{"id":15923,"date":"2009-11-25T07:00:00","date_gmt":"2009-11-25T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2009\/11\/25\/how-do-i-get-the-command-line-of-another-process\/"},"modified":"2009-11-25T07:00:00","modified_gmt":"2009-11-25T07:00:00","slug":"how-do-i-get-the-command-line-of-another-process","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20091125-00\/?p=15923","title":{"rendered":"How do I get the command line of another process?"},"content":{"rendered":"

\nWin32 doesn’t expose a process’s command line to other processes.\nFrom Win32’s point of view, the command line is just a\n\nconveniently\ninitialized parameter to the process’s startup code<\/a>,\nsome data copied from the launching process to the new process\nand forgotten.\nWe’ll get back to the Win32 point of view a little later.\n<\/p>\n

\nIf you look around in WMI, you’ll find a\nWin32_Process<\/code> object, and lo and behold,\nit has a CommandLine<\/code> property.\nLet’s check it out,\nusing the\n\nstandard WMI application<\/a>:\n<\/p>\n

\nstrComputer = \".\"\nSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\nSet colItems = objWMIService.ExecQuery(\"Select * from Win32_Process<\/font>\")\nFor Each objItem in colItems\n     Wscript.Echo objItem.Name<\/font>\n     Wscript.Echo objItem.CommandLine<\/font>\nNext\n<\/pre>\n
\nI fully anticipate that half of my readers will stop right there.\n“Thanks for the script. Bye!”\nAnd they won’t bother reading the analysis.\n“Because analysis is boring,\nand it’ll just tell me stuff I don’t want to hear.\nThe analysis is going to tell me why this won’t work,\nor why it’s a bad idea,\nand that just cramps my style.”\n<\/p>\n
\nRemember that from Win32’s point of view,\nthe command line is\njust a string that is copied into the address space of the new process.\nHow the launching process and the new process interpret this string\nis governed\n\nnot by rules but by convention<\/a>.\n<\/p>\n
\nWhat’s more, since the string is merely a “preinitialized variable”,\na process could in principle (and many do in practice,\nalthough usually inadvertently) write to the memory that holds the\ncommand line, in which case, if you go snooping around for it,\nyou’ll see the modified command line.\nThere is no secret hiding place where the kernel keeps\nthe “real original command line,”\nany more than there is a secret hiding place where the C compiler\nkeeps the “real original parameters to a function.”\n<\/p>\n
\nThis is just another manifestation of the principle of\n\nnot keeping track of information you don’t need<\/a>.\n<\/p>\n
\nWhat does this mean for people who disregard this principle and\ngo after the command line of another process?\nYou have to understand what you are getting is non-authoritative\ninformation.\nIn fact, it’s worse.\nIt’s information the application itself may have changed\nin order to try to fool you<\/i>,\nso don’t use it to make important decisions.<\/p>\n","protected":false},"excerpt":{"rendered":"
Win32 doesn’t expose a process’s command line to other processes. From Win32’s point of view, the command line is just a conveniently initialized parameter to the process’s startup code, some data copied from the launching process to the new process and forgotten. We’ll get back to the Win32 point of view a little later. If […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-15923","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Win32 doesn’t expose a process’s command line to other processes. From Win32’s point of view, the command line is just a conveniently initialized parameter to the process’s startup code, some data copied from the launching process to the new process and forgotten. We’ll get back to the Win32 point of view a little later. If […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/15923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=15923"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/15923\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=15923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=15923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=15923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}