess is that their main process launches a helper process (not written by them) to begin some workflow, and eventually that helper process launches a console process, which produces the desired output. But they want their main process to read that output, presumably so they can continue automating the workflow.

Unfortunately, there is no way to read the standard output of an already-running process. Standard handles, like the environment variables and current directory, are properties of the process that are not exposed to outsiders by the system.¹

In particular, programs do not expect these properties to change asynchronously. For example, a program that might check the standard output handle and put up a progress spinner if it is a console but not if it is a pipe or file.

Some programs check whether their standard output handle refers to a console (in which case they will use functions like WriteConsoleW to get Unicode support or SetConsoleTextAttribute to get colors. Furthermore, the C runtime libraries typically check their standard output handle at startup to see whether it has been redirected to a file. This alters the behavior of standard I/O functions because buffering is enabled for non-interactive standard output. If you could change the standard output handle out from under a program’s nose, it would try using WriteConsoleW to write to something that isn’t a console any more. The calls would fail, and the program would generate no output at all.

It’s actually worse because it’s not uncommon for programs to call GetStdHandle and save the value in a variable, then use that variable to write to standard output instead of calling GetStdHandle every time. So even if you managed to change the standard output handle, you’d be too late.

What you have to do is find a way to influence the standard output of the console process at the point it is created. Since the presumed intention is for the output of the child process to be visible to the user, the console process probably inherits its standard output from its parent, so you can get the child to operate with redirected output by redirecting the output of the parent process. You’ll have to figure out how to distinguish the output of the parent from the output of the child, but so too did human beings who ran the helper process manually, so presumably there’s some consistent way of recognizing it.

¹ Of course, that doesn’t stop a program from explicitly exposing a custom mechanism for allowing other processes to manipulate them.

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

5 comments

Discussion is closed. Login to edit/delete existing comments.

Igor Levicki December 15, 2025

@Melissa P

> Some processes are outside your scope, developed by 3rd parties that lack the experience to do it right.

In my 15+ year experience, it's usually one of the following:

- not understanding how 3rd party component is supposed to be used
- unwillingness to license optional 3rd party component that already exists and does what you want
- unwillingness to pay 3rd party change request to ease integration

> Then you have either the option to add quirks or state that your software cannot handle that. That either means excessive work at other places to compensate, or losing...
Read more
@Melissa P

> Some processes are outside your scope, developed by 3rd parties that lack the experience to do it right.

In my 15+ year experience, it’s usually one of the following:

– not understanding how 3rd party component is supposed to be used
– unwillingness to license optional 3rd party component that already exists and does what you want
– unwillingness to pay 3rd party change request to ease integration

> Then you have either the option to add quirks or state that your software cannot handle that. That either means excessive work at other places to compensate, or losing customers.

The moment you put an equal sign between “inject remote thread into 3rd party process” and “add quirks” is the moment you should stop what you are doing, and do some introspection.

“Add hacks or lose customers” is a false dichotomy. The real alternatives are to define supported behavior, fix the integration at the correct boundary, or push the change to the component that’s actually broken.

Adding “quirks” just hides the problem, increases long‑term cost, and shifts risk onto code that now has to emulate undefined behavior indefinitely without any guarantee that next 3rd party update won’t break it with consequences that can range from “your process crashed” to “vendor’s process billed the wrong customer” to “ATM entered reboot loop and bank demands comping the penalties they were charged by VISA and MasterCard for downtime”.

> To put it in perspective: You can sell a car which only runs on perfectly maintained roads with perfect surfaces and markings. The question is if anyone will buy such a car or if authorities as a consequence will make every single road perfect. It’s a choice. If you’re the only car manufacturer, or the most important one, this consideration works.

Except that 3rd parties aren’t regulators — they’re just another component in the system.

Treating them as authorities to be accommodated shifts responsibility away from your own integration design and encourages hacks that hide problems instead of solving them properly.

> Adding quirks is a common thing in a non-perfect world. You find it in the Unix/Linux world to make broken hardware compatible and runnable, you find it in the Windows world to make broken software run. And vice versa. You can also ask the original manufacturer of the 3rd party component, but that usually ends in either “we don’t care at all” or “we lost the source code”.

Something being common doesn’t mean it’s the right thing to do.

