Data Structures
struct	_PH_PROCESS_ITEM

struct	_PH_PROCESS_RECORD

struct	_PH_SERVICE_ITEM

struct	_PH_SERVICE_MODIFIED_DATA

struct	_PH_NETWORK_ITEM

struct	_PH_MODULE_ITEM

struct	_PH_MODULE_PROVIDER

struct	_PH_THREAD_ITEM

struct	_PH_THREAD_PROVIDER

struct	_PH_HANDLE_ITEM

struct	_PH_HANDLE_PROVIDER

struct	_PH_MEMORY_ITEM

struct	_PH_MEMORY_ITEM_LIST

Macros
#define	PH_RECORD_MAX_USAGE

#define	PH_ENABLE_VERIFY_CACHE

#define	DPCS_PROCESS_ID ((HANDLE)(LONG_PTR)-2)

#define	INTERRUPTS_PROCESS_ID ((HANDLE)(LONG_PTR)-3)

#define	PH_IS_REAL_PROCESS_ID(ProcessId) ((LONG_PTR)(ProcessId) > 0)

#define	PH_IS_FAKE_PROCESS_ID(ProcessId) ((LONG_PTR)(ProcessId) < 0)

#define	PH_PROCESS_ITEM_REMOVED 0x1

#define	PH_INTEGRITY_STR_LEN 10

#define	PH_INTEGRITY_STR_LEN_1 (PH_INTEGRITY_STR_LEN + 1)

#define	PH_PROCESS_RECORD_DEAD 0x1

#define	PH_PROCESS_RECORD_STAT_REF 0x2

#define	PH_NETWORK_OWNER_INFO_SIZE 16

#define	PH_HANDLE_FILE_SHARED_READ 0x1

#define	PH_HANDLE_FILE_SHARED_WRITE 0x2

#define	PH_HANDLE_FILE_SHARED_DELETE 0x4

#define	PH_HANDLE_FILE_SHARED_MASK 0x7

#define	PH_QUERY_MEMORY_IGNORE_FREE 0x1

#define	PH_QUERY_MEMORY_REGION_TYPE 0x2

#define	PH_QUERY_MEMORY_WS_COUNTERS 0x4

Typedefs
typedef enum _VERIFY_RESULT	VERIFY_RESULT

typedef struct _PH_PROCESS_RECORD *	PPH_PROCESS_RECORD

typedef struct _PH_PROCESS_ITEM	PH_PROCESS_ITEM

typedef struct _PH_PROCESS_ITEM *	PPH_PROCESS_ITEM

typedef struct _PH_PROCESS_RECORD	PH_PROCESS_RECORD

typedef struct _PH_VERIFY_FILE_INFO *	PPH_VERIFY_FILE_INFO

typedef struct _PH_SERVICE_ITEM	PH_SERVICE_ITEM

typedef struct _PH_SERVICE_ITEM *	PPH_SERVICE_ITEM

typedef struct _PH_SERVICE_MODIFIED_DATA	PH_SERVICE_MODIFIED_DATA

typedef struct _PH_SERVICE_MODIFIED_DATA *	PPH_SERVICE_MODIFIED_DATA

typedef enum _PH_SERVICE_CHANGE	PH_SERVICE_CHANGE

typedef enum _PH_SERVICE_CHANGE *	PPH_SERVICE_CHANGE

typedef struct _PH_NETWORK_ITEM	PH_NETWORK_ITEM

typedef struct _PH_NETWORK_ITEM *	PPH_NETWORK_ITEM

typedef struct _PH_MODULE_ITEM	PH_MODULE_ITEM

typedef struct _PH_MODULE_ITEM *	PPH_MODULE_ITEM

typedef struct _PH_MODULE_PROVIDER	PH_MODULE_PROVIDER

typedef struct _PH_MODULE_PROVIDER *	PPH_MODULE_PROVIDER

typedef struct _PH_THREAD_ITEM	PH_THREAD_ITEM

typedef struct _PH_THREAD_ITEM *	PPH_THREAD_ITEM

typedef enum _PH_KNOWN_PROCESS_TYPE	PH_KNOWN_PROCESS_TYPE

typedef struct _PH_THREAD_PROVIDER	PH_THREAD_PROVIDER

typedef struct _PH_THREAD_PROVIDER *	PPH_THREAD_PROVIDER

typedef struct _PH_HANDLE_ITEM	PH_HANDLE_ITEM

typedef struct _PH_HANDLE_ITEM *	PPH_HANDLE_ITEM

typedef struct _PH_HANDLE_PROVIDER	PH_HANDLE_PROVIDER

typedef struct _PH_HANDLE_PROVIDER *	PPH_HANDLE_PROVIDER

typedef enum _PH_MEMORY_REGION_TYPE	PH_MEMORY_REGION_TYPE

typedef struct _PH_MEMORY_ITEM	PH_MEMORY_ITEM

typedef struct _PH_MEMORY_ITEM *	PPH_MEMORY_ITEM

typedef struct _PH_MEMORY_ITEM_LIST	PH_MEMORY_ITEM_LIST

typedef struct _PH_MEMORY_ITEM_LIST *	PPH_MEMORY_ITEM_LIST

Functions
BOOLEAN	PhProcessProviderInitialization (VOID)

PHAPPAPI PPH_STRING NTAPI	PhGetClientIdName (_In_ PCLIENT_ID ClientId)

PHAPPAPI PPH_STRING NTAPI	PhGetClientIdNameEx (_In_ PCLIENT_ID ClientId, _In_opt_ PPH_STRING ProcessName)

PHAPPAPI PWSTR NTAPI	PhGetProcessPriorityClassString (_In_ ULONG PriorityClass)

PPH_PROCESS_ITEM	PhCreateProcessItem (_In_ HANDLE ProcessId)
	Creates a process item.

