Finding the command line options a process was launched with

Question

I'm trying to find out how to do this, I'm currently using CreateToolHelp32SnapShot to get a list of the running processes and I've got the FilePaths of the executables which are currently running, but I need to be able to find out what command line options were used to start the process.

I know its possible since you can see it on Process Explorer, I tried finding the source code of the old Process Explorer but had no luck :(

Answer 1

check if NtQueryInformationProcess and ReadProcessMemory win API calls will do what you need. There is no simple example for that so check the source code here: Get Process Info with NtQueryInformationProcess

another way for getting this data is throgh WMI, smth like this:

SELECT CommandLine FROM Win32_Process WHERE ProcessId = ???

more info here: Win32_Process Class

Answer 2

Getting the command line of running processes cannot be done in a reliable fashion. It is very possible for the command line of a running process to be changed by changing the memory which stores those commands.

Raymond Chen did a nice article on this subject recently detailing why it's not reliable.

• http://blogs.msdn.com/oldnewthing/archive/2009/11/25/9928372.aspx

Answer 3

One possibility that occurs almost immediately would be to inject a thread into the target process (CreateRemoteThread), and have that call GetCommandLine.

Answer 4

IIRC the command line parameters are stored in the process environment - if you can access it you can read them too.