I thought this one might help some people out there… Instead of scanning all processes, or getting special exports in ntdll.dll or similar ideas. There’s a two-lines code to do it. The trick is to get the desktop’s handle to window, which really belongs to CSRSS and then get its process.
DWORD pid, tid;
tid = GetWindowThreadProcessId(GetDesktopWindow(), &pid);
Also you get the thread id by product, and this code is compatible since 95. I guess it might be handy.
Nice :)
Anyway, I’m pretty sure it works in Windows 9X. I think back then the desktop window was handled by explorer.exe. Then again I don’t think W9X had any CSRSS.EXE in the first place.