PHAPPAPI PPH_PROCESS_ITEM NTAPI	PhReferenceProcessItem (_In_ HANDLE ProcessId)
	Finds and references a process item.

PHAPPAPI VOID NTAPI	PhEnumProcessItems (_Out_opt_ PPH_PROCESS_ITEM **ProcessItems, _Out_ PULONG NumberOfProcessItems)
	Enumerates the process items.

VERIFY_RESULT	PhVerifyFileWithAdditionalCatalog (_In_ PPH_VERIFY_FILE_INFO Information, _In_opt_ PWSTR PackageFullName, _Out_opt_ PPH_STRING *SignerName)

VERIFY_RESULT	PhVerifyFileCached (_In_ PPH_STRING FileName, _In_opt_ PWSTR PackageFullName, _Out_opt_ PPH_STRING *SignerName, _In_ BOOLEAN CachedOnly)
	Verifies a file's digital signature, using a cached result if possible.

PHAPPAPI BOOLEAN NTAPI	PhGetStatisticsTime (_In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Index, _Out_ PLARGE_INTEGER Time)
	Retrieves a time value recorded by the statistics system.

PHAPPAPI PPH_STRING NTAPI	PhGetStatisticsTimeString (_In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Index)

VOID	PhFlushProcessQueryData (_In_ BOOLEAN SendModifiedEvent)

VOID	PhProcessProviderUpdate (_In_ PVOID Object)

PHAPPAPI VOID NTAPI	PhReferenceProcessRecord (_In_ PPH_PROCESS_RECORD ProcessRecord)

PHAPPAPI BOOLEAN NTAPI	PhReferenceProcessRecordSafe (_In_ PPH_PROCESS_RECORD ProcessRecord)

PHAPPAPI VOID NTAPI	PhReferenceProcessRecordForStatistics (_In_ PPH_PROCESS_RECORD ProcessRecord)

PHAPPAPI VOID NTAPI	PhDereferenceProcessRecord (_In_ PPH_PROCESS_RECORD ProcessRecord)

PHAPPAPI PPH_PROCESS_RECORD NTAPI	PhFindProcessRecord (_In_opt_ HANDLE ProcessId, _In_ PLARGE_INTEGER Time)
	Finds a process record.

VOID	PhPurgeProcessRecords (VOID)
	Deletes unused process records.

PHAPPAPI PPH_PROCESS_ITEM NTAPI	PhReferenceProcessItemForParent (_In_ HANDLE ParentProcessId, _In_ HANDLE ProcessId, _In_ PLARGE_INTEGER CreateTime)

PHAPPAPI PPH_PROCESS_ITEM NTAPI	PhReferenceProcessItemForRecord (_In_ PPH_PROCESS_RECORD Record)

BOOLEAN	PhServiceProviderInitialization (VOID)

PPH_SERVICE_ITEM	PhCreateServiceItem (_In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information)

PHAPPAPI PPH_SERVICE_ITEM NTAPI	PhReferenceServiceItem (_In_ PWSTR Name)

VOID	PhMarkNeedsConfigUpdateServiceItem (_In_ PPH_SERVICE_ITEM ServiceItem)

PHAPPAPI PH_SERVICE_CHANGE NTAPI	PhGetServiceChange (_In_ PPH_SERVICE_MODIFIED_DATA Data)

VOID	PhUpdateProcessItemServices (_In_ PPH_PROCESS_ITEM ProcessItem)

VOID	PhServiceProviderUpdate (_In_ PVOID Object)

BOOLEAN	PhNetworkProviderInitialization (VOID)

PPH_NETWORK_ITEM	PhCreateNetworkItem (VOID)

PHAPPAPI PPH_NETWORK_ITEM NTAPI	PhReferenceNetworkItem (_In_ ULONG ProtocolType, _In_ PPH_IP_ENDPOINT LocalEndpoint, _In_ PPH_IP_ENDPOINT RemoteEndpoint, _In_ HANDLE ProcessId)

PPH_STRING	PhGetHostNameFromAddress (_In_ PPH_IP_ADDRESS Address)

VOID	PhNetworkProviderUpdate (_In_ PVOID Object)

PHAPPAPI PWSTR NTAPI	PhGetProtocolTypeName (_In_ ULONG ProtocolType)

PHAPPAPI PWSTR NTAPI	PhGetTcpStateName (_In_ ULONG State)

BOOLEAN	PhModuleProviderInitialization (VOID)

PPH_MODULE_PROVIDER	PhCreateModuleProvider (_In_ HANDLE ProcessId)

PPH_MODULE_ITEM	PhCreateModuleItem (VOID)

PPH_MODULE_ITEM	PhReferenceModuleItem (_In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PVOID BaseAddress)

VOID	PhDereferenceAllModuleItems (_In_ PPH_MODULE_PROVIDER ModuleProvider)

VOID	PhModuleProviderUpdate (_In_ PVOID Object)

BOOLEAN	PhThreadProviderInitialization (VOID)

PPH_THREAD_PROVIDER	PhCreateThreadProvider (_In_ HANDLE ProcessId)

VOID	PhRegisterThreadProvider (_In_ PPH_THREAD_PROVIDER ThreadProvider, _Out_ PPH_CALLBACK_REGISTRATION CallbackRegistration)

VOID	PhUnregisterThreadProvider (_In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PPH_CALLBACK_REGISTRATION CallbackRegistration)

VOID	PhSetTerminatingThreadProvider (_Inout_ PPH_THREAD_PROVIDER ThreadProvider)

VOID	PhLoadSymbolsThreadProvider (_In_ PPH_THREAD_PROVIDER ThreadProvider)

PPH_THREAD_ITEM	PhCreateThreadItem (_In_ HANDLE ThreadId)

PPH_THREAD_ITEM	PhReferenceThreadItem (_In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ HANDLE ThreadId)

