Examine Information on Windows NT System Level Primitives

Environment: Windows NT 4.0/2000 only, VC6 SP4, NT DDK is not needed :)

Overview

This article presents two separate utilities (NtSysInfo and WhoUses) to examine low level information on such Windows NT system primitives such as processes, threads, windows, modules and objects. Some of the things that I'm doing here are similar to the utilities found on the sysinternals Web site.

NtSysInfo Syntax

NtSysInfo enables you to explore the Windows NT internals and enumerate the system's processes, windows, threads, objects.
Usage: NtSysInfo.exe [/H[type]|/M[dllname]|/P|/T|/W] [processId]}
 /H          Handle list. Can be filtered by "type"
             type: File, Thread, Semaphore, Process, Event,...
 /M          Module list. Can be filtered by "dllname"
 /P          Process list (processId not used)
 /T          Thread list
 /W          Window list
 processId   Process ID, dec. or 0x??? (-1 = every process, default)

Examples:
  NtSysInfo.exe /HFile 651
  NtSysInfo.exe /H 1248
  NtSysInfo.exe /Mkernel32.dll
  NtSysInfo.exe /P
  NtSysInfo.exe /W
  NtSysInfo.exe /W 1215

WhoUses Syntax

NtSysInfo allows you to list processes, windows, threads, objects. The WhoUses utility enalbes you to determine what process has a file or DLL locked.
Usage: WhoUses.exe [/M] fileName
  /M         fileName is a module name ( EXE, DLL, ... )
  fileName   File name

Examples:
  WhoUses.exe /M kernel32.dll
  WhoUses.exe /M c:\test\test.dll
  WhoUses.exe yourTextFile.txt
  WhoUses.exe c:\pagefile.sys
  WhoUses.exe Serial0

Code Examples

  1. Get the process list
  2. SystemProcessInformation pi;
    pi.Refresh();
    // Iterate through pi.m_ProcessInfos
    
  3. Get the thread list
  4. // processId == -1 means every process
    SystemThreadInformation ti( processId ); 
    ti.Refresh();
    // Iterate through ti.m_ThreadInfos
    
  5. Get the object list
  6. // processId == -1 means every process
    SystemHandleInformation oi( processId ); 
    oi.Refresh();
    // Iterate through oi.m_HandleInfos
    
  7. Get the file object list
  8. // processId == -1 means every process
    SystemHandleInformation fi( processId ); 
    fi.SetFilter( _T("File"), TRUE ); // Refresh
    // Iterate through fi.m_HandleInfos
    
  9. Get the window list
  10. // processId == -1 means every process
    SystemWindowInformation wi( processId ); 
    wi.Refresh();
    // Iterate through wi.m_WindowInfos
    
  11. Get window list
  12. // processId == -1 means every process
    SystemModuleInformation mi( processId ); 
    mi.Refresh();
    // Iterate through mi.m_ModuleInfos
    

Warnings & Disclaimers

This software uses a few undocumented functions (ntdll.dll), peeks around in your systems internals. Use at your own risk! It works for me. :)

Resources

  • Book: Undocumented Windows NT by Prasad Dabak, Sandeep Phadke, Milind Borate
  • Book: Windows NT/2000 Native API Reference by Gary Nebbett
  • Web: System Internals, www.sysinternals.com

Downloads

Download source/demo code - 38 Kb


Comments

  • Thanks

    Posted by Praveen on 08/15/2012 02:40am

    Hi, Excellent stuff!! thanks a lot Regards, Praveen

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: September 23, 2015 @ 1:00 p.m. ET / 10:00 a.m. PT The cloud is not just about a runtime platform for your projects – now, you can do your development in the cloud, too. Check out this upcoming eseminar to learn how the cloud improves your development experience and team collaboration. Join Dana Singleterry, Principal Product Manager for Oracle Dev Tools, as he discusses how to simplify every aspect of the development lifecycle, including requirements gathering, version management, code …

  • Lenovo recommends Windows 8 Pro. "I dropped my laptop getting out of the taxi." This probably sounds familiar to most IT professionals. If your employees are traveling, you know their devices are in for a rough go. Whether it's a trip to the conference room or a convention out of town, any time equipment leaves a user's desk it is at risk of being put into harm's way. Stay connected at all times, whether at the office or on the go, with agile, durable, and flexible devices like the Lenovo® …

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date