3

I used the 'ntQuerySystemInformation' to get all the handle information like:

NtQuerySystemInformation(SystemHandleInformation, pHandleInfor, ulSize,NULL);//SystemHandleInformation = 16

struct of pHandleInfor is:

typedef struct _SYSTEM_HANDLE_INFORMATION 
{
  ULONG ProcessId;   
  UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;    
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

It works well in xp 32bit, but in Win7 64bit can only get the right pid that less than 65535. The type of processId in this struct is ULONG, I think it can get more than 65535. What's wrong with it? Is there any other API instead?

cyongji
  • 31
  • 2
  • 1
    Your struct appears to be declared incorrectly (http://forum.sysinternals.com/howto-enumerate-handles_topic18892.html) I suggest that you provide an SSCCE and detailed explanation of the way in which your program fails to meet your expectations. A link to your documentation source would be useful too. Remember also that this is a private internal function that is documented as being subject to change in future releases of the system. Perhaps that's what has happened. – David Heffernan May 30 '14 at 09:23
  • Take also a look to this article: http://www.codeproject.com/Articles/18975/Listing-Used-Files – Adriano Repetti May 30 '14 at 09:24
  • You ask, "is there any other API"? Well, what are you trying to do. You omitted any description of the problem that you are trying to solve. – David Heffernan May 30 '14 at 09:26
  • Hard to guess how you managed to create a process with such a large PID value. The PID is limited to 16 bits for appcompat reasons. Is this a real problem? – Hans Passant May 30 '14 at 10:12

2 Answers2

3

There are two enum values for NtQuerySystemInformation to get handle info:

    CNST_SYSTEM_HANDLE_INFORMATION = 16
    CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION = 64

And correspondingly two structs: SYSTEM_HANDLE_INFORMATION and SYSTEM_HANDLE_INFORMATION_EX.
The definitions for these structs are:

    struct SYSTEM_HANDLE_INFORMATION
    {
        short UniqueProcessId;
        short CreatorBackTraceIndex;
        char ObjectTypeIndex;
        char HandleAttributes; // 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT
        short HandleValue;
        size_t Object;
        int GrantedAccess;
    }

    struct SYSTEM_HANDLE_INFORMATION_EX
    {
        size_t Object;
        size_t UniqueProcessId;  
        size_t HandleValue;  
        int GrantedAccess;
        short CreatorBackTraceIndex;
        short ObjectTypeIndex;
        int HandleAttributes;
        int Reserved;
    }

As You can see, the first struct really can only contain 16-bit process id-s...

See for example ProcessExplorer project's source file ntexapi.h for more information.
Note also that the field widths for SYSTEM_HANDLE_INFORMATION_EX in my struct definitions might be different from theirs (that is, in my definition some field widths vary depending on the bitness), but I think I tested the code both under 32-bit and 64-bit and found it to be correct.
Please recheck if necessary and let us know if You have additional info.

Roland Pihlakas
  • 4,246
  • 2
  • 43
  • 64
0

From Raymond Chen's article Processes, commit, RAM, threads, and how high can you go?:

I later learned that the Windows NT folks do try to keep the numerical values of process ID from getting too big. Earlier this century, the kernel team experimented with letting the numbers get really huge, in order to reduce the rate at which process IDs get reused, but they had to go back to small numbers, not for any technical reasons, but because people complained that the large process IDs looked ugly in Task Manager. (One customer even asked if something was wrong with his computer.)

Michael Burr
  • 333,147
  • 50
  • 533
  • 760