如何在 C++ 中可靠地检查一个 Windows 进程是否是另一个进程的父进程? [英] How can I reliably check whether one Windows process is the parent of another in C++?
问题描述
我正在开发一个函数,它可以为我获取给定 PID 的父进程的 PID.函数原型为
I'm working on a function which gets me the PID of the parent process for a given PID. The prototype of the function is
DWORD getParentPid( DWORD pid );
为此,我使用了 CreateToolhelp32Snapshot 函数(及相关函数)获取PROCESSENTRY32 结构用于我给定的 PID pid.然后我可以使用结构的 th32ParentProcessId 字段来获取创建给定进程的进程的 PID.
To do so, I'm using the CreateToolhelp32Snapshot function (and related functions) to get the PROCESSENTRY32 structure for my given PID pid. I can then use the th32ParentProcessId field of the structure to get the PID of the process which created my given process.
但是,由于父进程可能已经被销毁(并且它的 PID 可能已被 Windows 重用),我正在使用 GetProcessTimes 函数获取假定的父进程和子进程的创建时间,然后使用 CompareFileTime.
However, since the parent process might have been destroyed already (and it's PID might have been reused by Windows), I'm using the GetProcessTimes function to get the creation times of the supposed parent and the child process and then compare those using CompareFileTime.
如果CompareFileTime返回-1,我知道有父ID的进程是在我的子进程之前创建的,所以它确实是父进程.否则,它显然是一个重复使用的 ID - 并且父 PID 无效(它不再引用原始父).
If CompareFileTime returns -1, I know that the process with the parent ID was created before my child process, so it's indeed the parent. Otherwise, it's apparently a re-used ID - and the parent PID is invalid (it doesn't reference the original parent anymore).
问题在于它非常依赖于严格单调的系统时钟和 GetProcessTimes 的粒度.我确实遇到过 CompareFileTime 返回 0(这意味着时间相等")的情况,即使正在考虑的进程确实处于父子关系中.我可以更改我的支票,以便将 CompareFileTime 结果值 <= 0 视为表示父级,但随后我会打破父级的(理论)情况创建了一个子进程,然后父进程被销毁,然后 Windows 重新使用了 PID - 一切都在 100ns 之内(这是 GetProcessTimes 的分辨率).
The issue with this is that it very much relies on a strictly monotonous system clock and the granularity of GetProcessTimes. I did experience cases in which CompareFileTime returned 0 (which means "equal time") even though the process being considered were indeed in a parent-child relationship. I could change my check so that a CompareFileTime result value <= 0 would be considered to indicate a parent, but then I would break the (theoretical) case where a parent created a child process, then the parent was destroyed, and then Windows re-used the PID - all within 100ns (which is the resolution of GetProcessTimes).
我想知道 - 是否有一种不同的、更可靠的机制来验证某个进程确实是 C++ 中另一个进程的父进程?
I wonder - is there a different, more reliably, mechanism to verify that some process is indeed the parent of another process in C++?
我需要这个函数来确定所有子进程(这意味着包括孙子进程).CreateToolhelp32Snapshot 让我进行迭代在所有进程中,但我需要查看每个进程的父 PID,以确定它是否是我手头进程的子进程.
I need this function in order to determine all child processes (this means including grand-child processes). The CreateToolhelp32Snapshot lets me iterate over all processes but I need to look at the parent PID of each of them to tell whether it's a child of my process at hand.
推荐答案
这里的示例:
http://msdn.microsoft.com/en-us/library/ms686701(v=vs.85).aspx
显示使用 processId 参数调用 CreateToolhelp32Snapshot,它使用选项 TH32CS_SNAPPROCESS 表示它捕获所有进程.然后,一旦您获得了快照,就像在示例中一样,您可以按照快照中存在的流程来执行流程.父 id 在快照中应该是有效的,因为您正在查看所有进程的状态,因为它们在拍摄快照的单个时刻存在.您不必为流程开始时间比较而烦恼.
Shows calling CreateToolhelp32Snapshot with a parameter of 0 for the processId and it uses the option TH32CS_SNAPPROCESS which says it captures all processes. Then, once you've got the snapshot, as in the sample you can walk the processes as they existed in the snapshot. The parent id's should be valid within the snapshot because you're looking at the state of all the processes as they existed in the single moment when the snapshot was taken. You don't have to bother with your process start time comparison stuff.
这篇关于如何在 C++ 中可靠地检查一个 Windows 进程是否是另一个进程的父进程?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
