c++ - IsProcessCritical: weird behavior - Stack Overflow

I'm working on a simple app to kill certain processes for personal use. I want to determine if the process is critical to the system or not, so I'm using the IsProcessCritical WinAPI function.

Sample code:

#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>

void KillProcesses()
{
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    
    // Snapshot of all processes currently running
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    
    if (Process32First(snapshot, &entry) == TRUE)
    {
        while (Process32Next(snapshot, &entry) == TRUE)
        {
            // Open the process and pass the handle straight to IsProcessCritical
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, entry.th32ProcessID);
            BOOL isCrit = FALSE;
            std::wcout << std::endl << entry.szExeFile << std::endl;
            std::cout << "Return val: " << IsProcessCritical(hProcess, &isCrit) << std::endl;
            std::cout << "IsCrit val: " << isCrit << std::endl;
            CloseHandle(hProcess);
        }
    }
    CloseHandle(snapshot);
}

The output is (for example):

System
Return val: 0
IsCrit val: 0
...
chrome.exe
Return val: 1
IsCrit val: 0

So in the Microsoft docs (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-isprocesscritical) it says that the function uses the second parameter ([out] PBOOL Critical) to "indicate whether the process is considered critical", and the return value is "FALSE on failure, any other value indicates success". But what I'm seeing from the output is that Critical is always FALSE, and the return value is the actual indicator (and it works in reverse somehow: 1 is NotCritical, 0 is Critical). So it does the job, but not in the way I expect it to. Am I not understanding the docs in the right way, or am I just doing something wrong? Sorry if the question is dumb, I'm new to C++ and programming in general. (Specs, just in case they're needed: C++20, Windows 10, Visual Studio 2022)

Asked Mar 6 at 8:57 by Sheri (edited Mar 6 at 9:01). 3 comments:
  • When the return value is zero, the value of isCrit is meaningless, and you should use GetLastError() to find out what the problem is. But before that, you should check that the process handle is valid. – molbdnilo Commented Mar 6 at 9:11
  • Unless your program is running with quite elevated privileges (running as an administrator does not necessarily mean such elevated privileges) IsProcessCritical() can fail when interrogating system processes. It would probably also pay to check if OpenProcess() succeeds - as it can also fail for analogous reasons. – Peter Commented Mar 6 at 9:23
  • You need RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &b); before OpenProcess, but you probably do not do this. Also, you skip the first entry; you need a do-while loop. – RbMm Commented Mar 6 at 9:58
1 Answer

As people in the comments said, the problem wasn't with IsProcessCritical (which works as intended), but with OpenProcess, which cannot open processes created by anybody other than User, therefore creating an invalid handle. Running the .exe as administrator partly solves the problem (only a few really important system processes cannot be opened, like dwm.exe, fontdrvhost.exe etc.). It's interesting that only a few processes are considered critical by IsProcessCritical (like smss.exe, services.exe or wininit.exe), but not the "System" process, for whatever reason.
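The checks described in the comments and the answer, as an added example that is not code from the original question or answer: the OpenProcess handle and the IsProcessCritical return value are both checked before the out parameter is trusted, the loop is a do-while so the first entry is not skipped, and a failed call is reported as "unknown" rather than read as critical or non-critical. `Criticality`, `Classify`, `SafeToTerminate` and `ListProcesses` are hypothetical names; the Windows-only part is guarded by `_WIN32`.

```cpp
#include <cwchar>
#ifdef _WIN32
#include <Windows.h>
#include <TlHelp32.h>
#endif

// Tri-state result: a failed call means "unknown", never "critical" or "safe".
enum class Criticality { Unknown, NotCritical, Critical };

// Hypothetical helper holding the decision logic on its own.
// opened: OpenProcess gave a handle; queryOk: IsProcessCritical returned non-zero.
Criticality Classify(bool opened, bool queryOk, bool critical)
{
    if (!opened || !queryOk) return Criticality::Unknown; // out value is meaningless
    return critical ? Criticality::Critical : Criticality::NotCritical;
}

// Only a process positively known to be non-critical is a candidate for killing.
bool SafeToTerminate(Criticality c) { return c == Criticality::NotCritical; }

#ifdef _WIN32
void ListProcesses()
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) return;
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);
    if (Process32FirstW(snapshot, &entry)) {
        do { // do-while: the entry returned by Process32FirstW is processed too
            HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE,
                                   entry.th32ProcessID);
            BOOL crit = FALSE;
            BOOL ok = h ? IsProcessCritical(h, &crit) : FALSE;
            DWORD err = ok ? ERROR_SUCCESS : GetLastError(); // from the failing call
            Criticality c = Classify(h != nullptr, ok != FALSE, crit != FALSE);
            wprintf(L"%-32ls state=%d safe=%d err=%lu\n", entry.szExeFile,
                    static_cast<int>(c), SafeToTerminate(c) ? 1 : 0, err);
            if (h) CloseHandle(h);
        } while (Process32NextW(snapshot, &entry));
    }
    CloseHandle(snapshot);
}
#endif
int main()
{
#ifdef _WIN32
    ListProcesses();
#endif
}
```

With this logic the question's "System" row (return value 0) comes out as unknown and is left alone, while the "chrome.exe" row (return value 1, Critical FALSE) comes out as non-critical.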