VOID	PhDereferenceAllThreadItems (_In_ PPH_THREAD_PROVIDER ThreadProvider)

PHAPPAPI PPH_STRING NTAPI	PhGetThreadPriorityWin32String (_In_ LONG PriorityWin32)

VOID	PhThreadProviderInitialUpdate (_In_ PPH_THREAD_PROVIDER ThreadProvider)

BOOLEAN	PhHandleProviderInitialization (VOID)

PPH_HANDLE_PROVIDER	PhCreateHandleProvider (_In_ HANDLE ProcessId)

PPH_HANDLE_ITEM	PhCreateHandleItem (_In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle)

PPH_HANDLE_ITEM	PhReferenceHandleItem (_In_ PPH_HANDLE_PROVIDER HandleProvider, _In_ HANDLE Handle)

VOID	PhDereferenceAllHandleItems (_In_ PPH_HANDLE_PROVIDER HandleProvider)

NTSTATUS	PhEnumHandlesGeneric (_In_ HANDLE ProcessId, _In_ HANDLE ProcessHandle, _Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles, _Out_ PBOOLEAN FilterNeeded)
	Enumerates all handles in a process.

VOID	PhHandleProviderUpdate (_In_ PVOID Object)

BOOLEAN	PhMemoryProviderInitialization (VOID)

VOID	PhGetMemoryProtectionString (_In_ ULONG Protection, _Out_writes_(17) PWSTR String)

PWSTR	PhGetMemoryStateString (_In_ ULONG State)

PWSTR	PhGetMemoryTypeString (_In_ ULONG Type)

PPH_MEMORY_ITEM	PhCreateMemoryItem (VOID)

PHAPPAPI VOID NTAPI	PhDeleteMemoryItemList (_In_ PPH_MEMORY_ITEM_LIST List)

PHAPPAPI PPH_MEMORY_ITEM NTAPI	PhLookupMemoryItemList (_In_ PPH_MEMORY_ITEM_LIST List, _In_ PVOID Address)

PHAPPAPI NTSTATUS NTAPI	PhQueryMemoryItemList (_In_ HANDLE ProcessId, _In_ ULONG Flags, _Out_ PPH_MEMORY_ITEM_LIST List)

