OsderdaDev

Time:

UTC+3

W
Windows APIC++System ProgrammingProcess ManagementWin32

indows API Internals: Mastering Process Handles and Information Retrieval

OsderdaDev
February 22, 2026
8 views

Modern operating systems are built on the foundational concept of process isolation. When you write a standard Windows application, your code resides in its own virtual memory space. It cannot arbitrarily read or modify the memory of another running program. However, building system utilities, debuggers, task managers, or security tools requires bridging this gap.

To interact with another process, we must ask the Windows Kernel for permission using the Windows API (WinAPI). In this article, we will dive deep into process introspection: understanding Handles, utilizing OpenProcess with the correct access flags, querying executable paths using QueryFullProcessImageNameW, and enumerating loaded modules.

1. The Key to the Kingdom: Understanding HANDLEs

In the Win32 API, a HANDLE is an opaque pointer. It does not point to a direct memory address in your application. Instead, it is an index into an internal table maintained by the Windows Kernel.

When you request access to a resource (a file, a thread, or another process), the kernel verifies your permissions. If granted, it creates an entry in your process's handle table and returns a HANDLE. Every subsequent WinAPI call using that HANDLE is routed through the kernel, which knows exactly which underlying object you are referring to.

2. Knocking on the Door: OpenProcess and Access Rights

Before you can query information about a process, you must open it using OpenProcess. The signature looks like this:

cpp
HANDLE OpenProcess(
  DWORD dwDesiredAccess,
  BOOL  bInheritHandle,
  DWORD dwProcessId
);

The Trap of PROCESS_ALL_ACCESS

A common mistake among junior developers is requesting PROCESS_ALL_ACCESS. While this might work during local debugging with administrative rights, it is a bad practice in production.

Requesting more permissions than necessary triggers Modern Antivirus (AV) heuristics and will fail on system-level or Protected Processes (PPL). You should always practice the Principle of Least Privilege.

* `PROCESS_QUERY_LIMITED_INFORMATION`: Introduced in Windows Vista, this is the safest flag. It allows you to get basic information (like the executable path and exit code) without requiring deep inspection rights. It even works on many protected processes.

* `PROCESS_QUERY_INFORMATION`: Required for older APIs or deep inspection.

* `PROCESS_VM_READ`: Required if you need to read the memory of the target process (e.g., to read its command line arguments or enumerate its loaded modules via PSAPI).

3. Identifying the Target: QueryFullProcessImageNameW

Historically, developers used GetModuleFileNameEx or GetProcessImageFileName to find out which executable a process was running. These older APIs have caveats: they require PROCESS_VM_READ rights and often return device paths (e.g., \Device\HarddiskVolume3\Windows\...) instead of standard DOS paths.

The modern, robust solution is QueryFullProcessImageNameW. It only requires PROCESS_QUERY_LIMITED_INFORMATION.

cpp
BOOL QueryFullProcessImageNameW(
  HANDLE hProcess,
  DWORD  dwFlags,
  LPWSTR lpExeName,
  PDWORD lpdwSize
);

* dwFlags: Passing 0 returns a standard Win32 path (e.g., C:\Windows\System32\cmd.exe). Passing PROCESS_NAME_NATIVE returns the native NT path.

* lpdwSize: An in/out parameter. You pass the size of your buffer, and it returns the number of characters written.

4. Exploring the Process Space: Modules and DLLs

A process is rarely just a single .exe file; it is a collection of loaded Dynamic Link Libraries (DLLs) known as modules. To list these modules, we use the Process Status API (PSAPI) function EnumProcessModules.

Because enumerating modules requires reading the internal Loader Data Table (Ldr) inside the target process's memory (specifically the PEB - Process Environment Block), you must open the process with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.

5. Scenario: A C++ Process Inspector

Let's combine these concepts into a production-ready C++ utility. This console application takes a Process ID (PID), securely opens it, retrieves its full executable path, and lists all DLLs currently loaded into its memory space.

cpp
#include <windows.h>
#include <psapi.h> // For EnumProcessModules
#include <iostream>
#include <vector>
#include <string>

// Link against Psapi.lib
#pragma comment(lib, "Psapi.lib")

void InspectProcess(DWORD processID) {
    std::wcout << L"Inspecting PID: " << processID << L"\n";
    std::wcout << L"----------------------------------\n";

    // 1. Open the process with minimum required privileges
    // We need QUERY_INFORMATION and VM_READ to enumerate modules
    HANDLE hProcess = OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 
        FALSE, 
        processID
    );

    if (hProcess == NULL) {
        std::wcerr << L"[ERROR] Could not open process. Error Code: " 
                   << GetLastError() << L"\n";
        return;
    }

    // 2. Get the full process image name
    WCHAR exePath[MAX_PATH];
    DWORD pathSize = MAX_PATH;
    
    if (QueryFullProcessImageNameW(hProcess, 0, exePath, &pathSize)) {
        std::wcout << L"[+] Executable Path: " << exePath << L"\n";
    } else {
        std::wcerr << L"[-] Failed to retrieve image name. Error: " 
                   << GetLastError() << L"\n";
    }

    // 3. Enumerate loaded modules (DLLs)
    HMODULE hMods[1024];
    DWORD cbNeeded;

    if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) {
        // Calculate how many modules were returned
        int moduleCount = cbNeeded / sizeof(HMODULE);
        std::wcout << L"[+] Loaded Modules (" << moduleCount << L"):\n";

        for (int i = 0; i < moduleCount; i++) {
            WCHAR moduleName[MAX_PATH];

            // Get the full path to the module's file
            if (GetModuleFileNameExW(hProcess, hMods[i], moduleName, sizeof(moduleName) / sizeof(WCHAR))) {
                std::wcout << L"    - " << moduleName << L"\n";
            }
        }
    } else {
        std::wcerr << L"[-] Failed to enumerate modules. Error: " 
                   << GetLastError() << L"\n";
    }

    // 4. CRITICAL: Always close the handle to prevent memory/resource leaks
    CloseHandle(hProcess);
    std::wcout << L"----------------------------------\n\n";
}

int main() {
    // Example: Inspecting the current process
    // In a real scenario, you might pass a PID obtained from EnumProcesses()
    DWORD currentPID = GetCurrentProcessId();
    InspectProcess(currentPID);

    return 0;
}

Working with the Windows API requires a careful balancing act between acquiring necessary information and respecting the security boundaries established by the OS. By mastering handle management, understanding the nuances of access rights, and utilizing modern APIs like QueryFullProcessImageNameW, you can build performant and secure Windows system utilities.

Osderda

Senior Software Engineer

With a diverse background in Windows system programming, scalable Backend infrastructure, native Android development, and server management, I strive to bridge the gap between different technology stacks. My goal is to simplify complex coding concepts and share actionable knowledge through concise, technical documentation.

GitHub

Related Articles

Windows Threading Primitives: CreateThread, QueueUserWorkItem, and std::thread

Choosing the right concurrency model on Windows is critical for performance and stability. This guide compares the raw Win32 APIs against modern C++ abstractions, detailing when to use the System Thread Pool versus dedicated threads.

February 22, 20266 min

Windows Dissecting the PEB in x86 and WoW64 Architectures

A deep dive into the Process Environment Block (PEB), the user-mode heart of every Windows process. We explore how to locate and manipulate the PEB across 32-bit and 64-bit boundaries, with a focus on the unique challenges of WoW64.

February 3, 20266 min

Discussion (0)