完整的进程结束代码.请教如何判断进程是否为系统进程.

模块内容:
------------------------------------------
'--------循环杀掉相应进程
Public Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * 260
End Type
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32" (ByVal ApphProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Public Const TH32CS_SNAPPROCESS = &H2&
--------------------------------------------窗体代码:
--------------------------------------------
Public Sub KillProcess(a)
On Error Resume Next     Dim lSnapShot As Long
    Dim lNextProcess As Long
    Dim tPE As PROCESSENTRY32
    lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If lSnapShot <> -1 Then
        tPE.dwSize = Len(tPE)
        lNextProcess = Process32First(lSnapShot, tPE)
        Do While lNextProcess
                Dim lProcess As Long
                Dim lExitCode As LongIf Left(tPE.szExeFile, InStr(1, tPE.szExeFile, Chr(0)) - 1) = "services.exe"  Then                lProcess = OpenProcess(1, False, tPE.th32ProcessID)
                TerminateProcess lProcess, lExitCode
                CloseHandle lProcess
End If
            lNextProcess = Process32Next(lSnapShot, tPE)
        Loop
        CloseHandle (lSnapShot)
    End IfEnd Sub
Private Sub Form_Load()
KillProcess (a)
End Sub
以上是一个关闭进程的实例,查找进程中是否有services.exe,如果有,则关闭.
我想做的是一个病毒查杀工具,但是遇到一个问题,services.exe有两个,一个是系统自己的,一个是病毒,当然,位置不一样.请问,如何获取到这个进程的所在位置?或者如何判断这个进程是属于system的?请高手帮忙解答,最后20分..祝大家新年快乐.

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

你可以简单点从路径上判断,系统的services.exe一般肯定在system32下
以楼主现在的水平，想做杀毒恐怕太难了。
你这个只能杀普通的进程。对于模块路径很容易找，不过那用处不大。
判断是否是系统进程，一般判断父进程应该可以。
其实xp等高级版本就一个是系统进程就是System Idle Process名字一般就是
System Prcoess优先级是0没有父进程创建线程数是1
System进程优先级是8父进程是0经常创建很多线程
smss.exe父进程是System优先级11
csrss.exe父进程是smss.exe优先级是13
winlogon.exe父进程是csrss.exe优先级13
services.exe父进程是winlogon.exe优先级是9不知道你为何要结束这个进程。
explorer.exe就是资源管理器，显示桌面和任务栏的程序.
如果services.exe是病毒的话父进程是Explorer.exe
Option Explicit
Private Const TOKEN_READ As Long = &H20008
Private Const SECURITY_BUILTIN_DOMAIN_RID As Long = &H20&
Private Const SECURITY_NT_AUTHORITY As Long = &H5
Private Const PROCESS_QUERY_INFORMATION As Long = 1024
Private Const PROCESS_VM_READ As Long = 16
Private Const DOMAIN_ALIAS_RID_USERS = &H221
Private Const TokenUser = 1
Private Type SID_IDENTIFIER_AUTHORITY
Value(6) As Byte
End Type
Private Type SID_AND_ATTRIBUTES
SID As Long
Attributes As Long
End Type
Private Type TOKEN_USER
User As SID_AND_ATTRIBUTES
SID(500) As Byte
End Type
Private Declare Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" (ByVal lpSystemName As String, ByVal SID As Long, ByVal name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetTokenInformation Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal TokenInformationClass As Long, TokenInformation As Any, ByVal TokenInformationLength As Long, ReturnLength As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As LongPublic Function GetProcessUserName(ByVal ProcessID As Long) As String
Dim hProcessID As Long
Dim hToken As Long
Dim res As Long
Dim cbBuff As Long
Dim tiLen As Long
Dim TU As TOKEN_USER
Dim cnt As Long
Dim sAcctName2 As String
Dim cbAcctName As Long
Dim sDomainName As String
Dim cbDomainName As Long
Dim peUse As Long
Dim barr() As Byte
hProcessID = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, ProcessID)
If hProcessID <> 0 Then
If OpenProcessToken(hProcessID, TOKEN_READ, hToken) = 1 Then
res = GetTokenInformation(hToken, TokenUser, ByVal 0, tiLen, cbBuff)
If res = 0 And cbBuff > 0 Then
tiLen = cbBuff
If cbBuff > Len(TU) Then Exit Function
res = GetTokenInformation(hToken, TokenUser, TU, tiLen, cbBuff)
If res = 1 And tiLen > 0 Then
sAcctName2 = Space$(255)
sDomainName = Space$(255)
cbAcctName = 255
cbDomainName = 255
res = LookupAccountSid(vbNullString, TU.User.SID, sAcctName2, cbAcctName, sDomainName, cbDomainName, peUse)
GetProcessUserName = Replace(Trim(sAcctName2), Chr(0), "")
End If
End If
End If
If hToken Then CloseHandle hToken
CloseHandle hProcessID
End If
End Function
你下载 http://yuan505.vicp.net/cy_filesxxx/vbsrc/vbapihooker.rar
然后进入VBAPIHooker文件夹,在frmMain里有一个GetModEntries函数可以枚举指定进程所有模块的函数,其中的.szExePath就可以获得你要的信息
th32ParentProcessID 判断这个就好了父进程ID 参照xx22nn
services.exe父进程只要不是winlogon.exe
就是一般的程序（在services.exe没有被感染或者替换的时候）
看看我上传的几个VB程序
http://download.csdn.net/user/xx22nn/