0 Votes
HariPranesh-7059 asked XiaopoYang-MSFT commented

User Invoked Process and System Invoked Process

While our machine is running, we can see in Task Manager that some processes get started by the system.

For example, sometimes Microsoft Edge gets started automatically in the background, and we can see it in Task Manager.

So is there any Windows API to find whether a process was started by the user or by the system?
I mean a Windows API to differentiate foreground windows and background windows.

windows-api

Please do not ask the same question more than once on Microsoft Q&A. I've redirected the other two similar questions to this one. @XiaopoYang-MSFT has already answered your newest question about how to get the owner of a process on this question. Also, please take a look at How to write a quality question to make sure that you are asking a good question.

1 Vote 1 ·
1 Vote
XiaopoYang-MSFT answered XiaopoYang-MSFT commented

According to the document sample Finding the Owner of a File Object in C++, you can use the GetSecurityInfo and LookupAccountSid functions to retrieve the process owner.
Or you can determine the SID type like the answer.


Thanks @XiaopoYang-MSFT this one worked well for me.

0 Votes 0 ·

Hi, I tried the code you referred to, "Finding the Owner of a File Object in C++", but I'm getting ERROR 122 for the first LookupAccountSidA in the code. I'm trying to find the solution for this. Do you have any idea how to solve this?

0 Votes 0 ·

ERROR 122 is "The data area passed to a system call is too small."
According to LookupAccountSid,

If the function fails because the buffer is too small or if cchReferencedDomainName is zero, cchReferencedDomainName receives the required buffer size, including the terminating null character.

0 Votes 0 ·

Oh, do you mean that it will fail for the first call but it receives the required buffer sizes during that call?

0 Votes 0 ·
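The two-call pattern discussed in the comments above, as an added example that is not part of the original thread or of the Microsoft sample. `process_owner` is a hypothetical helper name, and passing `SE_KERNEL_OBJECT` for a process handle (where the sample uses `SE_FILE_OBJECT` for a file) is an assumption of this example.

```c
#ifdef _WIN32   /* Win32-only APIs; link with advapi32 */
#include <windows.h>
#include <aclapi.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: resolve the owner SID of process `pid` to DOMAIN\name.
   Returns ERROR_SUCCESS or a Win32 error code; *use receives the SID type. */
DWORD process_owner(DWORD pid, char *out, size_t outlen, SID_NAME_USE *use)
{
    HANDLE h = OpenProcess(READ_CONTROL, FALSE, pid);
    if (!h) return GetLastError();

    PSID owner = NULL;
    PSECURITY_DESCRIPTOR sd = NULL;
    DWORD rc = GetSecurityInfo(h, SE_KERNEL_OBJECT, OWNER_SECURITY_INFORMATION,
                               &owner, NULL, NULL, NULL, &sd);
    CloseHandle(h);
    if (rc != ERROR_SUCCESS) return rc;

    /* Call 1: zero-length buffers. It fails with ERROR_INSUFFICIENT_BUFFER (122)
       and stores the required sizes, terminating null included. */
    DWORD cchName = 0, cchDomain = 0;
    LookupAccountSidA(NULL, owner, NULL, &cchName, NULL, &cchDomain, use);
    rc = GetLastError();
    if (rc != ERROR_INSUFFICIENT_BUFFER) { LocalFree(sd); return rc; }

    /* Call 2: buffers of exactly the reported sizes. */
    char *name = malloc(cchName), *domain = malloc(cchDomain);
    rc = ERROR_NOT_ENOUGH_MEMORY;
    if (name && domain)
        rc = LookupAccountSidA(NULL, owner, name, &cchName, domain, &cchDomain, use)
                 ? ERROR_SUCCESS : GetLastError();
    if (rc == ERROR_SUCCESS)
        snprintf(out, outlen, "%s\\%s", domain, name);
    free(name); free(domain);
    LocalFree(sd);           /* owner points into sd, so only sd is freed */
    return rc;
}

int main(void)
{
    char who[512]; SID_NAME_USE use;
    DWORD rc = process_owner(GetCurrentProcessId(), who, sizeof who, &use);
    if (rc == ERROR_SUCCESS) printf("owner: %s (SID type %d)\n", who, (int)use);
    else printf("failed, Win32 error %lu\n", rc);
    return rc != ERROR_SUCCESS;
}
#endif
```

For processes the caller is not allowed to open, `OpenProcess` fails and the helper returns that error code (for example access denied) unchanged.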
1 Vote
Castorix31 answered Castorix31 commented

I mean windows API to differentiate Foreground windows and background windows

A background process in Task Manager is just a process without a visible window
(see How does Task Manager categorize processes as App, Background Process, or Windows Process?)



Thank you for the answer. It helps me a lot, but I have another question: can we find from the PID whether the process has a visible window?

My task is that I'm developing a small application, and I need to find the processes triggered by the user and the processes triggered by the system. I only need the names of the processes invoked by the user (i.e., the names of the processes when the user clicks and opens the Windows app manually).

0 Votes 0 ·
Castorix31 HariPranesh-7059 ·

can we find from the PID whether the process has a visible window?

With EnumWindows and GetWindowThreadProcessId in the EnumProc



1 Vote 1 ·