Home/ Questions/Q 8082055
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T16:57:11+00:00

I’m looking at Task Manager’s list of processes, and enabled View > Select columns

  • 0

I’m looking at Task Manager’s list of processes, and enabled View > Select columns > Command line to see include exe path & command line arguments.

I tried to get the same thing working using GetModuleFileNameEx but there’s some problems; first, the result doesn’t include any arguments and it also fails for some processes, as basic as WinRar.exe or Opera.exe.

I know that Task Manager uses WMI to get some of this data (I tried shutting down the service and it failed just the way my script did, for the same processes), but I wonder, what makes a process’s path “ungettable”?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Task Manager uses the process’s PEB structure to access the command-line arguments (amongst other things). If you have a HANDLE to the target process (and sufficient rights to access its memory), you can access the PEB using the NtQueryInformationProcess() function (set its ProcessInformationClass parameter to ProcessBasicInformation to receive a PROCESS_BASIC_INFORMATION structure) to obtain the memory address of the PEB within the target process’s address space (amongst other things). You can then use ReadProcessMemory() to read the contents of the PEB into your app’s address space as needed. The command-line parameters are located by using the PEB::ProcessParameters field, which is a pointer to a RTL_USER_PROCESS_PARAMETERS structure, which contains a CommandLine field of type UNICODE_STRING.

    Things get a little trickier if you are a 32-bit process accessing the PEB of a 64-bit process, or vice versa. You have to take into account the different sizes of pointers (4 of 32-bit, 8 for 64-bit), which affects structure sizes and offsets.

    But this is the gist of it.

    • 0