Process Enumeration
All users have read access to the list of processes in the system and there are a number of different functions that enumerate the active processes. The function you should use will depend on factors such as desired platform support.
The following functions are used to enumerate processes.
| Function | Description |
|---|---|
| EnumProcesses | Retrieves the process identifier for each process object in the system. |
| Process32First | Retrieves information about the first process encountered in a system snapshot. |
| Process32Next | Retrieves information about the next process recorded in a system snapshot. |
| WTSEnumerateProcesses | Retrieves information about the active processes on the specified terminal server. |
The toolhelp functions and EnumProcesses enumerate all process. To list the processes that are running in a specific user account, use WTSEnumerateProcesses and filter on the user SID. You can filter on the session ID to hide processes running in other terminal server sessions.
You can also filter processes by user account, regardless of the enumeration function, by calling OpenProcess, OpenProcessToken, and GetTokenInformation with TokenUser. However, you cannot open a process that is protected by a security descriptor unless you have been granted access.