Getting PID of CSRSS

I thought this one might help some people out there… Instead of scanning all processes, or getting special exports in ntdll.dll or similar ideas. There’s a two-lines code to do it. The trick is to get the desktop’s handle to window, which really belongs to CSRSS and then get its process.

DWORD pid, tid;
tid = GetWindowThreadProcessId(GetDesktopWindow(), &pid);

Also you get the thread id by product, and this code is compatible since 95. I guess it might be handy.

One Response to “Getting PID of CSRSS”

  1. Mario Vilas says:

    Nice :)

    Anyway, I’m pretty sure it works in Windows 9X. I think back then the desktop window was handled by explorer.exe. Then again I don’t think W9X had any CSRSS.EXE in the first place.

Leave a Reply