Is it possible to detect how an .exe was launched?

I want to determine if a given exe was launched programmatically, or if it was entered and executed interactively, for example in CMD.EXE.

Is there anything about how an exe starts that indicates the mechanism that was used to start it?

Context: languages Windows XP, Visual Studio 6.

+3
2 answers

There may be an easier way, but the only way I can come up with is to check the name of the parent process, which includes several steps:

Keep in mind that the parent process may already be gone by the time (or while) you perform this check.

Edit:

If your program is a console application, you can also check the console in which it is running. If it was launched from cmd, it will usually use the same console. So you can use GetConsoleTitle and see if it is a Command Prompt. This may not work in localized or different versions of Windows, but it is easy if you have limited cases. You can also use GetConsoleWindow and GetWindowThreadProcessId instead of steps 1 and 2.

+5

You can differentiate between CMD and Explorer by checking the parent process, but you cannot determine whether this was due to user action or not. Also, AFAIK, all ways to start a process lead to the same call to NtCreateProcess / PspCreateProcess, so you cannot determine which API was used.

+3
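The parent-process check that both answers describe, as an added example that is not part of the original posts: it finds the current process's parent PID in a process snapshot, looks up the parent's image name, and reports "unknown" when the parent has already exited. The `Proc` table, `classify_parent`, and the sample PIDs are constructed for illustration; on Windows `main` fills the table with the Toolhelp snapshot API (ANSI build assumed), elsewhere it runs on the constructed table.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

typedef struct { unsigned long pid, ppid; char exe[260]; } Proc;
enum Launcher { L_UNKNOWN, L_CMD, L_EXPLORER, L_OTHER };
/* Constructed sample snapshot (not real data): explorer -> cmd -> app -> child. */
static const Proc SAMPLE[] = { {4, 0, "System"}, {1500, 900, "explorer.exe"},
    {2200, 1500, "CMD.EXE"}, {3100, 2200, "app.exe"}, {4000, 3100, "child.exe"} };
static int ieq(const char *a, const char *b) {  /* case-insensitive equality */
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Look up self's parent PID, then the parent's image name, in one snapshot. */
enum Launcher classify_parent(const Proc *t, int n, unsigned long self) {
    unsigned long ppid = 0; int i, found = 0;
    for (i = 0; i < n; i++) if (t[i].pid == self) { ppid = t[i].ppid; found = 1; }
    if (!found) return L_UNKNOWN;
    for (i = 0; i < n; i++) {
        if (t[i].pid != ppid) continue;
        if (ieq(t[i].exe, "cmd.exe")) return L_CMD;
        if (ieq(t[i].exe, "explorer.exe")) return L_EXPLORER;
        return L_OTHER;
    }
    return L_UNKNOWN;  /* parent PID absent from the snapshot: it has exited */
}

int main(void) {
    static const char *name[] = { "unknown (parent gone)", "cmd.exe", "explorer.exe", "other" };
    const Proc *t = SAMPLE; int n = 5; unsigned long self = 3100;
#ifdef _WIN32  /* ANSI build assumed: szExeFile is a char array */
    static Proc live[4096]; PROCESSENTRY32 pe; int k = 0;
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pe.dwSize = sizeof pe;
    if (h != INVALID_HANDLE_VALUE && Process32First(h, &pe)) do {
        live[k].pid = pe.th32ProcessID; live[k].ppid = pe.th32ParentProcessID;
        strncpy(live[k].exe, pe.szExeFile, sizeof live[k].exe - 1); k++;
    } while (k < 4096 && Process32Next(h, &pe));
    if (h != INVALID_HANDLE_VALUE) CloseHandle(h);
    t = live; n = k; self = GetCurrentProcessId();
#endif
    printf("launched from: %s\n", name[classify_parent(t, n, self)]);
    return 0;
}
```

The image name is only a hint: any executable can be named cmd.exe, and a parent PID can be reused by an unrelated process after the real parent exits.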

Source: https://habr.com/ru/post/912843/

