Examine Information on Windows NT System Level Primitives
|
Environment: Windows NT 4.0/2000 only, VC6 SP4, NT DDK is not needed :)
Overview
This article presents two separate utilities (NtSysInfo and WhoUses) to examine low level information on such Windows NT system primitives such as processes, threads, windows, modules and objects. Some of the things that I'm doing here are similar to the utilities found on the sysinternals Web site.NtSysInfo Syntax
NtSysInfo enables you to explore the Windows NT internals and enumerate the system's processes, windows, threads, objects.
Usage: NtSysInfo.exe [/H[type]|/M[dllname]|/P|/T|/W] [processId]}
/H Handle list. Can be filtered by "type"
type: File, Thread, Semaphore, Process, Event,...
/M Module list. Can be filtered by "dllname"
/P Process list (processId not used)
/T Thread list
/W Window list
processId Process ID, dec. or 0x??? (-1 = every process, default)
Examples:
NtSysInfo.exe /HFile 651
NtSysInfo.exe /H 1248
NtSysInfo.exe /Mkernel32.dll
NtSysInfo.exe /P
NtSysInfo.exe /W
NtSysInfo.exe /W 1215
WhoUses Syntax
NtSysInfo allows you to list processes, windows, threads, objects. The WhoUses utility enalbes you to determine what process has a file or DLL locked.Usage: WhoUses.exe [/M] fileName /M fileName is a module name ( EXE, DLL, ... ) fileName File name Examples: WhoUses.exe /M kernel32.dll WhoUses.exe /M c:\test\test.dll WhoUses.exe yourTextFile.txt WhoUses.exe c:\pagefile.sys WhoUses.exe Serial0
Code Examples
- Get the process list
- Get the thread list
- Get the object list
- Get the file object list
- Get the window list
- Get window list
SystemProcessInformation pi;
pi.Refresh();
// Iterate through pi.m_ProcessInfos
// processId == -1 means every process SystemThreadInformation ti( processId ); ti.Refresh(); // Iterate through ti.m_ThreadInfos
Digg
del.icio.us
Newsvine
Facebook
Google
LinkedIn
MySpace
Reddit
Slashdot
StumbleUpon
Technorati
Twitter
Windows Live
YahooBuzz
FriendFeed// processId == -1 means every process SystemHandleInformation oi( processId ); oi.Refresh(); // Iterate through oi.m_HandleInfos
// processId == -1 means every process SystemHandleInformation fi( processId ); fi.SetFilter( _T("File"), TRUE ); // Refresh // Iterate through fi.m_HandleInfos
// processId == -1 means every process SystemWindowInformation wi( processId ); wi.Refresh(); // Iterate through wi.m_WindowInfos
// processId == -1 means every process SystemModuleInformation mi( processId ); mi.Refresh(); // Iterate through mi.m_ModuleInfos
Warnings & Disclaimers
This software uses a few undocumented functions (ntdll.dll), peeks around in your systems internals. Use at your own risk! It works for me. :)Resources
- Book: Undocumented Windows NT by Prasad Dabak, Sandeep Phadke, Milind Borate
- Book: Windows NT/2000 Native API Reference by Gary Nebbett
- Web: System Internals, www.sysinternals.com
Downloads
Download source/demo code - 38 Kb
|
IT Offers
Partners
More for Developers
Top Authors
- Voted: 13 times.
- Voted: 11 times.
- Voted: 11 times.
- Voted: 10 times.
- Voted: 8 times.
- Paul Kimmel 78 articles
- Tom Archer - MSFT 75 articles
- Zafir Anjum 61 articles
- Bradley Jones 43 articles
- Marius Bancila 31 articles