Variables
PPH_OBJECT_TYPE	PhProcessItemType

PHAPPAPI PH_CALLBACK	PhProcessAddedEvent

PHAPPAPI PH_CALLBACK	PhProcessModifiedEvent

PHAPPAPI PH_CALLBACK	PhProcessRemovedEvent

PHAPPAPI PH_CALLBACK	PhProcessesUpdatedEvent

PPH_LIST	PhProcessRecordList

PH_QUEUED_LOCK	PhProcessRecordListLock

ULONG	PhStatisticsSampleCount

BOOLEAN	PhEnableProcessQueryStage2

BOOLEAN	PhEnablePurgeProcessRecords

BOOLEAN	PhEnableCycleCpuUsage

PVOID	PhProcessInformation

ULONG	PhProcessInformationSequenceNumber

SYSTEM_PERFORMANCE_INFORMATION	PhPerfInformation

PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION	PhCpuInformation

SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION	PhCpuTotals

ULONG	PhTotalProcesses

ULONG	PhTotalThreads

ULONG	PhTotalHandles

ULONG64	PhCpuTotalCycleDelta

PLARGE_INTEGER	PhCpuIdleCycleTime

PLARGE_INTEGER	PhCpuSystemCycleTime

PH_UINT64_DELTA	PhCpuIdleCycleDelta

PH_UINT64_DELTA	PhCpuSystemCycleDelta

FLOAT	PhCpuKernelUsage

FLOAT	PhCpuUserUsage

PFLOAT	PhCpusKernelUsage

PFLOAT	PhCpusUserUsage

PH_UINT64_DELTA	PhCpuKernelDelta

PH_UINT64_DELTA	PhCpuUserDelta

PH_UINT64_DELTA	PhCpuIdleDelta

PPH_UINT64_DELTA	PhCpusKernelDelta

PPH_UINT64_DELTA	PhCpusUserDelta

PPH_UINT64_DELTA	PhCpusIdleDelta

PH_UINT64_DELTA	PhIoReadDelta

PH_UINT64_DELTA	PhIoWriteDelta

PH_UINT64_DELTA	PhIoOtherDelta

PH_CIRCULAR_BUFFER_FLOAT	PhCpuKernelHistory

PH_CIRCULAR_BUFFER_FLOAT	PhCpuUserHistory

PPH_CIRCULAR_BUFFER_FLOAT	PhCpusKernelHistory

PPH_CIRCULAR_BUFFER_FLOAT	PhCpusUserHistory

PH_CIRCULAR_BUFFER_ULONG64	PhIoReadHistory

PH_CIRCULAR_BUFFER_ULONG64	PhIoWriteHistory

PH_CIRCULAR_BUFFER_ULONG64	PhIoOtherHistory

PH_CIRCULAR_BUFFER_ULONG	PhCommitHistory

PH_CIRCULAR_BUFFER_ULONG	PhPhysicalHistory

PH_CIRCULAR_BUFFER_ULONG	PhMaxCpuHistory

PH_CIRCULAR_BUFFER_ULONG	PhMaxIoHistory

PH_CIRCULAR_BUFFER_FLOAT	PhMaxCpuUsageHistory

PH_CIRCULAR_BUFFER_ULONG64	PhMaxIoReadOtherHistory

PH_CIRCULAR_BUFFER_ULONG64	PhMaxIoWriteHistory

PPH_OBJECT_TYPE	PhServiceItemType

PHAPPAPI PH_CALLBACK	PhServiceAddedEvent

PHAPPAPI PH_CALLBACK	PhServiceModifiedEvent

PHAPPAPI PH_CALLBACK	PhServiceRemovedEvent

PHAPPAPI PH_CALLBACK	PhServicesUpdatedEvent

BOOLEAN	PhEnableServiceNonPoll

PPH_OBJECT_TYPE	PhNetworkItemType

PHAPPAPI PH_CALLBACK	PhNetworkItemAddedEvent

PHAPPAPI PH_CALLBACK	PhNetworkItemModifiedEvent

PHAPPAPI PH_CALLBACK	PhNetworkItemRemovedEvent

PHAPPAPI PH_CALLBACK	PhNetworkItemsUpdatedEvent

BOOLEAN	PhEnableNetworkProviderResolve

PPH_OBJECT_TYPE	PhModuleProviderType

PPH_OBJECT_TYPE	PhModuleItemType

PPH_OBJECT_TYPE	PhThreadProviderType

PPH_OBJECT_TYPE	PhThreadItemType

PPH_OBJECT_TYPE	PhHandleProviderType

PPH_OBJECT_TYPE	PhHandleItemType

PPH_OBJECT_TYPE	PhMemoryItemType

Macro Definition Documentation

#define DPCS_PROCESS_ID ((HANDLE)(LONG_PTR)-2)

Definition at line 80 of file providers.h.

#define INTERRUPTS_PROCESS_ID ((HANDLE)(LONG_PTR)-3)

Definition at line 81 of file providers.h.

#define PH_ENABLE_VERIFY_CACHE

Definition at line 7 of file providers.h.

#define PH_HANDLE_FILE_SHARED_DELETE 0x4

Definition at line 788 of file providers.h.

#define PH_HANDLE_FILE_SHARED_MASK 0x7

Definition at line 789 of file providers.h.

#define PH_HANDLE_FILE_SHARED_READ 0x1

Definition at line 786 of file providers.h.

#define PH_HANDLE_FILE_SHARED_WRITE 0x2

Definition at line 787 of file providers.h.

#define PH_INTEGRITY_STR_LEN 10

Definition at line 94 of file providers.h.

#define PH_INTEGRITY_STR_LEN_1 (PH_INTEGRITY_STR_LEN + 1)

Definition at line 95 of file providers.h.

#define PH_IS_FAKE_PROCESS_ID ( ProcessId ) ((LONG_PTR)(ProcessId) < 0)

Definition at line 88 of file providers.h.

#define PH_IS_REAL_PROCESS_ID ( ProcessId ) ((LONG_PTR)(ProcessId) > 0)

Definition at line 85 of file providers.h.

#define PH_NETWORK_OWNER_INFO_SIZE 16

Definition at line 514 of file providers.h.

#define PH_PROCESS_ITEM_REMOVED 0x1

Definition at line 91 of file providers.h.

#define PH_PROCESS_RECORD_DEAD 0x1

Definition at line 235 of file providers.h.

#define PH_PROCESS_RECORD_STAT_REF 0x2

Definition at line 237 of file providers.h.

#define PH_QUERY_MEMORY_IGNORE_FREE 0x1

Definition at line 994 of file providers.h.

#define PH_QUERY_MEMORY_REGION_TYPE 0x2

Definition at line 995 of file providers.h.

#define PH_QUERY_MEMORY_WS_COUNTERS 0x4

Definition at line 996 of file providers.h.

#define PH_RECORD_MAX_USAGE

Definition at line 6 of file providers.h.

Typedef Documentation

typedef struct _PH_HANDLE_ITEM PH_HANDLE_ITEM

typedef struct _PH_HANDLE_PROVIDER PH_HANDLE_PROVIDER

typedef enum _PH_KNOWN_PROCESS_TYPE PH_KNOWN_PROCESS_TYPE

Definition at line 701 of file providers.h.

typedef struct _PH_MEMORY_ITEM PH_MEMORY_ITEM

typedef struct _PH_MEMORY_ITEM_LIST PH_MEMORY_ITEM_LIST

typedef enum _PH_MEMORY_REGION_TYPE PH_MEMORY_REGION_TYPE

typedef struct _PH_MODULE_ITEM PH_MODULE_ITEM

typedef struct _PH_MODULE_PROVIDER PH_MODULE_PROVIDER

typedef struct _PH_NETWORK_ITEM PH_NETWORK_ITEM

typedef struct _PH_PROCESS_ITEM PH_PROCESS_ITEM

typedef struct _PH_PROCESS_RECORD PH_PROCESS_RECORD

typedef enum _PH_SERVICE_CHANGE PH_SERVICE_CHANGE

typedef struct _PH_SERVICE_ITEM PH_SERVICE_ITEM

typedef struct _PH_SERVICE_MODIFIED_DATA PH_SERVICE_MODIFIED_DATA

typedef struct _PH_THREAD_ITEM PH_THREAD_ITEM

typedef struct _PH_THREAD_PROVIDER PH_THREAD_PROVIDER

typedef struct _PH_HANDLE_ITEM * PPH_HANDLE_ITEM

typedef struct _PH_HANDLE_PROVIDER * PPH_HANDLE_PROVIDER

typedef struct _PH_MEMORY_ITEM * PPH_MEMORY_ITEM

typedef struct _PH_MEMORY_ITEM_LIST * PPH_MEMORY_ITEM_LIST

typedef struct _PH_MODULE_ITEM * PPH_MODULE_ITEM

typedef struct _PH_MODULE_PROVIDER * PPH_MODULE_PROVIDER

typedef struct _PH_NETWORK_ITEM * PPH_NETWORK_ITEM

typedef struct _PH_PROCESS_ITEM * PPH_PROCESS_ITEM

typedef struct _PH_PROCESS_RECORD * PPH_PROCESS_RECORD

Definition at line 99 of file providers.h.

typedef enum _PH_SERVICE_CHANGE * PPH_SERVICE_CHANGE

typedef struct _PH_SERVICE_ITEM * PPH_SERVICE_ITEM

typedef struct _PH_SERVICE_MODIFIED_DATA * PPH_SERVICE_MODIFIED_DATA

typedef struct _PH_THREAD_ITEM * PPH_THREAD_ITEM

typedef struct _PH_THREAD_PROVIDER * PPH_THREAD_PROVIDER

typedef struct _PH_VERIFY_FILE_INFO* PPH_VERIFY_FILE_INFO

Definition at line 307 of file providers.h.

typedef enum _VERIFY_RESULT VERIFY_RESULT

Definition at line 98 of file providers.h.

