{
	"id": "015d62ea-204f-4ec1-a239-8a216e9e327b",
	"created_at": "2026-04-06T15:53:13.35316Z",
	"updated_at": "2026-04-10T13:13:02.047887Z",
	"deleted_at": null,
	"sha1_hash": "493fe697687d789c1392491d824745825662d121",
	"title": "Taking a snapshot, viewing processes - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59670,
	"plain_text": "Taking a snapshot, viewing processes - Win32 apps\r\nBy Karl-Bridge-Microsoft\r\nArchived: 2026-04-06 15:39:37 UTC\r\nThis code example retrieves a list of running processes. First, the GetProcessList function takes a snapshot of\r\ncurrently executing processes in the system. To do that, it uses the CreateToolhelp32Snapshot function, and then\r\nit walks through the list recorded in the snapshot by using Process32First and Process32Next. For each process\r\nin turn, GetProcessList calls the ListProcessModules function, which is described in Traversing the module list,\r\nand the ListProcessThreads function, which is described in Traversing the thread list.\r\nA simple error-reporting function, printError, displays the reason for any failures (which typically result from\r\nsecurity restrictions). For example, OpenProcess fails for the Idle and CSRSS processes because their access\r\nrestrictions prevent user-level code from opening them. The example requests PROCESS_ALL_ACCESS, so OpenProcess\r\nalso fails for any other process that does not grant the caller full access; GetPriorityClass itself needs only\r\nthe PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access right.\r\nTo follow along with the code example, use Visual Studio to create a new project from the C++ Console App\r\nproject template, and add the code below to it.\r\n#include \u003cwindows.h\u003e\r\n#include \u003ctlhelp32.h\u003e\r\n#include \u003ctchar.h\u003e\r\n#include \u003cstdio.h\u003e\r\n// Forward declarations:\r\nBOOL GetProcessList( );\r\nBOOL ListProcessModules( DWORD dwPID );\r\nBOOL ListProcessThreads( DWORD dwOwnerPID );\r\nvoid printError( TCHAR const* msg );\r\nint main( void )\r\n{\r\n GetProcessList( );\r\n return 0;\r\n}\r\nBOOL GetProcessList( )\r\n{\r\n HANDLE hProcessSnap;\r\n HANDLE hProcess;\r\n PROCESSENTRY32 pe32;\r\n DWORD dwPriorityClass;\r\n // Take a snapshot of all processes in the system.\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms686701.aspx\r\nPage 1 of 5\n\nhProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );\r\n if( hProcessSnap == INVALID_HANDLE_VALUE )\r\n {\r\n printError( TEXT(\"CreateToolhelp32Snapshot (of processes)\") );\r\n return( FALSE );\r\n 
}\r\n // Set the size of the structure before using it.\r\n pe32.dwSize = sizeof( PROCESSENTRY32 );\r\n // Retrieve information about the first process,\r\n // and exit if unsuccessful\r\n if( !Process32First( hProcessSnap, \u0026pe32 ) )\r\n {\r\n printError( TEXT(\"Process32First\") ); // show cause of failure\r\n CloseHandle( hProcessSnap ); // clean the snapshot object\r\n return( FALSE );\r\n }\r\n // Now walk the snapshot of processes, and\r\n // display information about each process in turn\r\n do\r\n {\r\n _tprintf( TEXT(\"\\n\\n=====================================================\" ));\r\n _tprintf( TEXT(\"\\nPROCESS NAME: %s\"), pe32.szExeFile );\r\n _tprintf( TEXT(\"\\n-------------------------------------------------------\" ));\r\n // Retrieve the priority class.\r\n dwPriorityClass = 0;\r\n hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );\r\n if( hProcess == NULL )\r\n printError( TEXT(\"OpenProcess\") );\r\n else\r\n {\r\n dwPriorityClass = GetPriorityClass( hProcess );\r\n if( !dwPriorityClass )\r\n printError( TEXT(\"GetPriorityClass\") );\r\n CloseHandle( hProcess );\r\n }\r\n _tprintf( TEXT(\"\\n Process ID = 0x%08X\"), pe32.th32ProcessID );\r\n _tprintf( TEXT(\"\\n Thread count = %d\"), pe32.cntThreads );\r\n _tprintf( TEXT(\"\\n Parent process ID = 0x%08X\"), pe32.th32ParentProcessID );\r\n _tprintf( TEXT(\"\\n Priority base = %d\"), pe32.pcPriClassBase );\r\n if( dwPriorityClass )\r\n _tprintf( TEXT(\"\\n Priority class = %d\"), dwPriorityClass );\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms686701.aspx\r\nPage 2 of 5\n\n// List the modules and threads associated with this process\r\n ListProcessModules( pe32.th32ProcessID );\r\n ListProcessThreads( pe32.th32ProcessID );\r\n } while( Process32Next( hProcessSnap, \u0026pe32 ) );\r\n CloseHandle( hProcessSnap );\r\n return( TRUE );\r\n}\r\nBOOL ListProcessModules( DWORD dwPID )\r\n{\r\n HANDLE hModuleSnap = INVALID_HANDLE_VALUE;\r\n MODULEENTRY32 me32;\r\n // 
