我一直在寻找在 .NET 中获取父进程的方法,但只找到了 P/Invoke 方式。
abatishchev
问问题
82623 次
7 回答
159
这是一个解决方案。它使用 p/invoke,但似乎运行良好,32 或 64 cpu:
/// <summary>
/// A utility class to determine a process parent.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct ParentProcessUtilities
{
// These members must match PROCESS_BASIC_INFORMATION
internal IntPtr Reserved1;
internal IntPtr PebBaseAddress;
internal IntPtr Reserved2_0;
internal IntPtr Reserved2_1;
internal IntPtr UniqueProcessId;
internal IntPtr InheritedFromUniqueProcessId;
[DllImport("ntdll.dll")]
private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
/// <summary>
/// Gets the parent process of the current process.
/// </summary>
/// <returns>An instance of the Process class.</returns>
public static Process GetParentProcess()
{
return GetParentProcess(Process.GetCurrentProcess().Handle);
}
/// <summary>
/// Gets the parent process of specified process.
/// </summary>
/// <param name="id">The process id.</param>
/// <returns>An instance of the Process class.</returns>
public static Process GetParentProcess(int id)
{
Process process = Process.GetProcessById(id);
return GetParentProcess(process.Handle);
}
/// <summary>
/// Gets the parent process of a specified process.
/// </summary>
/// <param name="handle">The process handle.</param>
/// <returns>An instance of the Process class.</returns>
public static Process GetParentProcess(IntPtr handle)
{
ParentProcessUtilities pbi = new ParentProcessUtilities();
int returnLength;
int status = NtQueryInformationProcess(handle, 0, ref pbi, Marshal.SizeOf(pbi), out returnLength);
if (status != 0)
throw new Win32Exception(status);
try
{
return Process.GetProcessById(pbi.InheritedFromUniqueProcessId.ToInt32());
}
catch (ArgumentException)
{
// not found
return null;
}
}
}
于 2010-07-27T17:09:02.407 回答
64
这段代码为查找父进程对象提供了一个很好的接口,并考虑了多个进程同名的可能性:
用法:
Console.WriteLine("ParentPid: " + Process.GetProcessById(6972).Parent().Id);
代码:
public static class ProcessExtensions {
private static string FindIndexedProcessName(int pid) {
var processName = Process.GetProcessById(pid).ProcessName;
var processesByName = Process.GetProcessesByName(processName);
string processIndexdName = null;
for (var index = 0; index < processesByName.Length; index++) {
processIndexdName = index == 0 ? processName : processName + "#" + index;
var processId = new PerformanceCounter("Process", "ID Process", processIndexdName);
if ((int) processId.NextValue() == pid) {
return processIndexdName;
}
}
return processIndexdName;
}
private static Process FindPidFromIndexedProcessName(string indexedProcessName) {
var parentId = new PerformanceCounter("Process", "Creating Process ID", indexedProcessName);
return Process.GetProcessById((int) parentId.NextValue());
}
public static Process Parent(this Process process) {
return FindPidFromIndexedProcessName(FindIndexedProcessName(process.Id));
}
}
于 2010-02-25T17:53:29.540 回答
11
这边走:
public static Process GetParent(this Process process)
{
try
{
using (var query = new ManagementObjectSearcher(
"SELECT * " +
"FROM Win32_Process " +
"WHERE ProcessId=" + process.Id))
{
return query
.Get()
.OfType<ManagementObject>()
.Select(p => Process.GetProcessById((int)(uint)p["ParentProcessId"]))
.FirstOrDefault();
}
}
catch
{
return null;
}
}
于 2017-09-21T14:12:11.283 回答
5
这是我对托管解决方案的尝试。
它轮询所有进程的性能计数器,并将子 PID 的字典返回给父 PID。然后你可以用你当前的 PID 查字典,看看你的父母、祖父母等。
当然,它获得多少信息是矫枉过正的。随意优化。
using System;
using System.Collections.Generic;
using System.Diagnostics;
namespace PidExamples
{
class ParentPid
{
static void Main(string[] args)
{
var childPidToParentPid = GetAllProcessParentPids();
int currentProcessId = Process.GetCurrentProcess().Id;
Console.WriteLine("Current Process ID: " + currentProcessId);
Console.WriteLine("Parent Process ID: " + childPidToParentPid[currentProcessId]);
}
public static Dictionary<int, int> GetAllProcessParentPids()
{
var childPidToParentPid = new Dictionary<int, int>();
var processCounters = new SortedDictionary<string, PerformanceCounter[]>();
var category = new PerformanceCounterCategory("Process");
// As the base system always has more than one process running,
// don't special case a single instance return.
