2,782 questions
Problem in identifying System Invoked Process
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 61%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
checkingrandom
226
Reputation points
Hi There,
I just want to identify the process created is a system invoked process or user invoked process.
for identifying the difference i just made a check that is the parent ID is an Explorer.exe then it is User invoked process.
this condition works well for normal application.
Now, there comes the Windows Store apps, for Windows store apps for both system invoked and user invoked the parent will be SVCHOST.exe
so i cant able to differentiate the system and user invoked for windows store apps.
can anyone help me in this case to differentiate user and system invoked for windows store apps.
Note: I have also tired using checking for visible windows and it not worked
Windows development Windows API - Win32
Developer technologies C++
3,972 questions
{count} votes
-
YujianYao-MSFT 4,296 Reputation points Microsoft External Staff2022-09-27T08:32:39.017+00:00 Hi @checkingrandom ,
To help everyone understand your question, could you please tell me the following information:
- Which app's parent will be SVCHOST.exe?
- How to understand the System Invoked Process and User invoked process you mentioned?
- What project are you currently using?
-
checkingrandom 226 Reputation points
2022-09-27T09:51:34.62+00:00 Hi
Answer For Question 1:
SVCHOST.exe will be the parent for the Windows Store Apps like (calendar, photos).Answer for Question 2:
The concept is that when user clicks the apps and opens the application then it is User Invoked (example: opening IE, Edge browser or any other application)
,Then there comes the System invoked, example(Chrome updates) and the application that are opening without the help of user click or user intervention.For the Third question I cant understand your question. from my understanding i'm answering the question.
I'm using visual studio 2019 and the windows desktop application project.Hope it is helpful.
thanks
-
RLWA32 49,536 Reputation points2022-09-27T09:54:32.52+00:00 What if the user opens a command prompt window and then runs an application? The parent process will be cmd.exe. Do you consider that to be user invoked or system invoked?
Generally, any application that starts another process will be the parent process. What about those?
-
checkingrandom 226 Reputation points
2022-09-27T10:13:30.913+00:00 I haven't covered that situation so far.
But thinking about your question I think all comes as User Invoked. Because when we run a application using command prompt at the end, the last parent will be Explore.
From your context I will loop through the parent PID to the end to find whether Explorer.exe is present.
Because for all those SYSTEM Invoked process there wont be any involvement of EXPLORER.exe
-
RLWA32 49,536 Reputation points
2022-09-27T10:35:08.793+00:00 But thinking about your question I think all comes as User Invoked. Because when we run a application using command prompt at the end, the last parent will be Explore.
Maybe not. I can start notepad from a command prompt and then close the command prompt. The process id of notepad's parent will now be either invalid or reused by Windows.
You also aren't considering parent process id spoofing.
If you tell us the actual problem you are trying to solve we might have some suggestions.
-
checkingrandom 226 Reputation points
2022-09-27T10:50:05.077+00:00 If you tell us the actual problem you are trying to solve we might have some suggestions.
The Main Task is to I have to differentiate the User Invoked and System Invoked process.
For the User invoked process I'm taking into account only the User clicked and opened Applications. not the application opening using command prompt and other ways.
So for the above mentioned context, when I double click an application, explorer.exe will be the parent.
but for windows store apps, example I'm opening calendar using double click, the parent wont be explorer.exe the parent will be SVCHOST.exe.
In this scenario my condition fails.
-
RLWA32 49,536 Reputation points
2022-09-27T10:52:17.157+00:00 The Main Task is to I have to differentiate the User Invoked and System Invoked process.
And what problem does this differentiation solve?
Additionally, COM servers started by the system on behalf of a user will not be started by Explorer.exe.
-
checkingrandom 226 Reputation points
2022-09-27T11:11:48.437+00:00 Im trying to block the exe when it is user invoked(clicked and opened by user). if it is an system invoked I'll be allowing the process to continue without blocking.
-
RLWA32 49,536 Reputation points
2022-09-27T11:24:12.073+00:00 As you have seen, Windows does not discriminate between "user invoked" and "system invoked".
Im trying to block the exe when it is user invoked(clicked and opened by user).
This would make for a pretty unusable system. There's got to be more that you're not telling us about.
-
checkingrandom 226 Reputation points
2022-09-27T12:03:57.757+00:00 No this is the base of what Im doing and why I came to Microsoft Q&A. I'm just trying it out to block the application when it is opened using double clicking it.
-
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff2022-09-28T03:01:37.113+00:00 I suggest you could refer to the Blog: How does Task Manager categorize processes as App, Background Process, or Windows Process?
The system itself doesn’t really care what kind of processes they are.
Sign in to comment
Sign in to answer