log processes started via RunAs (IMPLEMENTED)



animal 11-13-2007, 6:57
I often run programs under a different user account than the one I'm logged in as by using the "Run as" command. TimeSnapper captures these windows alright but it seems it does not log their process names and window titles. Would this be possible somehow or is Windows security preventing this?

The problem is that one of the apps I have to run with elevated privileges  is actually my development IDE (only because of an ill-behaving license protection in an IDE plugin we're using)... obviously it kind of diminishes the usefulness of the productivity reports a bit that I cannot make TimeSnapper regard time spent in my single most productive application as such...

Cheers,

Oliver

Re: log processes started via RunAs


AtliB 11-13-2007, 9:14
Hi Oliver,

have you taken a look at this thread:
http://forums.timesnapper.com/forums/131/ShowPost.aspx

Let us know if this is adequate for you!

Thanks
Atli


Check out TimeSnapper, the automatic screenshot journal at www.timesnapper.com

It runs in the background of your computer, taking screenshots of your desktop every few seconds all week long.

TimeSnapper lets you play back your week just like a movie. Use it to improve your work habits and become more productive.

Re: log processes started via RunAs


animal 11-14-2007, 7:17
Thanks!

I was suspecting that running TS itself with elevated privileges would do the trick (it does indeed!) but was hoping that there was some other way as I'm not quite comfortable with hardcoding my admin password somewhere... I guess for the time being I'll just prefix the TS start menu shortcut with RunAs and enter the password manually on each reboot.

Actually, I know first hand that there is another way: I just wrote a very simple test application using the GetForegroundWindow and GetWindowText APIs in a timer loop to log window titles of active windows and there seemed to be absolutely no problem getting access to window titles of elevated applications... same should be true for process names. What methods are you currently using to get at window titles and process names? What exactly is the technical reason for the current limitation?

To be clear: I'm not using Vista. This is not about not being able to take screenshots of elevated applications' windows. I'm currently running TS on Windows 2000 and the problem is merely that when running unelevated it does not record the process names and window titles of elevated applications so I could not filter by them or mark them as productive. The screenshots of the elevated apps are created just fine.

Cheers,

Oliver

Re: log processes started via RunAs


AtliB 11-14-2007, 16:32
Hi Oliver.

We too are using the Win32 methods you mentioned for getting the foreground window and its caption. However, for getting the path of the currently running process, we use .NET's:
Process.GetProcessById(processId).MainModule.FileName

I know it's working properly for the Win32 call (getting the caption) but it's failing on the Process.MainModule.Filename call. Quick experimenting and looking into Win32 methods for extracting the .exe filename didn't reveal a simple way to do this (nor is it obvious if that would fail for the same security reasons).

If you have any simple solution for this, we'd be happy to incorporate it :)

Thanks
Atli



Re: log processes started via RunAs


animal 11-15-2007, 4:05
Well, I managed to get my Delphi-written sample Win32 app working alright in this respect by using some code from the open source JEDI Code Library. By googling for "get process name from window handle" I also found this example in C++ on CodeProject, which to me appears to follow the same approach as the JCL code I used, namely:
  1. Get the process id using GetWindowThreadProcessId(GetForegroundWindow)
  2. compile a list of running processes
  3. locate the PID from step 1 in the list
  4. extract the process name from the list entry
No idea why accessing the process directly by PID doesn't work but all examples I found so far seem to use this approach, though none of them explicitly notes they work with elevated processes. I only know that the JCL implementation does.

Hope this helps.

Cheers,

Oliver
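
The four steps listed in the post above, sketched in C# as an added example (not code from TimeSnapper, the JCL or the linked articles). It assumes the process list is compiled with the Toolhelp snapshot API, which reports only the executable's file name and does not open a handle to the target process; the class and method names are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;

static class ForegroundProcessName   // hypothetical name, not part of any product
{
    const uint TH32CS_SNAPPROCESS = 0x00000002;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct PROCESSENTRY32
    {
        public uint dwSize, cntUsage, th32ProcessID;
        public IntPtr th32DefaultHeapID;
        public uint th32ModuleID, cntThreads, th32ParentProcessID;
        public int pcPriClassBase;
        public uint dwFlags;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string szExeFile;
    }

    [DllImport("user32.dll")] static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateToolhelp32Snapshot(uint flags, uint pid);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, EntryPoint = "Process32FirstW")]
    static extern bool Process32First(IntPtr snap, ref PROCESSENTRY32 entry);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, EntryPoint = "Process32NextW")]
    static extern bool Process32Next(IntPtr snap, ref PROCESSENTRY32 entry);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Steps 2-4: snapshot the process list, find the PID, return its exe file name.
    static string ExeNameOf(uint pid)
    {
        IntPtr snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (snap == INVALID_HANDLE_VALUE) return null;
        try
        {
            var entry = new PROCESSENTRY32();
            entry.dwSize = (uint)Marshal.SizeOf(typeof(PROCESSENTRY32));
            for (bool ok = Process32First(snap, ref entry); ok; ok = Process32Next(snap, ref entry))
                if (entry.th32ProcessID == pid) return entry.szExeFile; // file name only, no path
            return null; // process exited between step 1 and the snapshot
        }
        finally { CloseHandle(snap); }
    }

    static void Main()
    {
        uint pid;
        GetWindowThreadProcessId(GetForegroundWindow(), out pid);  // step 1
        Console.WriteLine("{0}: {1}", pid, ExeNameOf(pid) ?? "<not found>");
    }
}
```
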

Re: log processes started via RunAs


animal 11-15-2007, 4:20
BTW: a few entries down in those Google results there appears to be a solution in C#, also implementing the indirect approach via the process list:

http://www.thescripts.com/forum/post417226-2.html
(in thread context: http://www.thescripts.com/forum/post417226.html)

In a reply to that post there's also mention of a Win32 API called
GetWindowModuleFileName which supposedly does all this in a single step.

Hope this helps.

Cheers,

Oliver

Re: log processes started via RunAs


AtliB 11-15-2007, 16:19
Ah, so close...

I tried that API call... and it worked fine... but only on the executing process!

According to:
http://support.microsoft.com/?id=228469
GetWindowModuleFileName and GetModuleFileName correctly retrieve information about windows and modules in the calling process. In Windows 95 and 98, they return information about windows and modules in other processes. However, in Windows NT 4.0 and Windows 2000, since module handles are no longer shared by all processes as they were on Windows 95 and 98, these APIs do not return information about windows and modules in other processes.

Another thing I did was to create a non-admin user, logged in as him (while also logged in as admin - using fast-user-switching).  I fired up Task Manager and was not able to see the running processes from the admin user.  Using the admin profile, I was able to see all processes (including the non-admin users).

This makes me believe that there isn't any good solution to this except for running TimeSnapper with elevated privileges :(

Like I said, if you can prove me wrong - I'll be a happy man and include that functionality! :)

Thanks
Atli




Re: log processes started via RunAs


animal 11-16-2007, 1:18
 AtliB wrote:
This makes me believe that there isn't any good solution to this except for running TimeSnapper with elevated privileges :(

Like I said, if you can prove me wrong - I'll be a happy man and include that functionality! :)

Well, there are quite a lot of examples around that prove it can be done. Just look at SysInternals' ProcessExplorer. There are some details about processes it cannot retrieve when the process is elevated but the process name and its caption do not belong to these.

Also, as I wrote before, I wrote a sample program myself that proves that it can be done. I have now tested it on Windows 2000, 2003, XP and Vista and it works fine throughout. It checks process name and caption of the active window every 500ms and logs both to a list box if that particular combination was not logged before (i.e. there will be no duplicate entries in the list). One notable thing is that for elevated processes you do not get the full path name but only the process file name. I can send the compiled exe to you if you like.

Not sure whether the source code would be of much use to you though as it's written in Delphi. There's not much I wrote myself anyway. The relevant bits are the functions from the JCL which I already posted the links to earlier on this thread.

Also, did you look at the C# example from thescripts.com and the C++ example on CodeProject I linked to? I don't have Visual Studio installed so I couldn't test them myself but they did look promising I thought...

Cheers,

Oliver

Re: log processes started via RunAs


AtliB 11-19-2007, 17:58
OK thanks Oliver, I'll take a look at what I can do.

I did take a look at all the links you posted, but I was looking for a way to get the whole filename, not just the process name which might explain the confusion :)
It would be better to get the whole filename since we're using it in some places like the Productivity Wizard to get the icon and additional information about the .exe and also in the reports.

Thanks again!
Atli




Re: log processes started via RunAs


AtliB 02-08-2008, 16:33
Oliver, better late than never!  Can you take it for another spin using the v. 2.7.0.2 which just got released?  TimeSnapper should record the window caption as well as the process name.  The process name will be a little different, not the full path and not the extension - but I guess that should be fine.

If you are logged on as a standard user in Vista (as opposed to admin), you will have to complete either step below:
The user you are running as requires read permission on the following reg key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

What needs to happen is that the permissions on the Perflib registry key need to be set. Execute your registry editor and navigate to the registry key. Then select the Edit|Permissions menu item and add your user there.

or simpler:
you could add your user to the "Performance Monitor Users" user group.

Best regards,
Atli




Re: log processes started via RunAs


animal 06-11-2008, 6:25
Sorry for taking so unbelievably long to respond... (wasn't it you who said better late than never? ;) ). The original issue has been less of a one for me recently as the IDE addin that forced me to run my IDE as admin had been fixed in the meantime...

So anyway, yes, this works like a charm! :) I still use quite a few programs with elevated privileges and it's great that I can now have them be recorded as "productive".

Thanks!

Oliver

Re: log processes started via RunAs


AtliB 06-11-2008, 15:23
Thanks for the confirmation! :)

Atli


