NtGetNextProcess - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTPSAPI_H
// Processes
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_WS03)
/**
* Retrieves a handle to the next process in the system.
*
* @param ProcessHandle An optional handle to the current process.
* @param DesiredAccess The access rights desired for the new process handle.
* @param HandleAttributes The attributes for the new process handle.
* @param Flags Flags that modify the behavior of the function.
* @param NewProcessHandle A pointer to a variable that receives the handle to the next process.
* @return NTSTATUS Successful or errant status.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNextProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_In_ ULONG Flags,
_Out_ PHANDLE NewProcessHandle
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwGetNextProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_In_ ULONG Flags,
_Out_ PHANDLE NewProcessHandle
);
View code on GitHubThis function allows iterating over processes on the system without incurring any race conditions inherent to enumerating or opening processes by ID. Call this function repeatedly to open processes one by one.
ProcessHandle - a handle to the previous process to continue enumeration from or NULL to restart enumeration. The handle doesn't need to grant any particular access.DesiredAccess - the process access mask expected on the opened handle.HandleAttributes - flags that control the property of the handle, such as its inheritance (OBJ_INHERIT).Flags - the bit mask that controls the operation. See below for known values.NewProcessHandle - a pointer to a variable that receives a handle to the opened process.PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS - reverses enumeration order by opening the previous process instead of the next one.For the list of process-specific access masks, see NtOpenProcess.
STATUS_SUCCESS - the function opened the next/previous process.STATUS_NO_MORE_ENTRIES - the function failed because there are no more accessible processes to enumerate.NtGetNextProcess automatically skips inaccessible processes. In other words, it only enumerates processes for which it can return handles with the specified desired access. However, if there are no processes that satisfy this criterion at the start of enumeration (when the input handle is NULL), the function returns the error accordingly (usually STATUS_ACCESS_DENIED) instead of STATUS_NO_MORE_ENTRIES.
To avoid retaining unused resources, call NtClose to close the returned handles when they are no longer required.
This function bypasses some access checks if the caller has the SeDebugPrivilege enabled.
This functionality is not exposed in Win32 API.