在 .NET 中快速获取流程所有者的方法
Fast way to get process owners in .NET
我有以下 .NET 代码可以访问 OpenProcessToken Win32 API 以检索系统上所有进程的所有者名称:
using System.Security.Principal;
using System.Runtime.InteropServices;
public class Test
{
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle(IntPtr hObject);
private const UInt32 TOKEN_QUERY = 0x0008;
public static List<List<String>> GetProcessWithUsers()
{
var processes = Process.GetProcesses();
var result = new List<List<string>>();
foreach (var proc in processes)
{
result.Add(new List<string> { proc.ProcessName, GetProcessUser(proc) });
}
return result;
}
public static string GetProcessUser(Process process)
{
IntPtr tokenHandle = IntPtr.Zero;
try
{
OpenProcessToken(process.Handle, TOKEN_QUERY, out tokenHandle);
WindowsIdentity wi = new WindowsIdentity(tokenHandle);
return wi.Name;
}
catch
{
return null;
}
finally
{
if (tokenHandle != IntPtr.Zero)
{
CloseHandle(tokenHandle);
}
}
}
}
我系统上的 280 个进程调用 Test.GetProcessWithUsers()(例如在 LinqPad 中)需要将近 2 秒。
我认为这不是完成这项任务的可接受时间。
Process.GetProcesses()活泼,new WindowsIdentity()的贡献微乎其微,那么OpenProcessToken()有什么阻碍呢?是否有替代的 Win32 API 函数会更快?
大部分时间使用似乎是由.NET的Process class(合法抛出的拒绝访问异常等)引起的,所以这里是一个完整的P/Invoke版本不使用它但使用本机 CreateToolhelp32Snapshot function:
[DllImport("advapi32", SetLastError = true)]
private static extern bool OpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr CreateToolhelp32Snapshot(int dwFlags, int th32ProcessID);
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
private struct PROCESSENTRY32
{
public int dwSize;
public int cntUsage;
public int th32ProcessID;
public IntPtr th32DefaultHeapID;
public int th32ModuleID;
public int cntThreads;
public int th32ParentProcessID;
public int pcPriClassBase;
public int dwFlags;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
public string szExeFile;
}
public static List<List<string>> GetProcessWithUsers()
{
var result = new List<List<string>>();
const int TH32CS_SNAPPROCESS = 2;
var snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
var entry = new PROCESSENTRY32();
entry.dwSize = Marshal.SizeOf<PROCESSENTRY32>();
if (Process32First(snap, ref entry))
{
do
{
const int PROCESS_QUERY_LIMITED_INFORMATION = 0x00001000;
var handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, entry.th32ProcessID);
result.Add(new List<string> { entry.szExeFile, GetProcessUser(handle) });
if (handle != IntPtr.Zero)
{
CloseHandle(handle);
}
}
while (Process32Next(snap, ref entry));
}
CloseHandle(snap);
return result;
}
public static string GetProcessUser(IntPtr handle)
{
if (handle == IntPtr.Zero)
return null;
const int TOKEN_QUERY = 0x0008;
if (!OpenProcessToken(handle, TOKEN_QUERY, out var tokenHandle))
return null;
var wi = new WindowsIdentity(tokenHandle);
CloseHandle(tokenHandle);
return wi.Name;
}
在我的电脑上,我已经从 1500 毫秒减少到 30 毫秒 (x50)。
我有以下 .NET 代码可以访问 OpenProcessToken Win32 API 以检索系统上所有进程的所有者名称:
using System.Security.Principal;
using System.Runtime.InteropServices;
public class Test
{
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle(IntPtr hObject);
private const UInt32 TOKEN_QUERY = 0x0008;
public static List<List<String>> GetProcessWithUsers()
{
var processes = Process.GetProcesses();
var result = new List<List<string>>();
foreach (var proc in processes)
{
result.Add(new List<string> { proc.ProcessName, GetProcessUser(proc) });
}
return result;
}
public static string GetProcessUser(Process process)
{
IntPtr tokenHandle = IntPtr.Zero;
try
{
OpenProcessToken(process.Handle, TOKEN_QUERY, out tokenHandle);
WindowsIdentity wi = new WindowsIdentity(tokenHandle);
return wi.Name;
}
catch
{
return null;
}
finally
{
if (tokenHandle != IntPtr.Zero)
{
CloseHandle(tokenHandle);
}
}
}
}
我系统上的 280 个进程调用 Test.GetProcessWithUsers()(例如在 LinqPad 中)需要将近 2 秒。
我认为这不是完成这项任务的可接受时间。
Process.GetProcesses()活泼,new WindowsIdentity()的贡献微乎其微,那么OpenProcessToken()有什么阻碍呢?是否有替代的 Win32 API 函数会更快?
大部分时间使用似乎是由.NET的Process class(合法抛出的拒绝访问异常等)引起的,所以这里是一个完整的P/Invoke版本不使用它但使用本机 CreateToolhelp32Snapshot function:
[DllImport("advapi32", SetLastError = true)]
private static extern bool OpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr CreateToolhelp32Snapshot(int dwFlags, int th32ProcessID);
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
private struct PROCESSENTRY32
{
public int dwSize;
public int cntUsage;
public int th32ProcessID;
public IntPtr th32DefaultHeapID;
public int th32ModuleID;
public int cntThreads;
public int th32ParentProcessID;
public int pcPriClassBase;
public int dwFlags;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
public string szExeFile;
}
public static List<List<string>> GetProcessWithUsers()
{
var result = new List<List<string>>();
const int TH32CS_SNAPPROCESS = 2;
var snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
var entry = new PROCESSENTRY32();
entry.dwSize = Marshal.SizeOf<PROCESSENTRY32>();
if (Process32First(snap, ref entry))
{
do
{
const int PROCESS_QUERY_LIMITED_INFORMATION = 0x00001000;
var handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, entry.th32ProcessID);
result.Add(new List<string> { entry.szExeFile, GetProcessUser(handle) });
if (handle != IntPtr.Zero)
{
CloseHandle(handle);
}
}
while (Process32Next(snap, ref entry));
}
CloseHandle(snap);
return result;
}
public static string GetProcessUser(IntPtr handle)
{
if (handle == IntPtr.Zero)
return null;
const int TOKEN_QUERY = 0x0008;
if (!OpenProcessToken(handle, TOKEN_QUERY, out var tokenHandle))
return null;
var wi = new WindowsIdentity(tokenHandle);
CloseHandle(tokenHandle);
return wi.Name;
}
在我的电脑上,我已经从 1500 毫秒减少到 30 毫秒 (x50)。