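/*
 * Resolve the PID of a process that has a given file open, by asking the
 * file system for the list of process IDs using that file
 * (NtQueryInformationFile with FileProcessIdsUsingFileInformation).
 *
 * Only a handle to the file is opened (FILE_READ_ATTRIBUTES); the code opens
 * no process handle and takes no process snapshot.
 */
#include "Windows.h"
#include "stdio.h"
#include "strsafe.h"
#include "winternl.h"

/* NTSTATUS is a signed LONG, so keep the constant in that type for comparisons. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/*
 * Output layout for FileProcessIdsUsingFileInformation: a count followed by
 * that many process IDs. ProcessIdList is declared with one element but is
 * variable length; the caller sizes the buffer.
 */
typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION {
    ULONG NumberOfProcessIdsInList;
    ULONG_PTR ProcessIdList[1];
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;

/* NtQueryInformationFile is resolved from ntdll.dll at run time. */
typedef NTSTATUS(NTAPI* pNtQueryInformationFile)(HANDLE FileHandle,
                                                 PIO_STATUS_BLOCK IoStatusBlock,
                                                 PVOID FileInformation,
                                                 ULONG Length,
                                                 FILE_INFORMATION_CLASS FileInformationClass);

DWORD GetPidOpeningFilePath(PWCHAR filePath);

/*
 * Demo driver: prints the PID reported for a fixed list of system images.
 * A value of 0 means no PID could be determined for that path.
 */
int main(void)
{
    WCHAR imagePaths[][MAX_PATH] = {
        L"C:\\Windows\\explorer.exe",
        L"C:\\Windows\\System32\\csrss.exe",
        L"C:\\Windows\\System32\\services.exe",
        L"C:\\Windows\\System32\\winlogon.exe",
        L"C:\\Windows\\System32\\lsass.exe",
        L"C:\\Windows\\System32\\spoolsv.exe",
        L"C:\\Windows\\System32\\taskhostw.exe",
        L"C:\\Windows\\System32\\dllhost.exe",
        L"C:\\Windows\\System32\\RuntimeBroker.exe",
        L"C:\\Windows\\System32\\sihost.exe",
    };
    size_t pathCount = sizeof imagePaths / sizeof imagePaths[0];
    size_t i;

    for (i = 0; i < pathCount; i++) {
        /* DWORD is unsigned long, so print it with %lu rather than %d. */
        printf("Pid for process %ls = %lu \n", imagePaths[i],
               (unsigned long)GetPidOpeningFilePath(imagePaths[i]));
    }

    return 0;
}

/**
 * Return the first process ID the file system reports as using filePath.
 *
 * @param filePath  NUL-terminated wide path of an existing file.
 * @return The first PID in the returned list, or 0 when the path is NULL, the
 *         file cannot be opened, ntdll's export cannot be resolved, memory
 *         cannot be allocated, the query fails, or the list is empty.
 *
 * The list holds every process the file system associates with the file, so
 * the first entry is a heuristic and not an authoritative answer; callers that
 * need certainty should examine the whole list.
 * NOTE(review): this function itself holds a handle to the file while it
 * queries, so the calling process may appear in the list - confirm, and filter
 * against GetCurrentProcessId() if that matters to the caller.
 */
DWORD GetPidOpeningFilePath(PWCHAR filePath)
{
    enum { QUERY_BUF_STEP = 8192, QUERY_BUF_MAX = 1024 * 1024 };
    /* Value 47 in the WDK's FILE_INFORMATION_CLASS enum; winternl.h exposes only a subset. */
    const int FileProcessIdsUsingFileInformation = 47;

    DWORD retPid = 0;
    IO_STATUS_BLOCK iosb;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hHeap = GetProcessHeap();
    HMODULE hNtdll = NULL;
    PFILE_PROCESS_IDS_USING_FILE_INFORMATION pfpiufi = NULL;
    PVOID grown = NULL;
    ULONG pfpiufiLen = QUERY_BUF_STEP;
    NTSTATUS status = 0;
    pNtQueryInformationFile NtQueryInformationFile = NULL;

    if (filePath == NULL)
        return 0;

    /*
     * ntdll.dll is already mapped in every process, so take the existing
     * module handle instead of LoadLibrary: no reference count is leaked on
     * each call and no DLL search is performed.
     */
    hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
        return 0;

    NtQueryInformationFile =
        (pNtQueryInformationFile)GetProcAddress(hNtdll, "NtQueryInformationFile");
    if (NtQueryInformationFile == NULL)
        return 0;

    /* Explicit W variant: filePath is wide regardless of the UNICODE build setting. */
    hFile = CreateFileW(filePath, FILE_READ_ATTRIBUTES,
                        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                        NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return 0;

    pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)
        HeapAlloc(hHeap, HEAP_ZERO_MEMORY, pfpiufiLen);
    if (pfpiufi == NULL)
        goto cleanup;

    status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen,
                                    (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);

    /* Grow the buffer in fixed steps until the list fits, up to a hard cap. */
    while (status == STATUS_INFO_LENGTH_MISMATCH) {
        if (pfpiufiLen > QUERY_BUF_MAX - QUERY_BUF_STEP)
            goto cleanup;
        pfpiufiLen += QUERY_BUF_STEP;

        /* Keep the old pointer until the reallocation succeeds so it can still be freed. */
        grown = HeapReAlloc(hHeap, HEAP_ZERO_MEMORY, pfpiufi, pfpiufiLen);
        if (grown == NULL)
            goto cleanup;
        pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)grown;

        status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen,
                                        (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
    }

    /* Read the buffer only when the query succeeded (NTSTATUS >= 0). */
    if (status >= 0 && pfpiufi->NumberOfProcessIdsInList >= 1) {
        /* we return only the first pid, it's usually the right one */
        retPid = (DWORD)pfpiufi->ProcessIdList[0];
    }

cleanup:
    if (pfpiufi != NULL)
        HeapFree(hHeap, 0, pfpiufi);
    CloseHandle(hFile);

    return retPid;
}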