I have a service running on some computers, that are reporting to a server. The service takes an audit of all running processes, then checks if any are blacklisted or not. If a process is blacklisted, the service collects name, username, machine-name, start-time and running-time, then sends it to the server. This works fine.

What I would also like is to see if a process is opened by another application and not the user. E.g. Cinema4D (a 3D modeling application) starts its renderer, which is not the same as if the user opens the executable directly.

The usage is to monitor students during exams, so that we can see if they use "forbidden" software. It's for statistical usage, as the candidates use random usernames, but if we get a lot of false positives, we can't use it as documentation for cheating.

Any help is appreciated!

What I have tried:

I've googled it but I'm not getting any relevant answers
Updated 23-Nov-16 2:40am

1 solution

If you already have the process information you should be able to get the PID of the parent process (e.g. using WMI) and use that to get the usual process information.

I'm not absolutely sure but processes started by the user should have explorer.exe as parent (the Explorer instance for the Desktop).

[EDIT]
Thinking about it there might be also other parents:

  • Another Explorer instance when started from within there.
  • A cmd.exe instance when started from a shell prompt.

But it should be possible to handle these by following the parent process chain. For a process started by a user it should be finally the Explorer instance of the Desktop.

However, at least every "normal" process is started this way. So it might be necessary to use some kind of white and/or black lists.
[/EDIT]
 
Comments
Frank R. Haugen 23-Nov-16 8:44am    
That sounds logical, I'll test it
Kornfeld Eliyahu Peter 23-Nov-16 9:06am    
Take care of these:
1. A process list may contain processes that have already exited, and asking for the parent process of those will give an exception.
2. You can be fooled by chaining... For instance, if you have a toolbar application like RocketDock, the parent process of applications started from the toolbar will not be explorer.exe but the RocketDock executable... The parent of it will be explorer...
3. Also, for applications started at system start (start menu or registry) the parent will be explorer.exe (actually everything under the context of the logged-in user will be parented by explorer.exe).
Jochen Arndt 23-Nov-16 9:19am    
Points 2 and 3 have been handled meanwhile in my updated answer.

But point 1 may be even more serious because PIDs are re-used so that information for the wrong process might be retrieved (while catching exceptions should be no problem).
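
The parent-chain walk suggested in the answer, with the two caveats from the comments (exited parents and re-used PIDs), as an added example that is not part of the original thread. It runs over a constructed snapshot whose fields mirror the `ProcessId`, `ParentProcessId`, `Name` and `CreationDate` properties of WMI's `Win32_Process`; the executable names, the `PASS_THROUGH` launcher list and the three-way verdict are assumptions.

```python
from dataclasses import dataclass

SHELL_ROOTS = {"explorer.exe"}                    # assumption: the shell means "started by the user"
PASS_THROUGH = {"cmd.exe", "rocketdock.exe"}      # assumption: launchers the walk looks through

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    created: float  # creation time in seconds; stands in for CreationDate

def parent_chain(snapshot, pid):
    """Return the verified ancestors of pid, nearest first."""
    chain, seen = [], {pid}
    child = snapshot.get(pid)
    while child is not None:
        parent = snapshot.get(child.ppid)
        # Stop if the parent has exited, if the PID was re-used (a real
        # parent cannot be younger than its child), or if the walk loops.
        if parent is None or parent.created > child.created or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        child = parent
    return chain

def classify(snapshot, pid):
    """Return (verdict, ancestor name) based on the first non-launcher ancestor."""
    for ancestor in parent_chain(snapshot, pid):
        name = ancestor.name.lower()
        if name in SHELL_ROOTS:
            return "user", ancestor.name
        if name not in PASS_THROUGH:
            return "application", ancestor.name
    return "unknown", None  # chain broke before reaching anything conclusive

# Constructed sample snapshot; process names are hypothetical.
SNAPSHOT = {p.pid: p for p in [
    Proc(900, 640, "explorer.exe", 100.0),     # its own parent (PID 640) has exited
    Proc(1200, 900, "Cinema4D.exe", 200.0),
    Proc(1300, 1200, "renderer.exe", 250.0),   # started by Cinema4D
    Proc(1400, 900, "cmd.exe", 300.0),
    Proc(1500, 1400, "renderer.exe", 310.0),   # started by the user from a prompt
    Proc(1600, 2000, "renderer.exe", 320.0),   # real parent exited ...
    Proc(2000, 900, "notepad.exe", 400.0),     # ... and PID 2000 was re-used later
]}
```

Reporting "unknown" separately from "user" keeps a broken or re-used parent link from being counted as a direct launch.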

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