Enumeration Type Documentation

enum _PH_MEMORY_REGION_TYPE

Enumerator:

UnknownRegion
CustomRegion
UnusableRegion
MappedFileRegion
UserSharedDataRegion
PebRegion
Peb32Region
TebRegion
Teb32Region
StackRegion
Stack32Region
HeapRegion
Heap32Region
HeapSegmentRegion
HeapSegment32Region
UnknownRegion
CustomRegion
UnusableRegion
MappedFileRegion
UserSharedDataRegion
PebRegion
Peb32Region
TebRegion
Teb32Region
StackRegion
Stack32Region
HeapRegion
Heap32Region
HeapSegmentRegion
HeapSegment32Region

Definition at line 867 of file providers.h.

enum _PH_SERVICE_CHANGE

Enumerator:

ServiceStarted
ServiceContinued
ServicePaused
ServiceStopped
ServiceStarted
ServiceContinued
ServicePaused
ServiceStopped

Definition at line 456 of file providers.h.

Function Documentation

PPH_HANDLE_ITEM PhCreateHandleItem ( _In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle )

Definition at line 116 of file hndlprv.c.

PPH_HANDLE_PROVIDER PhCreateHandleProvider ( _In_ HANDLE ProcessId )

Definition at line 56 of file hndlprv.c.

PPH_MEMORY_ITEM PhCreateMemoryItem ( VOID )

Definition at line 132 of file memprv.c.

PPH_MODULE_ITEM PhCreateModuleItem ( VOID )

Definition at line 173 of file modprv.c.

PPH_MODULE_PROVIDER PhCreateModuleProvider ( _In_ HANDLE ProcessId )

Definition at line 69 of file modprv.c.

PPH_NETWORK_ITEM PhCreateNetworkItem ( VOID )

Definition at line 177 of file netprv.c.

PPH_PROCESS_ITEM PhCreateProcessItem ( _In_ HANDLE ProcessId )

Creates a process item.

Definition at line 421 of file procprv.c.

PPH_SERVICE_ITEM PhCreateServiceItem ( _In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information )

Definition at line 122 of file srvprv.c.

PPH_THREAD_ITEM PhCreateThreadItem ( _In_ HANDLE ThreadId )

Definition at line 378 of file thrdprv.c.

PPH_THREAD_PROVIDER PhCreateThreadProvider ( _In_ HANDLE ProcessId )

Definition at line 115 of file thrdprv.c.

PHAPPAPI VOID NTAPI PhDeleteMemoryItemList ( _In_ PPH_MEMORY_ITEM_LIST List )

Definition at line 173 of file memprv.c.

VOID PhDereferenceAllHandleItems ( _In_ PPH_HANDLE_PROVIDER HandleProvider )

Definition at line 219 of file hndlprv.c.

VOID PhDereferenceAllModuleItems ( _In_ PPH_MODULE_PROVIDER ModuleProvider )

Definition at line 257 of file modprv.c.

VOID PhDereferenceAllThreadItems ( _In_ PPH_THREAD_PROVIDER ThreadProvider )

Definition at line 463 of file thrdprv.c.

PHAPPAPI VOID NTAPI PhDereferenceProcessRecord ( _In_ PPH_PROCESS_RECORD ProcessRecord )

Definition at line 2621 of file procprv.c.

NTSTATUS PhEnumHandlesGeneric	(	_In_ HANDLE	ProcessId,
		_In_ HANDLE	ProcessHandle,
		_Out_ PSYSTEM_HANDLE_INFORMATION_EX *	Handles,
		_Out_ PBOOLEAN	FilterNeeded
	)

Enumerates all handles in a process.

Parameters

ProcessId	The ID of the process.
ProcessHandle	A handle to the process.
Handles	A variable which receives a pointer to a buffer containing information about the handles.
FilterNeeded	A variable which receives a boolean indicating whether the handle information needs to be filtered by process ID.

Definition at line 287 of file hndlprv.c.

PHAPPAPI VOID NTAPI PhEnumProcessItems	(	_Out_opt_ PPH_PROCESS_ITEM **	ProcessItems,
		_Out_ PULONG	NumberOfProcessItems
	)

Enumerates the process items.

Parameters

ProcessItems	A variable which receives an array of pointers to process items. You must free the buffer with PhFree() when you no longer need it.
NumberOfProcessItems	A variable which receives the number of process items returned in ProcessItems.

Definition at line 584 of file procprv.c.

PHAPPAPI PPH_PROCESS_RECORD NTAPI PhFindProcessRecord	(	_In_opt_ HANDLE	ProcessId,
		_In_ PLARGE_INTEGER	Time
	)

Finds a process record.

Parameters

ProcessId	The ID of the process.
Time	A time in which the process was active.

Returns: The newest record older than Time, or NULL if the record could not be found. You must call PhDereferenceProcessRecord() when you no longer need the record.

Definition at line 2668 of file procprv.c.

VOID PhFlushProcessQueryData ( _In_ BOOLEAN SendModifiedEvent )

Definition at line 1763 of file procprv.c.

PHAPPAPI PPH_STRING NTAPI PhGetClientIdName ( _In_ PCLIENT_ID ClientId )

Definition at line 319 of file procprv.c.

