Can we check if a running application or a program uses .Net framework to execute itself?
- 7Crank up Process Monitor and if the executable is highlighted yellow it's a managed application. Hurr.user1228– user12282010-01-17 05:20:31 +00:00Commented Jan 17, 2010 at 5:20
- 3Will, I think you meant Process Explorer ;)Mohib Sheth– Mohib Sheth2012-05-07 10:00:46 +00:00Commented May 7, 2012 at 10:00
Add a comment |
7 Answers
There's a trick I once learned from Scott Hanselman's list of interview questions. You can easily list all programs running .NET in command prompt by using:
tasklist /m "mscor*"
It will list all processes that have mscor* amongst their loaded modules.
We can apply the same method in code:
public static bool IsDotNetProcess(this Process process) { var modules = process.Modules.Cast<ProcessModule>().Where( m => m.ModuleName.StartsWith("mscor", StringComparison.InvariantCultureIgnoreCase)); return modules.Any(); } 8 Comments
Dykam
Note this does leave out possible Mono processes.
Igal Tabachnik
@Dykam Isn't mono's runtime also called mscorlib.dll ?
Dykam
The runtime is just
mono. Or mono.exe on windows. .Net uses PE to let the OS use mscorlib.dll to start the app, but mono doesn't do such a trick. And the real core lib is called corlib.dll I think, as it isn't MS's corlib.
Hans Passant
I don't think this will work anymore for .NET 4.0, the DLLs were renamed. You'll also get false positives for apps that host the CLR, Visual Studio for example.
Brian Rasmussen
The .NET 4.0 runtime is called clr.dll.
|
Use the CLR COM interfaces ICorPublish and ICorPublishProcess. The easiest way to do this from C# is to borrow some code from SharpDevelop's debugger, and do the following:
ICorPublish publish = new ICorPublish(); ICorPublishProcess process; process = publish.GetProcess(PidToCheck); if (process == null || !process.IsManaged) { // Not managed. } else { // Managed. } 
2 Comments
stakx - no longer contributing
I was wondering, if you do this from C#, under which conditions will this check report "not managed"?
Eugene Podskal
It seems that it will only consider managed those processes that have the same CLR used - social.msdn.microsoft.com/Forums/en-US/…. So one should be careful with it.
Use System.Reflection.Assembly.LoadFrom function to load the .exe file. This function will throw exception if you try to load binary file that is not .NET assembly.
5 Comments
lubos hasko
what difference does it make? running application doesn't have .exe file?
John Saunders
In that case, please show him how to find the EXE file corresponding to the running program; and show him how to deal with the possibility his process can't get read access to the .EXE file.
lubos hasko
Yes, you are right, my answer is not complete and bulletproof and I'm sorry for sarcastic comment.
Drakarah
This doesn't work if the hosting process is x64 and the exe is x86 only.
Awesomni.Codes
Keep in mind. Loading an assembly allows this assembly to execute code inside your appdomain.
I know this is about a million years too late, but in case it helps - my favourite method to figure out if an exe is using .net is to run MSIL disassembler against it which comes with .net SDK. If a .net exe you indeed have, you'll get a nice graphical breakdown of its contents; if a plain old win32 exe it be, you'll get a message telling you so.
1 Comment
Neil Schaper
Good answer. Specifically, run ILDASM.EXE, which is automatically installed with Visual Studio. See: msdn.microsoft.com/en-us/library/f7dy01k1(v=vs.110).aspx To launch ILDASM from Win8/VS2013: Start -> Visual Studio Tools --> Developer Command Prompt for VS2013. From Win8/VS2012: Start -> Developer Command -> Developer Command Prompt for VS2012. From Win7: All Programs -> Microsoft Visual Studio -> Visual Studio Tools -> Visual Studio Command Prompt.
Programmatically you'd get the starting image name using Win32 API like NtQueryInformationProcess, or in .Net use System.Diagnostics.Process.GetProcesses() and read Process.StartInfo.FileName.
Then open and decode the PE headers of that image using details prescribed in the MSDN article below:
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
Caveats: will only detect .NET built assemblies e.g. won't detect Win32 EXEs dynamically hosting CLR using CorHost APIs.
Comments
A list of running .NET processes is available in Performance Monitor. Just run perfmon and in the Monitoring Tools >> Performance Monitor click + Icon or press Ctrl+N. In the list of available counters, at the beginning of the list find .NET CLR Jit and select a sub item. You will see a list of .NET process in Instances of selected object list.
If you want a method in C# without running your app in Administrator mode, there is solution introduced by Process Hacker tool.
According to Process Hacker / .NET Tools / native.c :
Most .NET processes have a handle open to a section named \BaseNamedObjects\Cor_Private_IPCBlock(v4)<ProcessId>. This is the same object used by the ICorPublish::GetProcess function. Instead of calling that function, we simply check for the existence of that section object. This means: * Better performance. * No need for admin rights to get .NET status of processes owned by other users.
Getting a list of Process handles in C# is a bit of hard work. Instead you can download the DotNetTools.dll from Process Hacker plugins folder and create an extern method to use PhGetProcessIsDotNet function.