> Now the question of course is, are you doing the right thing in the first place, or misunderstanding the concept of what you’re supposed to do. That is part of risk analysis. Suggestions like these are not coming from managers; managers just delegate nonsense that other developers proposed as solutions.

The question is — will you be that developer such “solutions” are delegated to, or will you have some professional integrity to say “no, let those who proposed this write it”?

Read less
Joshua Hudson December 4, 2025

There once was a Visual Studio bug that was leaking directory handles. For this reason I have lying around the *correct* routine to replace a handle in a process without breaking anything, so yes I *can* swap out a process’s standard output handle. This probably won’t work very well here because the target process most likely will have generated output already.

I recommend using a loopback ssh connection to gather the output.
Melissa P December 4, 2025

but you can inject a drone (remote thread) into the process and read the PEB for the standard handle values; in case of the mentioned issue that standard handles aren't used (read) anymore you can detect what mechanism (which standard lib) is writing into stdout/conout and proxy those methods to capture the output while keeping the existing writes intact -- so it's doable but very hacky and very program specific -- no generic solution but if the end justifies the means it is possible to do so ...

... done that once to "fix" broken process output that used their own...
Read more
but you can inject a drone (remote thread) into the process and read the PEB for the standard handle values; in case of the mentioned issue that standard handles aren’t used (read) anymore you can detect what mechanism (which standard lib) is writing into stdout/conout and proxy those methods to capture the output while keeping the existing writes intact — so it’s doable but very hacky and very program specific — no generic solution but if the end justifies the means it is possible to do so …

… done that once to “fix” broken process output that used their own code page character generation instead of NLS and generated garbled binary output on a text console

Read less
- Igor Levicki December 5, 2025
  
  Technically possible? Yes.
  
  But hear me out — requests like this come from managers who ask the dev to “just make it work”. Resulting kludges come from devs who can’t say “No” to such requests. I can understand when the reason is fearing for their job if they refuse, but worst kludges come from devs who think they are clever and treat it as a challenge — they are the most dangerous ones.
  - Melissa P December 7, 2025
    
    It depends. In the end it's risk analysis. Some processes are outside your scope, developed by 3rd parties that lack the experience to do it right. Then you have either the option to add quirks or state that your software cannot handle that. That either means excessive work at other places to compensate, or losing customers.
    
    To put it in perspective: You can sell a car which only runs on perfectly maintained roads with perfect surfaces and markings. The question is if anyone will buy such a car or if authorities as a consequence will make every single road perfect. It's...
    Read more
    It depends. In the end it’s risk analysis. Some processes are outside your scope, developed by 3rd parties that lack the experience to do it right. Then you have either the option to add quirks or state that your software cannot handle that. That either means excessive work at other places to compensate, or losing customers.
    
    To put it in perspective: You can sell a car which only runs on perfectly maintained roads with perfect surfaces and markings. The question is if anyone will buy such a car or if authorities as a consequence will make every single road perfect. It’s a choice. If you’re the only car manufacturer, or the most important one, this consideration works.
    
    Adding quirks is a common thing in a non-perfect world. You find it in the Unix/Linux world to make broken hardware compatible and runnable, you find it in the Windows world to make broken software run. And vice versa. You can also ask the original manufacturer of the 3rd party component, but that usually ends in either “we don’t care at all” or “we lost the source code”.
    
    Now the question of course is, are you doing the right thing in the first place, or misunderstanding the concept of what you’re supposed to do. That is part of risk analysis. Suggestions like these are not coming from managers; managers just delegate nonsense that other developers proposed as solutions.
    
    Read less

Stay informed

Get notified when new posts are published.

Email *

Country/Region *

I would like to receive the The Old New Thing Newsletter. Privacy Statement.

Follow this blog

How can I read the standard output of an already-running process?

Author

5 comments

Read next

How can my process read its own standard output?

How does Windows synthesize `CF_OEMTEXT` from `CF_TEXT` and vice versa?

Author

5 comments

Read next

How can my process read its own standard output?

How does Windows synthesize CF_OEM­TEXT from CF_TEXT and vice versa?

Stay informed

How does Windows synthesize `CF_OEMTEXT` from `CF_TEXT` and vice versa?