PHAPPAPI PPH_STRING NTAPI PhGetClientIdNameEx	(	_In_ PCLIENT_ID	ClientId,
		_In_opt_ PPH_STRING	ProcessName
	)

Definition at line 341 of file procprv.c.

PPH_STRING PhGetHostNameFromAddress ( _In_ PPH_IP_ADDRESS Address )

Definition at line 329 of file netprv.c.

VOID PhGetMemoryProtectionString	(	_In_ ULONG	Protection,
		_Out_writes_(17) PWSTR	String
	)

Definition at line 45 of file memprv.c.

PWSTR PhGetMemoryStateString ( _In_ ULONG State )

Definition at line 104 of file memprv.c.

PWSTR PhGetMemoryTypeString ( _In_ ULONG Type )

Definition at line 118 of file memprv.c.

PHAPPAPI PWSTR NTAPI PhGetProcessPriorityClassString ( _In_ ULONG PriorityClass )

Definition at line 395 of file procprv.c.

PHAPPAPI PWSTR NTAPI PhGetProtocolTypeName ( _In_ ULONG ProtocolType )

Definition at line 789 of file netprv.c.

PHAPPAPI PH_SERVICE_CHANGE NTAPI PhGetServiceChange ( _In_ PPH_SERVICE_MODIFIED_DATA Data )

Definition at line 245 of file srvprv.c.

PHAPPAPI BOOLEAN NTAPI PhGetStatisticsTime	(	_In_opt_ PPH_PROCESS_ITEM	ProcessItem,
		_In_ ULONG	Index,
		_Out_ PLARGE_INTEGER	Time
	)

Retrieves a time value recorded by the statistics system.

Parameters

ProcessItem	A process item to synchronize with, or NULL if no synchronization is necessary.
Index	The history index.
Time	A variable which receives the time at Index.

Returns: TRUE if the function succeeded, otherwise FALSE if ProcessItem was specified and Index is too far into the past for that process item.

Definition at line 1707 of file procprv.c.

PHAPPAPI PPH_STRING NTAPI PhGetStatisticsTimeString	(	_In_opt_ PPH_PROCESS_ITEM	ProcessItem,
		_In_ ULONG	Index
	)

Definition at line 1743 of file procprv.c.

PHAPPAPI PWSTR NTAPI PhGetTcpStateName ( _In_ ULONG State )

Definition at line 808 of file netprv.c.

PHAPPAPI PPH_STRING NTAPI PhGetThreadPriorityWin32String ( _In_ LONG PriorityWin32 )

Definition at line 666 of file thrdprv.c.

BOOLEAN PhHandleProviderInitialization ( VOID )

Definition at line 46 of file hndlprv.c.

VOID PhHandleProviderUpdate ( _In_ PVOID Object )

Definition at line 456 of file hndlprv.c.

VOID PhLoadSymbolsThreadProvider ( _In_ PPH_THREAD_PROVIDER ThreadProvider )

Definition at line 287 of file thrdprv.c.

PHAPPAPI PPH_MEMORY_ITEM NTAPI PhLookupMemoryItemList	(	_In_ PPH_MEMORY_ITEM_LIST	List,
		_In_ PVOID	Address
	)

Definition at line 191 of file memprv.c.

VOID PhMarkNeedsConfigUpdateServiceItem ( _In_ PPH_SERVICE_ITEM ServiceItem )

Definition at line 230 of file srvprv.c.

BOOLEAN PhMemoryProviderInitialization ( VOID )

Definition at line 36 of file memprv.c.

BOOLEAN PhModuleProviderInitialization ( VOID )

Definition at line 59 of file modprv.c.

VOID PhModuleProviderUpdate ( _In_ PVOID Object )

Definition at line 339 of file modprv.c.

BOOLEAN PhNetworkProviderInitialization ( VOID )

Definition at line 153 of file netprv.c.

VOID PhNetworkProviderUpdate ( _In_ PVOID Object )

Definition at line 508 of file netprv.c.

BOOLEAN PhProcessProviderInitialization ( VOID )

Definition at line 245 of file procprv.c.

VOID PhProcessProviderUpdate ( _In_ PVOID Object )

Definition at line 1847 of file procprv.c.

VOID PhPurgeProcessRecords ( VOID )

Deletes unused process records.

Definition at line 2755 of file procprv.c.

PHAPPAPI NTSTATUS NTAPI PhQueryMemoryItemList	(	_In_ HANDLE	ProcessId,
		_In_ ULONG	Flags,
		_Out_ PPH_MEMORY_ITEM_LIST	List
	)

Definition at line 637 of file memprv.c.

PPH_HANDLE_ITEM PhReferenceHandleItem	(	_In_ PPH_HANDLE_PROVIDER	HandleProvider,
		_In_ HANDLE	Handle
	)

Definition at line 200 of file hndlprv.c.

PPH_MODULE_ITEM PhReferenceModuleItem	(	_In_ PPH_MODULE_PROVIDER	ModuleProvider,
		_In_ PVOID	BaseAddress
	)

Definition at line 223 of file modprv.c.

PHAPPAPI PPH_NETWORK_ITEM NTAPI PhReferenceNetworkItem	(	_In_ ULONG	ProtocolType,
		_In_ PPH_IP_ENDPOINT	LocalEndpoint,
		_In_ PPH_IP_ENDPOINT	RemoteEndpoint,
		_In_ HANDLE	ProcessId
	)

Definition at line 240 of file netprv.c.

PHAPPAPI PPH_PROCESS_ITEM NTAPI PhReferenceProcessItem ( _In_ HANDLE ProcessId )

Finds and references a process item.

Parameters

ProcessId The process ID of the process item.

Returns: The found process item.

Definition at line 557 of file procprv.c.