var instanceNames = category.GetInstanceNames();
foreach(string t in instanceNames)
{
try
{
processCounters[t] = category.GetCounters(t);
}
catch (InvalidOperationException)
{
// Transient processes may no longer exist between
// GetInstanceNames and when the counters are queried.
}
}
foreach (var kvp in processCounters)
{
int childPid = -1;
int parentPid = -1;
foreach (var counter in kvp.Value)
{
if ("ID Process".CompareTo(counter.CounterName) == 0)
{
childPid = (int)(counter.NextValue());
}
else if ("Creating Process ID".CompareTo(counter.CounterName) == 0)
{
parentPid = (int)(counter.NextValue());
}
}
if (childPid != -1 && parentPid != -1)
{
childPidToParentPid[childPid] = parentPid;
}
}
return childPidToParentPid;
}
}
}
在其他新闻中,我了解到我的机器上有多少性能计数器:13401。圣牛。
于 2011-08-18T22:57:37.027 回答
3
如果接受 P/Invoke,有一个更好的方法,它比 NtQueryInformationProcess 记录更多:即 PROCESSENTRY32 (CreateToolhelp32Snapshot, Process32First, Process32Next)。它显示在这篇文章中。
注意细微的细节 ,注意父 PID 不一定是创建者 PID,实际上这些可能完全不相关,正如 PROCESSENTRY32的社区评论所指出的那样。
于 2014-10-01T09:46:38.100 回答
2
如果你曾经挖掘过 BCL,你会发现寻找父进程的方法被刻意避免了,例如:
正如您在源代码中看到的,它包含全面的结构和导入的本地方法,这绝对足以完成工作。但是,即使您通过反射访问它们(这是可能的),您也找不到直接执行此操作的方法。我无法回答为什么,但是这种现象会导致像您这样的问题被反复询问;例如:
因为在这个线程中没有答案以及使用CreateToolhelp32Snapshot的一些代码,我会添加它——我从 MS 的参考源中窃取的结构定义和名称的一部分:)
代码
using System.Diagnostics; using System.Runtime.InteropServices; using System.Collections.Generic; using System.Linq; using System;
public static class Toolhelp32 { public const uint Inherit = 0x80000000; public const uint SnapModule32 = 0x00000010; public const uint SnapAll = SnapHeapList|SnapModule|SnapProcess|SnapThread; public const uint SnapHeapList = 0x00000001; public const uint SnapProcess = 0x00000002; public const uint SnapThread = 0x00000004; public const uint SnapModule = 0x00000008; [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle); [DllImport("kernel32.dll")] static extern IntPtr CreateToolhelp32Snapshot(uint flags, int processId); public static IEnumerable<T> TakeSnapshot<T>(uint flags, int id) where T : IEntry, new() { using(var snap = new Snapshot(flags, id)) for(IEntry entry = new T { }; entry.TryMoveNext(snap, out entry);) yield return (T)entry; } public interface IEntry { bool TryMoveNext(Toolhelp32.Snapshot snap, out IEntry entry); } public struct Snapshot:IDisposable { void IDisposable.Dispose() { Toolhelp32.CloseHandle(m_handle); } public Snapshot(uint flags, int processId) { m_handle=Toolhelp32.CreateToolhelp32Snapshot(flags, processId); } IntPtr m_handle; } }
[StructLayout(LayoutKind.Sequential)] public struct WinProcessEntry:Toolhelp32.IEntry { [DllImport("kernel32.dll")] public static extern bool Process32Next(Toolhelp32.Snapshot snap, ref WinProcessEntry entry); public bool TryMoveNext(Toolhelp32.Snapshot snap, out Toolhelp32.IEntry entry) { var x = new WinProcessEntry { dwSize=Marshal.SizeOf(typeof(WinProcessEntry)) }; var b = Process32Next(snap, ref x); entry=x; return b; } public int dwSize; public int cntUsage; public int th32ProcessID; public IntPtr th32DefaultHeapID; public int th32ModuleID; public int cntThreads; public int th32ParentProcessID; public int pcPriClassBase; public int dwFlags; [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public String fileName; //byte fileName[260]; //public const int sizeofFileName = 260; }
public static class Extensions { public static Process Parent(this Process p) { var entries = Toolhelp32.TakeSnapshot<WinProcessEntry>(Toolhelp32.SnapAll, 0); var parentid = entries.First(x => x.th32ProcessID==p.Id).th32ParentProcessID; return Process.GetProcessById(parentid); } }
我们可以像这样使用它:
测试
public class TestClass { public static void TestMethod() { var p = Process.GetCurrentProcess().Parent(); Console.WriteLine("{0}", p.Id); } }
对于替代结局..
