Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I reliably check whether one Windows process is the parent of another in C++?

Tags:

c++

windows

winapi

I'm working on a function which gets me the PID of the parent process for a given PID. The prototype of the function is

DWORD getParentPid( DWORD pid );

To do so, I'm using the CreateToolhelp32Snapshot function (and related functions) to get the PROCESSENTRY32 structure for my given PID pid. I can then use the th32ParentProcessId field of the structure to get the PID of the process which created my given process.

However, since the parent process might have been destroyed already (and it's PID might have been reused by Windows), I'm using the GetProcessTimes function to get the creation times of the supposed parent and the child process and then compare those using CompareFileTime.

If CompareFileTime returns -1, I know that the process with the parent ID was created before my child process, so it's indeed the parent. Otherwise, it's apparently a re-used ID - and the parent PID is invalid (it doesn't reference the original parent anymore).

The issue with this is that it very much relies on a strictly monotonous system clock and the granularity of GetProcessTimes. I did experience cases in which CompareFileTime returned 0 (which means "equal time") even though the process being considered were indeed in a parent-child relationship. I could change my check so that a CompareFileTime result value <= 0 would be considered to indicate a parent, but then I would break the (theoretical) case where a parent created a child process, then the parent was destroyed, and then Windows re-used the PID - all within 100ns (which is the resolution of GetProcessTimes).

I wonder - is there a different, more reliably, mechanism to verify that some process is indeed the parent of another process in C++?

Edit: I need this function in order to determine all child processes (this means including grand-child processes). The CreateToolhelp32Snapshot lets me iterate over all processes but I need to look at the parent PID of each of them to tell whether it's a child of my process at hand.

like image 895
Frerich Raabe Avatar asked Jul 06 '11 07:07

Frerich Raabe

1 Answers

If the process(es) have been created whilst your app is running, you could just iterate over it repeatedly over time and catch PID re-use.

like image 181
Puppy Avatar answered Oct 19 '22 23:10

Puppy
Sign in to Comment

Related questions

RELAX NG C++ Code Generator? [closed]
Visual Studio "go to header file" not working with hpp files
gcc c++ command line error-message parser
Boost.Python on Mac OS X: "TypeError: Attribute name must be string"
Problems regarding Boost::Python and Boost::Threads
C# - Capturing Windows Messages from a specific application
error RC2175 : resource file res\icon3.bmp is not in 3.00 format?
Make C++ call the right template method in an un-ugly way
How do C++ operators work
Xcode C++ debugging
Boilerplate typedefs for STL-compatible container
Windows Application Profilers - C++ Exe
Cross platform and language plugin system
Using DirectShow to capture frames and OpenCV to Process
How to translate gendered pronouns in Qt's QTranslator
undefined reference to `boost::log_mt_posix::basic_attribute_set<char>::~basic_attribute_set()'
Expanding parameter pack containing initializer_list to constructor
Boost Python and vectors of shared_ptr
VC++ error when using a pointer to a template function
Qt intercept Application::exec in the application class?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!