PHAPPAPI PPH_PROCESS_ITEM NTAPI PhReferenceProcessItemForParent	(	_In_ HANDLE	ParentProcessId,
		_In_ HANDLE	ProcessId,
		_In_ PLARGE_INTEGER	CreateTime
	)

Definition at line 2819 of file procprv.c.

PHAPPAPI PPH_PROCESS_ITEM NTAPI PhReferenceProcessItemForRecord ( _In_ PPH_PROCESS_RECORD Record )

Definition at line 2847 of file procprv.c.

PHAPPAPI VOID NTAPI PhReferenceProcessRecord ( _In_ PPH_PROCESS_RECORD ProcessRecord )

Definition at line 2596 of file procprv.c.

PHAPPAPI VOID NTAPI PhReferenceProcessRecordForStatistics ( _In_ PPH_PROCESS_RECORD ProcessRecord )

Definition at line 2610 of file procprv.c.

PHAPPAPI BOOLEAN NTAPI PhReferenceProcessRecordSafe ( _In_ PPH_PROCESS_RECORD ProcessRecord )

Definition at line 2603 of file procprv.c.

PHAPPAPI PPH_SERVICE_ITEM NTAPI PhReferenceServiceItem ( _In_ PWSTR Name )

Definition at line 208 of file srvprv.c.

PPH_THREAD_ITEM PhReferenceThreadItem	(	_In_ PPH_THREAD_PROVIDER	ThreadProvider,
		_In_ HANDLE	ThreadId
	)

Definition at line 429 of file thrdprv.c.

VOID PhRegisterThreadProvider	(	_In_ PPH_THREAD_PROVIDER	ThreadProvider,
		_Out_ PPH_CALLBACK_REGISTRATION	CallbackRegistration
	)

Definition at line 206 of file thrdprv.c.

BOOLEAN PhServiceProviderInitialization ( VOID )

Definition at line 107 of file srvprv.c.

VOID PhServiceProviderUpdate ( _In_ PVOID Object )

Definition at line 436 of file srvprv.c.

VOID PhSetTerminatingThreadProvider ( _Inout_ PPH_THREAD_PROVIDER ThreadProvider )

Definition at line 224 of file thrdprv.c.

BOOLEAN PhThreadProviderInitialization ( VOID )

Definition at line 91 of file thrdprv.c.

VOID PhThreadProviderInitialUpdate ( _In_ PPH_THREAD_PROVIDER ThreadProvider )

Definition at line 693 of file thrdprv.c.

VOID PhUnregisterThreadProvider	(	_In_ PPH_THREAD_PROVIDER	ThreadProvider,
		_In_ PPH_CALLBACK_REGISTRATION	CallbackRegistration
	)

Definition at line 215 of file thrdprv.c.

VOID PhUpdateProcessItemServices ( _In_ PPH_PROCESS_ITEM ProcessItem )

Definition at line 296 of file srvprv.c.

VERIFY_RESULT PhVerifyFileCached	(	_In_ PPH_STRING	FileName,
		_In_opt_ PWSTR	PackageFullName,
		_Out_opt_ PPH_STRING *	SignerName,
		_In_ BOOLEAN	CachedOnly
	)

Verifies a file's digital signature, using a cached result if possible.

Parameters

FileName	A file name.
ProcessItem	An associated process item.
SignerName	A variable which receives a pointer to a string containing the signer name. You must free the string using PhDereferenceObject() when you no longer need it. Note that the signer name may be NULL if it is not valid.
CachedOnly	Specify TRUE to fail the function when no cached result exists.

Returns: A VERIFY_RESULT value.

Definition at line 731 of file procprv.c.

VERIFY_RESULT PhVerifyFileWithAdditionalCatalog	(	_In_ PPH_VERIFY_FILE_INFO	Information,
		_In_opt_ PWSTR	PackageFullName,
		_Out_opt_ PPH_STRING *	SignerName
	)

Definition at line 656 of file procprv.c.

Variable Documentation

PH_CIRCULAR_BUFFER_ULONG PhCommitHistory

Definition at line 226 of file procprv.c.

PH_UINT64_DELTA PhCpuIdleCycleDelta

Definition at line 189 of file procprv.c.

PLARGE_INTEGER PhCpuIdleCycleTime

Definition at line 187 of file procprv.c.

PH_UINT64_DELTA PhCpuIdleDelta

Definition at line 200 of file procprv.c.

PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuInformation

Definition at line 177 of file procprv.c.

PH_UINT64_DELTA PhCpuKernelDelta

Definition at line 198 of file procprv.c.

PH_CIRCULAR_BUFFER_FLOAT PhCpuKernelHistory

Definition at line 214 of file procprv.c.

FLOAT PhCpuKernelUsage

Definition at line 193 of file procprv.c.

PPH_UINT64_DELTA PhCpusIdleDelta

Definition at line 204 of file procprv.c.

PPH_UINT64_DELTA PhCpusKernelDelta

Definition at line 202 of file procprv.c.

PPH_CIRCULAR_BUFFER_FLOAT PhCpusKernelHistory

Definition at line 218 of file procprv.c.

PFLOAT PhCpusKernelUsage

Definition at line 195 of file procprv.c.

PPH_UINT64_DELTA PhCpusUserDelta

Definition at line 203 of file procprv.c.

PPH_CIRCULAR_BUFFER_FLOAT PhCpusUserHistory

Definition at line 219 of file procprv.c.

PFLOAT PhCpusUserUsage

Definition at line 196 of file procprv.c.

PH_UINT64_DELTA PhCpuSystemCycleDelta

Definition at line 190 of file procprv.c.

PLARGE_INTEGER PhCpuSystemCycleTime

Definition at line 188 of file procprv.c.

ULONG64 PhCpuTotalCycleDelta

Definition at line 186 of file procprv.c.

SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuTotals

Definition at line 178 of file procprv.c.

