
A Start menu item can be executed with a single click; an Explorer item can be executed with a double-click or with right-click and (O)pen.

Like this, the Windows UI has many execution methods. I want to know about execution through the UI (like an item double-click).

How to know that?

I tried to use UI Automation, but the focus change comes too late and sometimes the item is executed without a focus change, so I want a method that is certain.

My assumption: the UI sends an execution message to the kernel. Can I get it?

And does any other method exist?

  • Are you saying you want to know whether your exe was started by double click, single click, command line... ? – John3136 Jun 28 '16 at 05:09
  • @John3136 Hm... not command line. That is not UI. I want to know that an exe was started from the UI! Command line is a "don't care" condition! – Ho Now Nahc Jun 28 '16 at 05:48
  • Actually, command line *is* UI, it's just not *G*UI. – Matteo Italia Jun 28 '16 at 05:53
  • @MatteoItalia Oh.. Thanks. I didn't know that until now. Anyway, it need not necessarily be included in my question. :) – Ho Now Nahc Jun 28 '16 at 05:58
  • It's just different in different contexts. A user can make a fair guess but I doubt there is any way to look at local context and say definitely how that thing will react to mouse clicks. Note that with the auto-scrolling of Windows Explorer, since Windows 7, double-click doesn't always open an item even where that's the intention, because the moronicity scrolls away between the first and second clicks. – Cheers and hth. - Alf Jun 28 '16 at 08:50
  • @Cheersandhth.-Alf So I want a new, certain detection method. Double-click != started exe. Then what are the grounds that an exe is started? – Ho Now Nahc Jun 29 '16 at 00:57
  • I don't understand the question, sorry. I think that means there is some assumption that we don't share. It might be easier to get useful help if you describe what you want this information *for*, what your goal is. – Cheers and hth. - Alf Jun 29 '16 at 02:06
  • @Cheersandhth.-Alf I want to know the executed file path through the GUI at process creation time. But I don't want to use the kernel's process create, because that uses another routine and it contains services and processes created by another process (not explorer). So I tried to use UI Automation, but it has the problems in the question. My assumption is that a Windows GUI program transfers execution info to the kernel, and then the process is created. But I don't know how to get it. Is it easier than the question?? My English skill is so low, I'm sorry.. – Ho Now Nahc Jun 29 '16 at 02:29
  • A new process can find the full path to its executable file via [`GetModuleFileName`](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683197(v=vs.85).aspx) (call it with `0` as first argument). It can find the current directory via `GetCurrentDirectory`. – Cheers and hth. - Alf Jun 29 '16 at 03:24
  • @Cheersandhth.-Alf GetModuleFileName() with the first param set to 0 gets the path of the process itself, not of another process. GetCurrentDirectory() also. Moreover, those APIs are run after the process has already started... That's not.. – Ho Now Nahc Jun 29 '16 at 04:34
  • Well, if I understand you correctly now, you want the full path to the executable of some other process. One way to find it is to use WMI (Windows Management Instrumentation), but WMI starts an extra service process, and I think that's probably what you're referring to above. There are two API functions that deal with this: GetProcessImageFileName and QueryFullProcessImageName. I do not know what the main difference (if any) is. Alternatively you can check the information in a snapshot created with CreateToolhelp32Snapshot. – Cheers and hth. - Alf Jun 29 '16 at 06:01
  • @Cheersandhth.-Alf Hm.. somewhat different. My question is about "before process creation time, like hooking". So I refer to the methods of executing a file through the GUI (mouse click, keyboard Enter or hotkey, etc.). I want to get the info (path) between the mouse click and process creation. Sorry for not being well understood. – Ho Now Nahc Jun 29 '16 at 07:04
  • Oh. The only way I can think of is to hook CreateProcess globally, because process creation events are as far as I know only available after the processes launch. I'm not sure if global API hooking is a viable option with Windows Vista and later, but you can check or try. Microsoft Detours was of old a nice framework for hooking API functions, but a bit low level and advanced. You'd need to combine it with DLL injection, which also is an advanced topic. And you'd probably need to convince any anti-virus program that this wasn't malware. – Cheers and hth. - Alf Jun 29 '16 at 08:49
  • @Cheersandhth.-Alf OK.. Hooking CreateProcess has no method to distinguish whether a program was started from the GUI or not.. – Ho Now Nahc Jun 29 '16 at 09:02

0 Answers
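
Added example, not part of the thread or any participant's code: a PowerShell listing that uses the WMI/CIM process information mentioned in the comments and keeps only processes whose parent is a running explorer.exe, which drops services and children of other programs. Treating "parent is explorer.exe" as a stand-in for "started through the GUI" is an assumption of this example, and it sees processes only after they have been created.

```powershell
# Added example (not from the thread). Assumption: "started through the GUI"
# is approximated by "parent process is explorer.exe".

# One snapshot of all processes, including ProcessId, ParentProcessId,
# ExecutablePath and CreationDate.
$all = Get-CimInstance -ClassName Win32_Process

# Index the running explorer.exe instances by PID.
$shells = @{}
foreach ($p in $all) {
    if ($p.Name -ieq 'explorer.exe') {
        $shells[[uint32]$p.ProcessId] = $p
    }
}

$all | ForEach-Object {
    $parent = $shells[[uint32]$_.ParentProcessId]
    if ($null -eq $parent) { return }                 # parent is not explorer.exe

    # ParentProcessId is only a number and PIDs get reused: accept the match
    # only if that explorer.exe instance was started before the child.
    if ($null -eq $_.CreationDate -or $null -eq $parent.CreationDate) { return }
    if ($parent.CreationDate -gt $_.CreationDate) { return }

    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Name      = $_.Name
        Path      = $_.ExecutablePath   # may be empty for protected processes
        Started   = $_.CreationDate
    }
} | Sort-Object Started | Format-Table -AutoSize
```

The creation-time comparison matters because a process whose real parent has exited can appear to belong to a later explorer.exe instance that received the same PID.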