根据文档,每种类型的条目都有一对迭代方法,例如Process32First和Process32Next用于流程的迭代;但是我发现 `xxxxFirst' 方法是不必要的,然后我想为什么不把迭代方法和它对应的条目类型放在一起呢?它会更容易实现和理解(我想是这样..)。
就像Toolhelp32后缀help一样,我认为静态帮助器类是合适的,这样我们就可以有明确的限定名称,例如Toolhelp32.Snapshot或者Toolhelp32.IEntry尽管它在这里无关紧要..
获得父进程后,如果您还想获得一些详细信息,可以轻松扩展,例如,迭代其模块,然后添加:
代码 - WinModuleEntry
[StructLayout(LayoutKind.Sequential)] public struct WinModuleEntry:Toolhelp32.IEntry { // MODULEENTRY32 [DllImport("kernel32.dll")] public static extern bool Module32Next(Toolhelp32.Snapshot snap, ref WinModuleEntry entry); public bool TryMoveNext(Toolhelp32.Snapshot snap, out Toolhelp32.IEntry entry) { var x = new WinModuleEntry { dwSize=Marshal.SizeOf(typeof(WinModuleEntry)) }; var b = Module32Next(snap, ref x); entry=x; return b; } public int dwSize; public int th32ModuleID; public int th32ProcessID; public int GlblcntUsage; public int ProccntUsage; public IntPtr modBaseAddr; public int modBaseSize; public IntPtr hModule; //byte moduleName[256]; [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string moduleName; [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string fileName; //byte fileName[260]; //public const int sizeofModuleName = 256; //public const int sizeofFileName = 260; }
和一些测试..
public class TestClass { public static void TestMethod() { var p = Process.GetCurrentProcess().Parent(); Console.WriteLine("{0}", p.Id); var formatter = new CustomFormatter { }; foreach(var x in Toolhelp32.TakeSnapshot<WinModuleEntry>(Toolhelp32.SnapModule, p.Id)) { Console.WriteLine(String.Format(formatter, "{0}", x)); } } } public class CustomFormatter:IFormatProvider, ICustomFormatter { String ICustomFormatter.Format(String format, object arg, IFormatProvider formatProvider) { var type = arg.GetType(); var fields = type.GetFields(); var q = fields.Select(x => String.Format("{0}:{1}", x.Name, x.GetValue(arg))); return String.Format("{{{0}}}", String.Join(", ", q.ToArray())); } object IFormatProvider.GetFormat(Type formatType) { return typeof(ICustomFormatter)!=formatType ? null : this; } }
如果你想要一个代码示例..
于 2018-01-14T12:12:58.720 回答
1
不幸的是,从 .NET 6 开始,仍然没有托管的跨平台解决方案来获取父进程。
.NET 存储库(自 2017 年 12 月 12 日起)正在讨论此问题:通过 System.Diagnostics.Process (#24423) 公开父/子进程信息。
于 2022-01-13T16:43:50.290 回答