Читаем Windows® Internals, Sixth Edition, Part 1 полностью

One unique attribute about a process that most tools don’t display is the parent or creator process ID. You can retrieve this value with the Performance Monitor (or programmatically) by querying the Creating Process ID. The Tlist.exe tool (in the Debugging Tools for Windows) can show the process tree by using the /t switch. Here’s an example of output from tlist /t:C:\>tlist /t System Process (0) System (4) smss.exe (224) csrss.exe (384) csrss.exe (444) conhost.exe (3076) OleMainThreadWndName winlogon.exe (496) wininit.exe (504) services.exe (580) svchost.exe (696) svchost.exe (796) svchost.exe (912) svchost.exe (948) svchost.exe (988) svchost.exe (244) WUDFHost.exe (1008) dwm.exe (2912) DWM Notification Window btwdins.exe (268) svchost.exe (1104) svchost.exe (1192) svchost.exe (1368) svchost.exe (1400) spoolsv.exe (1560) svchost.exe (1860) svchost.exe (1936) svchost.exe (1124) svchost.exe (1440) svchost.exe (2276) taskhost.exe (2816) Task Host Window svchost.exe (892) lsass.exe (588) lsm.exe (596) explorer.exe (2968) Program Manager cmd.exe (1832) Administrator: C:\Windows\system32\cmd.exe - "c:\tlist.exe" /t tlist.exe (2448)

The list indents each process to show its parent/child relationship. Processes whose parents aren’t alive are left-justified (as is Explorer.exe in the preceding example) because even if a grandparent process exists, there’s no way to find that relationship. Windows maintains only the creator process ID, not a link back to the creator of the creator, and so forth.

To demonstrate the fact that Windows doesn’t keep track of more than just the parent process ID, follow these steps:

Open a Command Prompt window.

Type title Parent (to change the window title to Parent).

Type start cmd (which starts a second command prompt).

Type title Child in the second command prompt.

Bring up Task Manager.

Type mspaint (which runs Microsoft Paint) in the second command prompt.

Go back to the second command prompt and type exit. (Notice that Paint remains.)

Switch to Task Manager.

Click on the Applications tab.

Right-click on the Parent task, and select Go To Process.

Right-click on this cmd.exe process, and select End Process Tree.

Click End Process Tree in the Task Manager confirmation message box.

The first command prompt window will disappear, but you should still see the Paint window because it was the grandchild of the command prompt process you terminated; and because the intermediate process (the parent of Paint) was terminated, there was no link between the parent and the grandchild.

A number of tools for viewing (and modifying) processes and process information are available. The following experiments illustrate the various views of process information you can obtain with some of these tools. While many of these tools are included within Windows itself and within the Debugging Tools for Windows and the Windows SDK, others are stand-alone tools from Sysinternals. Many of these tools show overlapping subsets of the core process and thread information, sometimes identified by different names.

Probably the most widely used tool to examine process activity is Task Manager. (Because there is no such thing as a “task” in the Windows kernel, the name of this tool, Task Manager, is a bit odd.) The following experiment shows the difference between what Task Manager lists as applications and processes.

EXPERIMENT: Viewing Process Information with Task Manager

The built-in Windows Task Manager provides a quick list of the processes on the system. You can start Task Manager in one of four ways: (1) press Ctrl+Shift+Esc, (2) right-click on the taskbar and click Start Task Manager, (3) press Ctrl+Alt+Delete and click the Start Task Manager button, or (4) start the executable Taskmgr.exe. Once Task Manager has started, click on the Processes tab to see the list of processes. Notice that processes are identified by the name of the image of which they are an instance. Unlike some objects in Windows, processes can’t be given global names. To display additional details, choose Select Columns from the View menu and select additional columns to be added, as shown here: