I want to find the path of every running process in Windows. I tried to use the psutil module, but it doesn't show me all the paths. It can't find many processes' paths because of the error: "psutil.AccessDenied".
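    import psutil
    import wmi

    c = wmi.WMI()
    for process in c.Win32_Process():
        try:
            # Process() can raise NoSuchProcess and exe() can raise AccessDenied;
            # both derive from psutil.Error.
            p = psutil.Process(int(process.ProcessId))
            path = p.exe()
        except psutil.Error:
            path = "-"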
Is there another way to get a path of a process?
As an administrator you might be able to get PROCESS_QUERY_LIMITED_INFORMATION (0x1000) access for a given process if you can't get PROCESS_QUERY_INFORMATION (0x400). QueryFullProcessImageNameW only requires limited access. However, not even this will work in all cases. For example, the security descriptor on csrss.exe only grants access to the SYSTEM account, not administrators. Another example is services.exe, which runs at System (S-1-16-16384) integrity level, while an administrator token is only at High (S-1-16-12288) integrity level.
You normally can't open a handle to such processes. But as an administrator you have the almost omnipotent SeDebugPrivilege. If you enable this privilege, Windows AccessCheck will suddenly become your best friend (but even best friends have their limits).
Below is some ctypes code to enable and disable a privilege in the current process access token. The privilege has to be present in the token to begin with, so be sure to run this using the Administrator account or as an elevated administrator if using UAC.
Test:
Output
It's understandable to be denied access to the Idle (0) and System (4) processes. However, it's interesting that access was denied to PID 4704, even to a debugger. This is audiodg.exe, which is a protected process, as described in the "Protected Processes" white paper available for download at the Windows Hardware Dev Center Archive. Protected processes allow querying limited information, such as the image path. Let's quickly verify that this is the case:
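The following is an added example, not code from the original answer. It sketches the limited-access query the answer describes: try PROCESS_QUERY_INFORMATION, fall back to PROCESS_QUERY_LIMITED_INFORMATION, and report which right was enough to read the image path. The helper names `load_kernel32` and `image_path` are hypothetical, and the sketch does not enable SeDebugPrivilege.

```python
import ctypes
import sys
from ctypes import wintypes

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
MAX_PATH_CHARS = 32768  # large enough for long Win32 paths


def load_kernel32():
    """Windows only: bind the kernel32 functions with explicit prototypes."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    k32.QueryFullProcessImageNameW.restype = wintypes.BOOL
    k32.QueryFullProcessImageNameW.argtypes = (
        wintypes.HANDLE, wintypes.DWORD, wintypes.LPWSTR, wintypes.PDWORD)
    k32.CloseHandle.restype = wintypes.BOOL
    k32.CloseHandle.argtypes = (wintypes.HANDLE,)
    return k32


def image_path(pid, k32):
    """Return (path, access_right_used), or (None, None) if both are refused."""
    for access in (PROCESS_QUERY_INFORMATION,
                   PROCESS_QUERY_LIMITED_INFORMATION):
        handle = k32.OpenProcess(access, False, pid)
        if not handle:
            continue  # denied at this access level, try the weaker one
        try:
            size = wintypes.DWORD(MAX_PATH_CHARS)  # in/out, in characters
            buf = ctypes.create_unicode_buffer(size.value)
            # Flags 0 requests the Win32 path format.
            if k32.QueryFullProcessImageNameW(handle, 0, buf,
                                              ctypes.byref(size)):
                return buf.value, access
        finally:
            k32.CloseHandle(handle)  # always release the handle
    return None, None


if __name__ == "__main__" and sys.platform == "win32":
    import os
    print(image_path(os.getpid(), load_kernel32()))
```

A result whose second element is 0x1000 means the process refused PROCESS_QUERY_INFORMATION but still allowed the limited query.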