Finding the Parent Process
-
I'm using NtQueryInformationProcess to find the parent process of a specified process. I'm passing a PROCESS_BASIC_INFORMATION structure and using the InheritedFromUniqueProcessId member to get the parent. I then call this function recursively with each parent process to find the parent of the parent, and so on. The problem is that sometimes it starts returning process IDs that it has already returned in earlier calls, leading to infinite recursion. For instance, in successive calls it will return process IDs 3, then 2, then 1. Then when called for process ID 1 it will return 3 again! How can this be? I can easily work around this by checking to see if the returned parent process ID was already returned earlier in the call stack, and if it was, breaking out of the loop. But my question is, why?
The difficult we do right away... ...the impossible takes slightly longer.
-
Dynamic versus static structures? Different types of parents / qualifying information?
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
-
Can you elaborate? I didn't know there were different types of parents. And I don't know what you mean by dynamic versus static structures.
The difficult we do right away... ...the impossible takes slightly longer.
-
Some sort of circular dependency? You see a similar behavior if you've ever used Dependency Walker.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
Yes I see what you're saying. The only kind of dependency that I am familiar with is the static kind used by DLLs. What kind of dependency are you discussing?
The difficult we do right away... ...the impossible takes slightly longer.
-
If I'm climbing a tree and the branch I'm climbing gets moved, what am I climbing? A child can have multiple parents. You need to know which parent you're dealing with. If they inherit the same base, they "look" the same but aren't.
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
-
I don't see how a process can have more than one parent process. This is something I hadn't considered. If Process A calls CreateProcess and launches Process B, then A is the parent. I don't see how any other process can be a parent of B.
The difficult we do right away... ...the impossible takes slightly longer.
-
Seems like an interesting question. Googling I found nothing that answers that. From the other post I did find a comment in 'Dependency Walker' but that only stated that it occurred but not why. Maybe you could determine the cause by looking at the detailed process information and comparing them?
-
Thanks for your responses. I wish I had a line to Mark Russinovich. I'm sure he would know.
The difficult we do right away... ...the impossible takes slightly longer.
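-
Added example, not code from any poster in this thread: Windows records InheritedFromUniqueProcessId once, when the process is created, and recycles process IDs after a process exits, so the stored value can name a newer, unrelated process and a naive walk can loop. The walk below applies the visited check described in the question and also rejects any "parent" created after its child, over a constructed snapshot table (proc_row, SAMPLE and walk_ancestors are hypothetical names; on a live system the creation time would come from GetProcessTimes).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Snapshot row: ppid is the stored InheritedFromUniqueProcessId value,
   created is the creation time (any unit that orders processes). */
typedef struct { uint32_t pid, ppid; uint64_t created; } proc_row;

/* Constructed sample data, not taken from a real system. */
const proc_row SAMPLE[] = {
    {1, 3, 100},   /* its creator, an older PID 3, has exited */
    {2, 1, 200},
    {3, 2, 300},   /* PID 3 reused by a newer process */
    {4, 3, 400},
    {7, 2, 600},   /* PID 7 reused after the creator of 10 exited */
    {10, 7, 500},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

static const proc_row *find_row(const proc_row *t, size_t n, uint32_t pid) {
    for (size_t i = 0; i < n; i++)
        if (t[i].pid == pid) return &t[i];
    return NULL;
}

/* Stores the verified ancestors of pid in out, nearest first; returns count. */
size_t walk_ancestors(const proc_row *t, size_t n, uint32_t pid,
                      uint32_t *out, size_t max) {
    size_t count = 0;
    const proc_row *cur = find_row(t, n, pid);
    while (cur && count < max) {
        const proc_row *par = find_row(t, n, cur->ppid);
        if (!par) break;                         /* creator is gone */
        if (par->created > cur->created) break;  /* PID reused, not the creator */
        if (par->pid == pid) break;              /* looped back to the start */
        size_t i = 0;
        while (i < count && out[i] != par->pid) i++;
        if (i < count) break;                    /* already visited */
        out[count++] = par->pid;
        cur = par;
    }
    return count;
}

int main(void) {
    uint32_t chain[16];
    size_t n = walk_ancestors(SAMPLE, SAMPLE_LEN, 4, chain, 16);
    for (size_t i = 0; i < n; i++) printf("%u\n", (unsigned)chain[i]);
}
```

Starting from PID 10, the visited check alone would accept PID 7 as the parent; only the creation-time comparison shows that PID 7 is a later process reusing the ID.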