Is there a way in Windows OS to detect whether your program has been started from .bat or .lnk file and obtain the full path to it?

I know I can get the parent process, but how to detect... for the lack of a better term let's name it 'way'... the way a program has been started?

UPDATE

Some malware modifies .lnk file (adding an ad to its params) pointing to my app. Also it starts my app from .bat. I want to check hash of the .lnk file and just quit if it's been started from .bat.

Regards,

noober
  • Your question is unclear. Are you wanting to do this from your code, or just in general from the OS? If it's the former, then [edit] to include that and add a tag for the programming language you're using, so you can get answers. If it's the latter, try [su], because it's a general OS use question rather than a programming question. – Ken White May 15 '15 at 15:59
  • @Ken PROGRAMMING LANGUAGE???? Are you serious? It could be C++ or C# or Delphi, whatever... If the problem can be solved at all (I'm strongly doubting it) it's obvious you should do it via WinAPI, I guess, Shell API. And this is not superuser.com, it's a site for software developers, of course, I want to do it programmatically. And yes, I think it's a bad idea to mark all questions with 'programmatically' tag. – noober May 15 '15 at 17:18
  • Please don't SHOUT at people here. I asked because it matters, both for submission of code and for clarifying that the question is programming related (and therefore on-topic here). It also matters because I have code that will do exactly that for being started from a link file, and I wanted to make sure it would do some good for me to post it for you. After the attitude, though, I'm not sure I'm wanting to help you; I really don't like being attacked for asking for a simple clarification. Good luck, though. I'll make sure I note you don't want my help in the future as well. – Ken White May 15 '15 at 17:23
  • And FYI, we get thousands of non-programming questions every day on Stack Overflow, which is why we have a close reason for off-topic, so it is absolutely relevant to ensure that you're asking a programming question. A bit of advice: stop being so rude to people you're asking to donate their time for **free** to solve **your problem**. This is a technical site, so nothing here is **obvious**, and we expect **specific** questions. – Ken White May 15 '15 at 17:25
  • @Ken It's up to you. I still think that a programming language should be specified only when it matters. For API-related questions it's redundant information and IT makes question unclear. – noober May 15 '15 at 17:33
  • I'm marking the whole discussion as non-constructive, as it's not related to the question. – noober May 15 '15 at 17:35
  • @Ken I didn't mention using an API because just a technique ('Check your parent process properties...' or something like this) is a good answer as well. In fact, I'd prefer this kind of answer instead of a code fragment. Also, maybe it was an overreaction on my side, because just a year ago no one asked me to specify non-existent details and I was kind of surprised. Anyway, it's not very constructive to write 'I have a solution but will keep it because I don't like your comments'. It's up to you, to share it or not, but not posting such comments. – noober May 15 '15 at 19:47
  • *Maybe it was an overreaction*??. It's not very constructive to verbally assault someone for asking you to clarify your vague question in order to find out what you're actually asking, which you still haven't done. I'm well within my rights not to spend my time trying to help someone who screamed at me and was very rude in response to a polite request. It is, after all, my time. I'll consider posting an answer when you a) clarify your question as I asked, and b) delete your extremely rude response to my comment. If it's insulting to be asked for details, be specific in the first place. – Ken White May 15 '15 at 21:41
  • Relax, dude. Love and peace. – noober May 15 '15 at 22:00
  • I'm totally relaxed. I'm not the one who flew off the handle for absolutely no reason and screamed at you, remember? Let me know if and when you've done what I've asked (more than once), and I'll consider removing my close vote (and possibly even post an answer, if doing so would be appropriate once the question becomes clear). Until then, please don't waste any more of my time. There are other people that actually want help, and are willing to be polite and cooperative to get it. – Ken White May 15 '15 at 22:04

1 Answer

How does the program get started? Is it a SERVICE or does it run on startup? If you killed the program, can you re-start it predictably?

I would use Process Monitor to triangulate on what launched the app.

Process Monitor logs EVERYTHING the machine is doing. You can filter out all the noise to just .lnk, .bat, and/or your specific program.

  1. Kill the program
  2. Start Process Monitor (with filters applied)
  3. Start the program
  4. Stop Process Monitor
  5. Search Process Monitor log by your program name
  6. Scroll back to see what processes lead up to the program running

Hope it helps.

-Allen

Allen May
  • It couldn't be a service. Services are being started in a different way. Maybe I'm wrong, but I don't know any methods to start a service from a user session using .lnk. – noober May 15 '15 at 17:22
  • I had started Process Monitor and set the filter to include an exe name in 'Process Name' column. Then I started the exe directly (using Windows Explorer), and via .lnk file. As far as I see, there is no difference in the log. For instance, I checked details for the 'Process Start' operation, value by value, they are all the same. Maybe, I haven't got the idea. – noober May 15 '15 at 19:54
  • You might be over-filtering. You could try NOT filtering and look for the "needle in the haystack". Process Monitor will show you every little thing your PC is doing, hundreds of transactions per second could be logged. With Process Monitor you can right-mouse-click on the process and tell it to ignore that process. So for example, if you have an antivirus software, you can filter that out of the log. – Allen May May 15 '15 at 20:49
  • OK, now will look for a way how to compare PM logs automatically. BTW, I guess it's not a needle in the haystack, it's more like searching a black cat in a dark room, with no cat at all ) Thanks anyway. – noober May 15 '15 at 21:55
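
A programmatic take on the question above, as an added example that is not part of the original thread: when the shell starts a process through a shortcut it sets the documented `STARTF_TITLEISLINKNAME` flag in `STARTUPINFO` and puts the .lnk path in `lpTitle`, so the program can read that path and compare the file's SHA-256 against a pinned value. It is shown in Python via `ctypes`; the function names and `PINNED_SHA256` (a placeholder) are assumptions, and a launch with no shortcut flag is what a .bat run through cmd.exe normally looks like.

```python
import ctypes
import hashlib
import sys

STARTF_TITLEISLINKNAME = 0x00000800  # STARTUPINFO.dwFlags: lpTitle is the .lnk path
PINNED_SHA256 = "0" * 64  # placeholder: SHA-256 of your known-good shortcut

class STARTUPINFOW(ctypes.Structure):
    _fields_ = [
        ("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_wchar_p),
        ("lpDesktop", ctypes.c_wchar_p), ("lpTitle", ctypes.c_wchar_p),
        ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
        ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
        ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
        ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
        ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
        ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
        ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p),
    ]

def link_from_startup(flags, title):
    """Return the shortcut path if the launcher flagged lpTitle as a .lnk name."""
    return title if (flags & STARTF_TITLEISLINKNAME) and title else None

def startup_link_path():
    """Read this process's STARTUPINFO on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)
    ctypes.windll.kernel32.GetStartupInfoW(ctypes.byref(si))
    return link_from_startup(si.dwFlags, si.lpTitle)

def classify_launch(link_path, pinned_sha256):
    """Compare the invoking shortcut file against the pinned hash."""
    if link_path is None:
        # No shortcut recorded: direct launch, cmd.exe running a .bat, etc.
        return "not-from-shortcut"
    try:
        with open(link_path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return "shortcut-unreadable"
    return "shortcut-ok" if digest == pinned_sha256.lower() else "shortcut-modified"

if __name__ == "__main__":
    print(classify_launch(startup_link_path(), PINNED_SHA256))
```

`STARTUPINFO` is filled in by whichever process called `CreateProcess`, so treat the result as a hint about the launcher rather than a guarantee; a launcher that wants to can set the same flag and title.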