NtGetNextProcess - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTPSAPI_H
//
// Processes
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_WS03)

/**
 * Retrieves a handle to the next process in the system.
 *
 * @param ProcessHandle An optional handle to a process. If this parameter is NULL, the function retrieves the first process in the system.
 * @param DesiredAccess The access rights desired for the new process handle.
 * @param HandleAttributes The attributes for the new process handle.
 * @param Flags Flags that modify the behavior of the function. This can be a combination of the following flags:
 * - PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS (0x00000001): Retrieve the previous process in the system.
 * @param NewProcessHandle A pointer to a variable that receives the handle to the next process.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNextProcess(
    _In_opt_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewProcessHandle
    );

#endif
#endif
#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwGetNextProcess(
    _In_opt_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewProcessHandle
    );

#endif

View code on GitHub

This function allows iterating over processes on the system without incurring any race conditions inherent to enumerating or opening processes by ID. Call this function repeatedly to open processes one by one.

Parameters

Known flags

Access masks

For the list of process-specific access masks, see NtOpenProcess.

Notable return values

Remarks

NtGetNextProcess automatically skips inaccessible processes. In other words, it only enumerates processes for which it can return handles with the specified desired access. However, if there are no processes that satisfy this criterion at the start of enumeration (when the input handle is NULL), the function returns the error accordingly (usually STATUS_ACCESS_DENIED) instead of STATUS_NO_MORE_ENTRIES.

To avoid retaining unused resources, call NtClose to close the returned handles when they are no longer required.

This function bypasses some access checks if the caller has the SeDebugPrivilege enabled.

Related Win32 API

This functionality is not exposed in Win32 API.

See also