Show all processes with a name and then show detail

Maxine Rogers

03 Nov 2017, 06:19

I want to be able to show Windows processes that call themselves, say, xyz.exe (simple enough), but I also want to display the copyright info.

Right now I must do this manually by going to Task Manager, selecting the file, right-clicking, selecting Properties, then going to the Details tab.

I searched high and low and had no success.

Kindly help me.
Posts: 6902
Joined: 19 Dec 2016, 01:58
Location: UK

Re: Show all processes with a name and then show detail

03 Nov 2017, 15:11

E.g. Notepad (Windows 7) version info, obtained using Resource Hacker.

Code:

	BLOCK "040904B0"
		VALUE "CompanyName", "Microsoft Corporation"
		VALUE "FileDescription", "Notepad"
		VALUE "FileVersion", "6.1.7601.18917 (win7sp1_gdr.150709-0600)"
		VALUE "InternalName", "Notepad"
		VALUE "LegalCopyright", "© Microsoft Corporation. All rights reserved."
		VALUE "OriginalFilename", "NOTEPAD.EXE"
		VALUE "ProductName", "Microsoft® Windows® Operating System"
		VALUE "ProductVersion", "6.1.7601.18917"
And so we will use '040904B0\LegalCopyright' in the script below:

Code:

;Win32_Process class (Windows)
;FileVersion() - FileVersionInfo simplified - AutoHotkey Community

q:: ;get copyright information for open processes
vOutput := ""
for oProc in ComObjGet("winmgmts:").ExecQuery("Select * from Win32_Process")
{
	;take name and path from the WMI object itself: WinGet with ahk_pid only finds
	;processes that own a detected window, so services such as svchost.exe would be skipped
	vPName := oProc.Name
	vPPath := oProc.ExecutablePath ;blank for processes the script is not allowed to open (run as admin)
	if !(vPName = "") && FileExist(vPPath)
		vOutput .= vPName " " FileVersion(vPPath, "040904B0\LegalCopyright") "`r`n"
}
Clipboard := vOutput
MsgBox, % "done"
return


;Qry is "<language><codepage>\<string name>"; 040904B0 is the English (US) Unicode block.
;A file whose StringFileInfo uses a different block returns "" (the pairs present are listed under \VarFileInfo\Translation).
FileVersion( PE := "",  Qry := "040904B0\FileDescription" ) { ; by SKAN 18-Aug-2014
  Local pInfo := 0
  If Sz := DllCall( "Version\GetFileVersionInfoSizeW", "WStr",PE ? PE : PE := A_AhkPath, "Int",0 )
  If DllCall( "Version\GetFileVersionInfoW", "WStr",PE, "Int",0, "UInt",VarSetCapacity( V,Sz ), "Str",V )
  If DllCall( "Version\VerQueryValueW", "Str",V, "WStr","\StringFileInfo\" . Qry, "PtrP",pInfo, "Int",0 )
     Return StrGet( pInfo, "UTF-16" )
}
Maxine Rogers

Re: Show all processes with a name and then show detail

03 Nov 2017, 15:34

My goal is to check all the running svchost.exe files and make sure all are Microsoft. Virus files sometimes use svchost.exe, and it is not uncommon for there to be 5+ real svchost files running. Hope this explains what I am seeking to get to.

Thank you for your kind contributions.
Posts: 1247
Joined: 30 Sep 2013, 10:54
Location: Brazil

Re: Show all processes with a name and then show detail

03 Nov 2017, 22:25

Hello Maxine Rogers.

Welcome to the AutoHotkey community forums.

The code below reads all processes and lists them in a message box. The list is also copied to the clipboard for easy pasting.

NOTE: it is important to keep in mind that reading system processes like svchost.exe requires special privileges. Also, some process names are in Unicode, so you have to compile the code below using the Unicode64 version of AutoHotkey (or Unicode32 only if your system is 32-bit) and then run the compiled .exe as admin to get the most complete list (otherwise, you will only get a list of paths for some low-privilege processes).

*All credits for the functions go to their individual authors as listed.

Code:

#SingleInstance Force
SetBatchLines -1


AccessRights_EnableSeDebug() ; lets OpenProcess reach other users' processes; only effective when the script runs elevated

for i, v in WTSEnumerateProcessesEx()
{
    FullEXEPath := GetModuleFileNameEx( v.ProcessID )
    ; no path (access denied, protected process): skip the version query rather than pass ""
    Legal := FullEXEPath ? FileGetInfo( FullEXEPath ).LegalCopyright : ""
    OUT_LIST .= "Name: " . v.ProcessName . "`nPath: " . FullEXEPath . "`nLegal: " . Legal . "`n`n"
}
Clipboard := OUT_LIST
msgbox % OUT_LIST

; ==============================================================
; WTSEnumerateProcessesEx() By JNIZM -

WTSEnumerateProcessesEx()
{
    static hWTSAPI := DllCall("LoadLibrary", "str", "wtsapi32.dll", "ptr")

    ; level 0 = WTS_PROCESS_INFO entries, session -2 = WTS_ANY_SESSION
    if !(DllCall("wtsapi32\WTSEnumerateProcessesEx", "ptr", 0, "uint*", 0, "uint", -2, "ptr*", buf, "uint*", TTL))
        throw Exception("WTSEnumerateProcessesEx failed", -1)
    addr := buf, WTS_PROCESS_INFO := []
    loop % TTL
    {
        WTS_PROCESS_INFO[A_Index, "SessionID"]   := NumGet(addr+0, "uint")
        WTS_PROCESS_INFO[A_Index, "ProcessID"]   := NumGet(addr+4, "uint")
        WTS_PROCESS_INFO[A_Index, "ProcessName"] := StrGet(NumGet(addr+8, "ptr"))
        WTS_PROCESS_INFO[A_Index, "UserSID"]     := NumGet(addr+8+A_PtrSize, "ptr")
        addr += 8 + (A_PtrSize * 2) ; sizeof(WTS_PROCESS_INFO): two DWORDs and two pointers
    }
    if !(DllCall("wtsapi32\WTSFreeMemoryEx", "int", 0, "ptr", buf, "uint", TTL)) ; 0 = WTSTypeProcessInfoLevel0
        throw Exception("WTSFreeMemoryEx failed", -1)
    return WTS_PROCESS_INFO
}


; ==================================================
; FileGetInfo() By Lexikos -

FileGetInfo( lptstrFilename) {
	List := "Comments InternalName ProductName CompanyName LegalCopyright ProductVersion"
		. " FileDescription LegalTrademarks PrivateBuild FileVersion OriginalFilename SpecialBuild"
	i := {}
	dwLen := DllCall("Version.dll\GetFileVersionInfoSize", "Str", lptstrFilename, "Ptr", 0)
	if !dwLen ; empty path, unreadable file or no version resource: return an empty object
		return i
	dwLen := VarSetCapacity( lpData, dwLen + A_PtrSize)
	DllCall("Version.dll\GetFileVersionInfo", "Str", lptstrFilename, "UInt", 0, "UInt", dwLen, "Ptr", &lpData)
	; use the file's first language/codepage pair instead of assuming 040904B0
	if !DllCall("Version.dll\VerQueryValue", "Ptr", &lpData, "Str", "\VarFileInfo\Translation", "PtrP", lplpBuffer, "PtrP", puLen )
		return i
	sLangCP := Format("{:04X}{:04X}", NumGet(lplpBuffer+0, "UShort"), NumGet(lplpBuffer+2, "UShort"))
	Loop, Parse, % List, %A_Space%
		DllCall("Version.dll\VerQueryValue", "Ptr", &lpData, "Str", "\StringFileInfo\" sLangCp "\" A_LoopField, "PtrP", lplpBuffer, "PtrP", puLen )
		? i[A_LoopField] := StrGet(lplpBuffer, puLen) : ""
	return i
}


; =================================================================================================
; GetModuleFileNameEx() By Shimanov as cited by SKAN -
; Modified to use GetModuleFileNameExW if A_IsUnicode - By Gio - 03-11-17

GetModuleFileNameEx( p_pid ) ; by shimanov -
{
   if A_OSVersion in WIN_95,WIN_98,WIN_ME
   {
      MsgBox, This Windows version (%A_OSVersion%) is not supported.
      return ""
   }
   ; PROCESS_VM_READ | PROCESS_QUERY_INFORMATION; denied for protected processes and,
   ; without SeDebugPrivilege, for other users' processes (the function then returns "")
   h_process := DllCall( "OpenProcess", "UInt", 0x10|0x400, "Int", false, "UInt", p_pid, "Ptr" )
   if ( ErrorLevel or h_process = 0 )
      return ""
   name_size := 260 ; MAX_PATH, in characters
   VarSetCapacity( name, name_size * (A_IsUnicode ? 2 : 1) ) ; capacity is in bytes; 255 bytes for 255 WCHARs would overflow
   If A_IsUnicode
      result := DllCall( "psapi.dll\GetModuleFileNameExW", "Ptr", h_process, "Ptr", 0, "Str", name, "UInt", name_size )
   else
      result := DllCall( "psapi.dll\GetModuleFileNameExA", "Ptr", h_process, "Ptr", 0, "Str", name, "UInt", name_size )
   DllCall( "CloseHandle", "Ptr", h_process )
   return result ? name : ""
}

; =================================================================================================
; AccessRights_EnableSeDebug() By Cyruz -
; ----------------------------------------------------------------------------------------------------------------------
; Function .....: AccessRights_EnableSeDebug
; Description ..: Enable the SE_DEBUG_PRIVILEGE on the current script instance.
; AHK Version ..: AHK_L x32/64 Unicode
; Author .......: Cyruz -
; License ......: WTFPL -
; Changelog ....: Feb. 5, 2014 - v0.1 - First version.
; ----------------------------------------------------------------------------------------------------------------------
AccessRights_EnableSeDebug() {
	hProc := DllCall( "OpenProcess", UInt,0x0400, Int,0, UInt,DllCall("GetCurrentProcessId"), "Ptr" )
	DllCall( "Advapi32.dll\OpenProcessToken", Ptr,hProc, UInt,0x0020|0x0008, PtrP,hToken )

	VarSetCapacity(LUID, 8, 0)
	DllCall( "Advapi32.dll\LookupPrivilegeValue", Ptr,0, Str,"SeDebugPrivilege", Ptr,&LUID )

	VarSetCapacity( TOKPRIV, 16, 0   )					      ; TOKEN_PRIVILEGES structure:
	NumPut( 1, &TOKPRIV, 0,   "UInt" )                        ; TOKEN_PRIVILEGES > PrivilegeCount.
	NumPut( NumGet( &LUID, 0, "UInt" ), &TOKPRIV, 4, "UInt" ) ; TOKEN_PRIVILEGES > LUID_AND_ATTRIBUTES > LUID > LoPart.
	NumPut( NumGet( &LUID, 4, "UInt" ), &TOKPRIV, 8, "UInt" ) ; TOKEN_PRIVILEGES > LUID_AND_ATTRIBUTES > LUID > HiPart.
	NumPut( 2, &TOKPRIV, 12,  "UInt" )                        ; TOKEN_PRIVILEGES > LUID_AND_ATTRIBUTES > Attributes.
														      ; SE_PRIVILEGE_ENABLED = 2.

	DllCall( "Advapi32.dll\AdjustTokenPrivileges", Ptr,hToken, Int,0, Ptr,&TOKPRIV, UInt,0, Ptr,0, Ptr,0 )
	DllCall( "CloseHandle", Ptr,hToken )
	DllCall( "CloseHandle", Ptr,hProc  )
}

Best wishes.
Posts: 89
Joined: 13 Jan 2015, 19:48

Re: Show all processes with a name and then show detail

04 Nov 2017, 07:48

This one checks many details of your running processes called svchost.exe, à la Task Manager, such as the command lines, which can help you identify fakes.

Code:

#SingleInstance Ignore

;request admin rights: relaunch elevated and exit; if the UAC prompt is declined, Run throws and we carry on unelevated
full_command_line := DllCall("GetCommandLine", "str")
if not (A_IsAdmin or RegExMatch(full_command_line, " /restart(?!\S)"))
{
	try
	{
		if A_IsCompiled
			Run *RunAs "%A_ScriptFullPath%" /restart
		else
			Run *RunAs "%A_AhkPath%" /restart "%A_ScriptFullPath%"
		ExitApp
	}
}
if not A_IsAdmin
	MsgBox, Administrator rights not found, the program might not work correctly.

Gui, New, -DPIScale
Gui, Add, ListView, x0 y0 w%A_ScreenWidth% h480, CreationClassName|Caption|CommandLine|CreationDate|CSCreationClassName|CSName|Description|ExecutablePath|ExecutionState|Handle|HandleCount|InstallDate|KernelModeTime|MaximumWorkingSetSize|MinimumWorkingSetSize|Name|OSCreationClassName|OSName|OtherOperationCount|OtherTransferCount|PageFaults|PageFileUsage|ParentProcessId|PeakPageFileUsage|PeakVirtualSize|PeakWorkingSetSize|Priority|PrivatePageCount|ProcessId|QuotaNonPagedPoolUsage|QuotaPagedPoolUsage|QuotaPeakNonPagedPoolUsage|QuotaPeakPagedPoolUsage|ReadOperationCount|ReadTransferCount|SessionId|Status|TerminationDate|ThreadCount|UserModeTime|VirtualSize|WindowsVersion|WorkingSetSize|WriteOperationCount|WriteTransferCount
for process in ComObjGet("winmgmts:").ExecQuery("Select * from Win32_Process where Name='svchost.exe'")
    LV_Add("", process.CreationClassName, process.Caption, process.CommandLine, process.CreationDate, process.CSCreationClassName, process.CSName, process.Description, process.ExecutablePath, process.ExecutionState, process.Handle, process.HandleCount, process.InstallDate, process.KernelModeTime, process.MaximumWorkingSetSize, process.MinimumWorkingSetSize, process.Name, process.OSCreationClassName, process.OSName, process.OtherOperationCount, process.OtherTransferCount, process.PageFaults, process.PageFileUsage, process.ParentProcessId, process.PeakPageFileUsage, process.PeakVirtualSize, process.PeakWorkingSetSize, process.Priority, process.PrivatePageCount, process.ProcessId, process.QuotaNonPagedPoolUsage, process.QuotaPagedPoolUsage, process.QuotaPeakNonPagedPoolUsage, process.QuotaPeakPagedPoolUsage, process.ReadOperationCount, process.ReadTransferCount, process.SessionId, process.Status, process.TerminationDate, process.ThreadCount, process.UserModeTime, process.VirtualSize, process.WindowsVersion, process.WorkingSetSize, process.WriteOperationCount, process.WriteTransferCount)
Gui, Show,, Process List

Maxine Rogers

Re: Show all processes with a name and then show detail

04 Nov 2017, 08:05

Hi, thank you. Is there a way to see the copyright info? If you go to Task Manager, select svchost.exe, right-click, select Properties, then select the Details tab, you will see copyright info. There someone can see if it's Microsoft; all real svchosts should have that and fake ones cannot.

I tried playing with your code but I could not get it to pull that data.

Thank you
Posts: 1247
Joined: 30 Sep 2013, 10:54
Location: Brazil

Re: Show all processes with a name and then show detail

04 Nov 2017, 10:27

is there a way to see the copyright info?
I tried playing with your code but I could not get it to pull that data.
Sure. This is how you would add it to WAZAAAAA's code (it appears as a new column at the end of the ListView):

Code:

#SingleInstance Ignore

;request admin rights: relaunch elevated and exit; if the UAC prompt is declined, Run throws and we carry on unelevated
full_command_line := DllCall("GetCommandLine", "str")
if not (A_IsAdmin or RegExMatch(full_command_line, " /restart(?!\S)"))
{
	try
	{
		if A_IsCompiled
			Run *RunAs "%A_ScriptFullPath%" /restart
		else
			Run *RunAs "%A_AhkPath%" /restart "%A_ScriptFullPath%"
		ExitApp
	}
}
if not A_IsAdmin
	MsgBox, Administrator rights not found, the program might not work correctly.

Gui, New, -DPIScale
Gui, Add, ListView, x0 y0 w%A_ScreenWidth% h480, CreationClassName|Caption|CommandLine|CreationDate|CSCreationClassName|CSName|Description|ExecutablePath|ExecutionState|Handle|HandleCount|InstallDate|KernelModeTime|MaximumWorkingSetSize|MinimumWorkingSetSize|Name|OSCreationClassName|OSName|OtherOperationCount|OtherTransferCount|PageFaults|PageFileUsage|ParentProcessId|PeakPageFileUsage|PeakVirtualSize|PeakWorkingSetSize|Priority|PrivatePageCount|ProcessId|QuotaNonPagedPoolUsage|QuotaPagedPoolUsage|QuotaPeakNonPagedPoolUsage|QuotaPeakPagedPoolUsage|ReadOperationCount|ReadTransferCount|SessionId|Status|TerminationDate|ThreadCount|UserModeTime|VirtualSize|WindowsVersion|WorkingSetSize|WriteOperationCount|WriteTransferCount|Legal Info
for process in ComObjGet("winmgmts:").ExecQuery("Select * from Win32_Process where Name='svchost.exe'")
    LV_Add("", process.CreationClassName, process.Caption, process.CommandLine, process.CreationDate, process.CSCreationClassName, process.CSName, process.Description, process.ExecutablePath, process.ExecutionState, process.Handle, process.HandleCount, process.InstallDate, process.KernelModeTime, process.MaximumWorkingSetSize, process.MinimumWorkingSetSize, process.Name, process.OSCreationClassName, process.OSName, process.OtherOperationCount, process.OtherTransferCount, process.PageFaults, process.PageFileUsage, process.ParentProcessId, process.PeakPageFileUsage, process.PeakVirtualSize, process.PeakWorkingSetSize, process.Priority, process.PrivatePageCount, process.ProcessId, process.QuotaNonPagedPoolUsage, process.QuotaPagedPoolUsage, process.QuotaPeakNonPagedPoolUsage, process.QuotaPeakPagedPoolUsage, process.ReadOperationCount, process.ReadTransferCount, process.SessionId, process.Status, process.TerminationDate, process.ThreadCount, process.UserModeTime, process.VirtualSize, process.WindowsVersion, process.WorkingSetSize, process.WriteOperationCount, process.WriteTransferCount, FileGetInfo(process.ExecutablePath).LegalCopyright )
Gui, Show,, Process List


; ==================================================
; FileGetInfo() By Lexikos -

FileGetInfo( lptstrFilename) {
	List := "Comments InternalName ProductName CompanyName LegalCopyright ProductVersion"
		. " FileDescription LegalTrademarks PrivateBuild FileVersion OriginalFilename SpecialBuild"
	i := {}
	dwLen := DllCall("Version.dll\GetFileVersionInfoSize", "Str", lptstrFilename, "Ptr", 0)
	if !dwLen ; empty path (process not readable), unreadable file or no version resource: return an empty object
		return i
	dwLen := VarSetCapacity( lpData, dwLen + A_PtrSize)
	DllCall("Version.dll\GetFileVersionInfo", "Str", lptstrFilename, "UInt", 0, "UInt", dwLen, "Ptr", &lpData)
	; use the file's first language/codepage pair instead of assuming 040904B0
	if !DllCall("Version.dll\VerQueryValue", "Ptr", &lpData, "Str", "\VarFileInfo\Translation", "PtrP", lplpBuffer, "PtrP", puLen )
		return i
	sLangCP := Format("{:04X}{:04X}", NumGet(lplpBuffer+0, "UShort"), NumGet(lplpBuffer+2, "UShort"))
	Loop, Parse, % List, %A_Space%
		DllCall("Version.dll\VerQueryValue", "Ptr", &lpData, "Str", "\StringFileInfo\" sLangCp "\" A_LoopField, "PtrP", lplpBuffer, "PtrP", puLen )
		? i[A_LoopField] := StrGet(lplpBuffer, puLen) : ""
	return i
}

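The thread settles on LegalCopyright as the test for a genuine svchost.exe. That string, like CompanyName, is whatever the builder of the file wrote into the version resource, so a look-alike binary can carry the exact Microsoft text. The PowerShell below is an added example (not code from the thread or from any of the posters): it collects the same version-resource fields from every running svchost.exe and then applies the checks that WAZAAAAA's CommandLine and ParentProcessId columns hint at and that a forged resource cannot satisfy: the file must sit in System32 or SysWOW64, carry a valid Authenticode signature whose signer is Microsoft, have services.exe as its parent, and name a -k group registered under the Svchost registry key. The expected-path list, the `O=Microsoft Corporation` subject test and the registry-group heuristic are my assumptions about a stock Windows install, not something the thread states.

```powershell
# Added example for the svchost.exe audit discussed above; not code from the thread.
# LegalCopyright/CompanyName come from the version resource and are written by
# whoever built the file, so the checks below add what a forged resource cannot
# fake: Authenticode signature, on-disk location, parent process and -k group.
# Needs Windows PowerShell 3.0+ (Get-CimInstance) and an elevated session;
# unelevated, ExecutablePath and CommandLine are empty for other users' processes.

function Get-SvchostAudit {
    # Assumption: a stock install keeps svchost.exe only in these two places
    $expectedPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )
    # Service groups registered on this machine (value names under this key).
    # Heuristic: a -k group that is not registered here deserves a closer look.
    $groupKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $knownGroups = (Get-Item -LiteralPath $groupKey).GetValueNames()

    # One process snapshot, indexed by PID, so each parent is a table lookup
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($x in $all) { $byPid[[int]$x.ProcessId] = $x }

    foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $path   = $p.ExecutablePath
        $parent = $byPid[[int]$p.ParentProcessId]
        $group  = if ($p.CommandLine -match '(?i)\s-k\s+(\S+)') { $Matches[1] } else { $null }

        $ver = $null; $sig = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            $sig = Get-AuthenticodeSignature -FilePath $path
        }

        $reasons = @()
        if (-not $path) {
            $reasons += 'path not readable (run elevated)'
        } elseif ($expectedPaths -notcontains $path) {
            $reasons += "unexpected location $path"
        }
        if ($ver -and $ver.CompanyName -notlike 'Microsoft*') {
            $reasons += "CompanyName is '$($ver.CompanyName)'"
        }
        if ($sig -and $sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        }
        if ($sig -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += 'signer is not Microsoft'
        }
        if (-not $parent) {
            $reasons += 'parent already exited'
        } elseif ($parent.Name -ine 'services.exe') {
            $reasons += "parent is $($parent.Name)"
        } elseif ($parent.CreationDate -gt $p.CreationDate) {
            # ParentProcessId was recorded at start; a newer process now owns that PID
            $reasons += 'parent PID reused'
        }
        if (-not $group) {
            $reasons += 'no -k service group'
        } elseif ($knownGroups -notcontains $group) {
            $reasons += "unregistered group $group"
        }

        [pscustomobject]@{
            PID        = $p.ProcessId
            Path       = $path
            Group      = $group
            Parent     = if ($parent) { $parent.Name } else { '' }
            Copyright  = if ($ver) { $ver.LegalCopyright } else { '' }
            Signature  = if ($sig) { [string]$sig.Status } else { '' }
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-SvchostAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt and read the Reasons column; an empty column is a process that passed every check. Two caveats: on Windows 7 with PowerShell 2.0 there is no Get-CimInstance, and Get-AuthenticodeSignature there does not see catalog signatures, so a genuine system file reports NotSigned (compare against a known-good copy rather than trusting that status); and every check runs on the possibly compromised machine itself, so a clean result lowers suspicion but is not proof.
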
Maxine Rogers

Re: Show all processes with a name and then show detail

04 Nov 2017, 16:25

Exactly what I needed. Found 18 different svchosts and all are Microsoft. Will keep on checking on my machines. Thank you.
