in providers/windows/process_windows.go [100:160]
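// init populates p.info for the process identified by p.pid.
//
// The process handle is opened once and closed on return. The image path
// lookup is tolerated failing silently (Exe and Name stay empty), while a
// failure to read the process times is returned as an error. The fields
// backed by the target's PEB (PPID, Args, CWD) are best-effort: reading them
// needs read access to the target's memory and does not work from a 32-bit
// process inspecting a 64-bit one (WOW64), so they are left empty when any
// step of that chain fails rather than failing the whole lookup.
func (p *process) init() error {
	handle, err := p.open()
	if err != nil {
		return err
	}
	defer syscall.CloseHandle(handle)

	// The kernel reports the image as a device path; map it back to a
	// drive-letter path when possible and keep the raw device path otherwise,
	// so that at least some identity for the binary survives.
	var path string
	if imgf, err := windows.GetProcessImageFileName(handle); err == nil {
		if drivePath, err := devMapper.DevicePathToDrivePath(imgf); err == nil {
			path = drivePath
		} else {
			path = imgf
		}
	}

	var creationTime, exitTime, kernelTime, userTime syscall.Filetime
	if err := syscall.GetProcessTimes(handle, &creationTime, &exitTime, &kernelTime, &userTime); err != nil {
		return err
	}

	var (
		args []string
		cwd  string
		ppid int
	)
	if pbi, err := getProcessBasicInformation(syswin.Handle(handle)); err == nil {
		// This is the parent PID recorded at creation time. If the parent has
		// since exited the PID may have been reused by an unrelated process,
		// so it is a hint for building process trees, not a verified link.
		ppid = int(pbi.InheritedFromUniqueProcessID)

		if userProcParams, err := getUserProcessParams(syswin.Handle(handle), pbi); err == nil {
			// Both strings below are copied out of another process's memory and
			// are attacker-controllable; a malformed value leaves the field
			// empty instead of aborting.
			if argsW, err := readProcessUnicodeString(handle, &userProcParams.CommandLine); err == nil {
				if parsed, err := splitCommandline(argsW); err == nil {
					args = parsed
				}
			}
			if cwdW, err := readProcessUnicodeString(handle, &userProcParams.CurrentDirectoryPath); err == nil {
				if dir, _, err := windows.UTF16BytesToString(cwdW); err == nil {
					// Drop the trailing separator the PEB stores on the directory.
					// NOTE(review): for a drive root ("C:\") this yields "C:",
					// which Windows reads as "current directory on C:" — confirm
					// callers expect that.
					cwd = strings.TrimRight(dir, "\\")
				}
			}
		}
	}

	// filepath.Base("") returns ".", so only derive a name when the image
	// path was actually obtained; otherwise a protected or inaccessible
	// process would be reported with the bogus name ".".
	var name string
	if path != "" {
		name = filepath.Base(path)
	}

	p.info = types.ProcessInfo{
		Name:      name,
		PID:       p.pid,
		PPID:      ppid,
		Exe:       path,
		Args:      args,
		CWD:       cwd,
		StartTime: time.Unix(0, creationTime.Nanoseconds()),
	}
	return nil
}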