I'm currently working on getting my malware removal tool FreeFixer up and running on
the Windows Vista platform. FreeFixer works by scanning the registry and the file system to find unwanted software.
It also enumerates
processes, their file names and their modules. This is where I ran into a minor problem. On Windows XP I had previously
obtained the SeDebugPrivilege privilege (defined as
SE_DEBUG_NAME) and then opened
all processes with the
OpenProcess system call, passing
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ as the
However, on Windows Vista OpenProcess failed on Audiodg.exe, with the
Windows Vista introduced a new type of process, the
protected process. Protected processes exist to
enhance support for digital rights management (DRM) functionality in Windows Vista, and their
restrictions hold even for an administrator who has enabled SeDebugPrivilege.
A typical protected process does not allow:
injecting a thread into the process,
accessing the virtual memory of the process,
debugging the process,
duplicating handles of the process,
changing the quota or working set of the process.
You cannot open a typical protected process with
Luckily Vista introduced the
PROCESS_QUERY_LIMITED_INFORMATION access right, which is a limited version of the
PROCESS_QUERY_INFORMATION access right. This will allow you to open the process with
that access right and at least get the full path of the protected process. I think - please correct me if I'm wrong - that
it's not possible to enumerate the modules of audiodg.exe without the help of a kernel-mode component?
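As an added example (this is not FreeFixer's code, and the names ProcAccess and Get-ProcessImageInfo are my own), here is the open-then-fall-back logic described above, written as a PowerShell script that P/Invokes the Win32 API. It enables SeDebugPrivilege the same way as on XP, tries OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and when that is refused with ERROR_ACCESS_DENIED retries with PROCESS_QUERY_LIMITED_INFORMATION. The image path is then read with QueryFullProcessImageName, which is documented to accept a handle with only the limited right; module enumeration is only attempted on a handle with the full rights, since the limited handle cannot read the target's memory. Assumed environment: PowerShell 2.0 or later on Vista or newer, run from an elevated prompt.

```powershell
# Added example, not FreeFixer's code. Enable SeDebugPrivilege, then open each
# process with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and fall back to
# PROCESS_QUERY_LIMITED_INFORMATION when that is denied (protected processes
# such as audiodg.exe). Assumes PowerShell 2.0+ on Vista or later, run elevated.

$win32 = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class ProcAccess
{
    public const uint PROCESS_QUERY_INFORMATION         = 0x0400;
    public const uint PROCESS_VM_READ                   = 0x0010;
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; // new in Vista
    public const int  ERROR_ACCESS_DENIED               = 5;

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags, StringBuilder lpExeName, ref uint lpdwSize);
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumProcessModules(IntPtr hProcess, [Out] IntPtr[] lphModule, uint cb, out uint lpcbNeeded);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);

    // SE_DEBUG_NAME ("SeDebugPrivilege") bypasses the ACL of ordinary processes,
    // but does not get past the protected-process check in Vista.
    public static bool EnableDebugPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0020 | 0x0008, out token)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Attributes = 0x00000002; // SE_PRIVILEGE_ENABLED
        bool ok = LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid)
               && AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0; // 1300 (ERROR_NOT_ALL_ASSIGNED) means not elevated
        CloseHandle(token);
        return ok;
    }
}
'@
Add-Type -TypeDefinition $win32

function Get-ProcessImageInfo {
    param([Parameter(Mandatory=$true)][uint32]$ProcessId)

    $full    = [ProcAccess]::PROCESS_QUERY_INFORMATION -bor [ProcAccess]::PROCESS_VM_READ
    $limited = [ProcAccess]::PROCESS_QUERY_LIMITED_INFORMATION
    $access  = 'full'

    $h = [ProcAccess]::OpenProcess($full, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        # Only ERROR_ACCESS_DENIED is worth retrying; an exited process gives a different error
        if ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -ne [ProcAccess]::ERROR_ACCESS_DENIED) { return $null }
        $h = [ProcAccess]::OpenProcess($limited, $false, $ProcessId)
        if ($h -eq [IntPtr]::Zero) { return $null }
        $access = 'limited'
    }

    # QueryFullProcessImageName is satisfied by PROCESS_QUERY_LIMITED_INFORMATION,
    # so the image path comes back even for a protected process.
    $buf  = New-Object System.Text.StringBuilder 1024
    $size = [uint32]$buf.Capacity
    $path = $null
    if ([ProcAccess]::QueryFullProcessImageName($h, 0, $buf, [ref]$size)) { $path = $buf.ToString() }

    # EnumProcessModules needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; skip it on a limited handle.
    $modules = $null
    if ($access -eq 'full') {
        $handles = New-Object IntPtr[] 1024
        $needed  = [uint32]0
        if ([ProcAccess]::EnumProcessModules($h, $handles, [uint32]($handles.Length * [IntPtr]::Size), [ref]$needed)) {
            $modules = [int]($needed / [IntPtr]::Size)
        }
    }
    [void][ProcAccess]::CloseHandle($h)

    New-Object PSObject -Property @{ ProcessId = $ProcessId; Path = $path; Access = $access; Modules = $modules }
}

[void][ProcAccess]::EnableDebugPrivilege()
Get-Process | ForEach-Object { Get-ProcessImageInfo -ProcessId $_.Id } |
    Where-Object { $_ } | Format-Table ProcessId, Access, Modules, Path -AutoSize
```

On a Vista box audiodg.exe should show up with Access = limited, a populated Path and an empty Modules column, which is exactly the behaviour described above. Two caveats worth knowing when wiring this into a scanner: a 32-bit process cannot enumerate the modules of a 64-bit process with EnumProcessModules even with full access, and a denial on the first OpenProcess is not proof that the target is protected, since a process with a restrictive DACL and a caller without SeDebugPrivilege produces the same ERROR_ACCESS_DENIED.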