PH_UINT64_DELTA PhCpuUserDelta

Definition at line 199 of file procprv.c.

PH_CIRCULAR_BUFFER_FLOAT PhCpuUserHistory

Definition at line 215 of file procprv.c.

FLOAT PhCpuUserUsage

Definition at line 194 of file procprv.c.

BOOLEAN PhEnableCycleCpuUsage

Definition at line 173 of file procprv.c.

BOOLEAN PhEnableNetworkProviderResolve

Definition at line 136 of file netprv.c.

BOOLEAN PhEnableProcessQueryStage2

Definition at line 171 of file procprv.c.

BOOLEAN PhEnablePurgeProcessRecords

Definition at line 172 of file procprv.c.

BOOLEAN PhEnableServiceNonPoll

Definition at line 96 of file srvprv.c.

PPH_OBJECT_TYPE PhHandleItemType

Definition at line 44 of file hndlprv.c.

PPH_OBJECT_TYPE PhHandleProviderType

Definition at line 43 of file hndlprv.c.

PH_UINT64_DELTA PhIoOtherDelta

Definition at line 208 of file procprv.c.

PH_CIRCULAR_BUFFER_ULONG64 PhIoOtherHistory

Definition at line 224 of file procprv.c.

PH_UINT64_DELTA PhIoReadDelta

Definition at line 206 of file procprv.c.

PH_CIRCULAR_BUFFER_ULONG64 PhIoReadHistory

Definition at line 222 of file procprv.c.

PH_UINT64_DELTA PhIoWriteDelta

Definition at line 207 of file procprv.c.

PH_CIRCULAR_BUFFER_ULONG64 PhIoWriteHistory

Definition at line 223 of file procprv.c.

PH_CIRCULAR_BUFFER_ULONG PhMaxCpuHistory

Definition at line 229 of file procprv.c.

PH_CIRCULAR_BUFFER_FLOAT PhMaxCpuUsageHistory

PH_CIRCULAR_BUFFER_ULONG PhMaxIoHistory

Definition at line 230 of file procprv.c.

PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoReadOtherHistory

PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoWriteHistory

PPH_OBJECT_TYPE PhMemoryItemType

Definition at line 34 of file memprv.c.

PPH_OBJECT_TYPE PhModuleItemType

Definition at line 57 of file modprv.c.

PPH_OBJECT_TYPE PhModuleProviderType

Definition at line 56 of file modprv.c.

PHAPPAPI PH_CALLBACK PhNetworkItemAddedEvent

PHAPPAPI PH_CALLBACK PhNetworkItemModifiedEvent

PHAPPAPI PH_CALLBACK PhNetworkItemRemovedEvent

PHAPPAPI PH_CALLBACK PhNetworkItemsUpdatedEvent

PPH_OBJECT_TYPE PhNetworkItemType

Definition at line 126 of file netprv.c.

SYSTEM_PERFORMANCE_INFORMATION PhPerfInformation

Definition at line 176 of file procprv.c.

PH_CIRCULAR_BUFFER_ULONG PhPhysicalHistory

Definition at line 227 of file procprv.c.

PHAPPAPI PH_CALLBACK PhProcessAddedEvent

PHAPPAPI PH_CALLBACK PhProcessesUpdatedEvent

PVOID PhProcessInformation

Definition at line 175 of file procprv.c.

ULONG PhProcessInformationSequenceNumber

PPH_OBJECT_TYPE PhProcessItemType

Definition at line 154 of file procprv.c.

PHAPPAPI PH_CALLBACK PhProcessModifiedEvent

PPH_LIST PhProcessRecordList

Definition at line 167 of file procprv.c.

PH_QUEUED_LOCK PhProcessRecordListLock

Definition at line 168 of file procprv.c.

PHAPPAPI PH_CALLBACK PhProcessRemovedEvent

PHAPPAPI PH_CALLBACK PhServiceAddedEvent

PPH_OBJECT_TYPE PhServiceItemType

Definition at line 86 of file srvprv.c.

PHAPPAPI PH_CALLBACK PhServiceModifiedEvent

PHAPPAPI PH_CALLBACK PhServiceRemovedEvent

PHAPPAPI PH_CALLBACK PhServicesUpdatedEvent

ULONG PhStatisticsSampleCount

Definition at line 170 of file procprv.c.

PPH_OBJECT_TYPE PhThreadItemType

Definition at line 86 of file thrdprv.c.

PPH_OBJECT_TYPE PhThreadProviderType

Definition at line 85 of file thrdprv.c.

ULONG PhTotalHandles

Definition at line 181 of file procprv.c.

ULONG PhTotalProcesses

Definition at line 179 of file procprv.c.

ULONG PhTotalThreads

Definition at line 180 of file procprv.c.

Enumerations
enum	_PH_SERVICE_CHANGE { ServiceStarted, ServiceContinued, ServicePaused, ServiceStopped, ServiceStarted, ServiceContinued, ServicePaused, ServiceStopped }

enum	_PH_MEMORY_REGION_TYPE { UnknownRegion, CustomRegion, UnusableRegion, MappedFileRegion, UserSharedDataRegion, PebRegion, Peb32Region, TebRegion, Teb32Region, StackRegion, Stack32Region, HeapRegion, Heap32Region, HeapSegmentRegion, HeapSegment32Region, UnknownRegion, CustomRegion, UnusableRegion, MappedFileRegion, UserSharedDataRegion, PebRegion, Peb32Region, TebRegion, Teb32Region, StackRegion, Stack32Region, HeapRegion, Heap32Region, HeapSegmentRegion, HeapSegment32Region }

Data Structures

Macros

Typedefs

Enumerations

Functions

Variables

Macro Definition Documentation

Typedef Documentation

Enumeration Type Documentation

Function Documentation

Variable Documentation