Take a snapshot of all modules in the specified process.\r\n hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );\r\n if( hModuleSnap == INVALID_HANDLE_VALUE )\r\n {\r\n printError( TEXT(\"CreateToolhelp32Snapshot (of modules)\") );\r\n return( FALSE );\r\n }\r\n // Set the size of the structure before using it.\r\n me32.dwSize = sizeof( MODULEENTRY32 );\r\n // Retrieve information about the first module,\r\n // and exit if unsuccessful\r\n if( !Module32First( hModuleSnap, \u0026me32 ) )\r\n {\r\n printError( TEXT(\"Module32First\") ); // show cause of failure\r\n CloseHandle( hModuleSnap ); // clean the snapshot object\r\n return( FALSE );\r\n }\r\n // Now walk the module list of the process,\r\n // and display information about each module\r\n do\r\n {\r\n _tprintf( TEXT(\"\\n\\n MODULE NAME: %s\"), me32.szModule );\r\n _tprintf( TEXT(\"\\n Executable = %s\"), me32.szExePath );\r\n _tprintf( TEXT(\"\\n Process ID = 0x%08X\"), me32.th32ProcessID );\r\n _tprintf( TEXT(\"\\n Ref count (g) = 0x%04X\"), me32.GlblcntUsage );\r\n _tprintf( TEXT(\"\\n Ref count (p) = 0x%04X\"), me32.ProccntUsage );\r\n _tprintf( TEXT(\"\\n Base address = 0x%08X\"), (DWORD) me32.modBaseAddr );\r\n _tprintf( TEXT(\"\\n Base size = %d\"), me32.modBaseSize );\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms686701.aspx\r\nPage 3 of 5\n\n} while( Module32Next( hModuleSnap, \u0026me32 ) );\r\n CloseHandle( hModuleSnap );\r\n return( TRUE );\r\n}\r\nBOOL ListProcessThreads( DWORD dwOwnerPID )\r\n{\r\n HANDLE hThreadSnap = INVALID_HANDLE_VALUE;\r\n THREADENTRY32 te32;\r\n \r\n // Take a snapshot of all running threads\r\n hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );\r\n if( hThreadSnap == INVALID_HANDLE_VALUE )\r\n return( FALSE );\r\n \r\n // Fill in the size of the structure before using it.\r\n te32.dwSize = sizeof(THREADENTRY32);\r\n \r\n // Retrieve information about the first thread,\r\n // and exit if unsuccessful\r\n if( !Thread32First( 
hThreadSnap, \u0026te32 ) )\r\n {\r\n printError( TEXT(\"Thread32First\") ); // show cause of failure\r\n CloseHandle( hThreadSnap ); // clean the snapshot object\r\n return( FALSE );\r\n }\r\n // Now walk the thread list of the system,\r\n // and display information about each thread\r\n // associated with the specified process\r\n do\r\n {\r\n if( te32.th32OwnerProcessID == dwOwnerPID )\r\n {\r\n _tprintf( TEXT(\"\\n\\n THREAD ID = 0x%08X\"), te32.th32ThreadID );\r\n _tprintf( TEXT(\"\\n Base priority = %d\"), te32.tpBasePri );\r\n _tprintf( TEXT(\"\\n Delta priority = %d\"), te32.tpDeltaPri );\r\n _tprintf( TEXT(\"\\n\"));\r\n }\r\n } while( Thread32Next(hThreadSnap, \u0026te32 ) );\r\n CloseHandle( hThreadSnap );\r\n return( TRUE );\r\n}\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms686701.aspx\r\nPage 4 of 5\n\nvoid printError( TCHAR const* msg )\r\n{\r\n DWORD eNum;\r\n TCHAR sysMsg[256];\r\n TCHAR* p;\r\n eNum = GetLastError( );\r\n FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,\r\n NULL, eNum,\r\n MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language\r\n sysMsg, 256, NULL );\r\n // Trim the end of the line and terminate it with a null\r\n p = sysMsg;\r\n while( ( *p \u003e 31 ) || ( *p == 9 ) )\r\n ++p;\r\n do { *p-- = 0; } while( ( p \u003e= sysMsg ) \u0026\u0026\r\n ( ( *p == '.' ) || ( *p \u003c 33 ) ) );\r\n // Display the message\r\n _tprintf( TEXT(\"\\n WARNING: %s failed with error %d (%s)\"), msg, eNum, sysMsg );\r\n}\r\nSnapshots of the system\r\nSource: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms686701.aspx\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx"
	],
	"report_names": [
		"ms686701.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775490793,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/493fe697687d789c1392491d824745825662d121.pdf",
		"text": "https://archive.orkl.eu/493fe697687d789c1392491d824745825662d121.txt",
		"img": "https://archive.orkl.eu/493fe697687d789c1392491d824745825662d121.jpg"
	}
}