[ACCEPTED]-EnumProcesses() vs CreateToolhelp32Snapshot()-winapi

Accepted answer
Score: 20

Here are results from few functions:

  • EnumProcesses: 16 msec, 207 processes
  • CreateToolhelp32Snapshot: 141 msec (16 msec), 207 processes
  • WTSEnumerateProcesses: 16 msec, 207 processes
  • WTSEnumerateProcessesEx(WTS_CURRENT_SESSION): 16 msec, 98 processes
  • WTSEnumerateProcessesEx(WTS_ANY_SESSION): 16 msec, 207 processes

Machine 24 is running Windows 8 with UAC enabled, user 23 is not elevated (e.g. have no access to 22 system processes). Main process is 32-bit, machine 21 is 64-bit, so plenty of 64-bit processes 20 around. There are: session 0 for system, session 19 1 for current console user, session 2 for 18 another fast-switch user. 207 processes 17 in total (these are both 32- and 64-bit, including 16 pseudo "system" process) - 207 is also confirmed 15 by Process Explorer. Among these 207 processes: 23 14 processes are for session 2, 98 processes 13 - for session 1, and remaining - for session 12 0.

Results are for cycle of 10 single function 11 call. They are 100% reproducible on each 10 run.

For CreateToolhelp32Snapshot the main 9 result is call of CreateToolhelp32Snapshot 8 itself, and second result (in brackets) is 7 cycle with First/Next.

I think people confuse 6 "enumerate all processes" (get PIDs) and 5 "get name of process/exe". The first one 4 ("enumerate") has no issues with x32/x64 3 cross-bitness whatsoever. But the latter 2 one ("get name") does have issues - not 1 every method will work across x32/x64.

Score: 19

I think they are pretty much the same in 24 terms of performance (and results) as they 23 both call the same underlying NT API, though 22 CreateToolhelp32Snapshot() may have a slight 21 overhead as it creates a section object 20 and copies all the information to it whereas 19 EnumProcesses()/EnumProcessModules() works 18 directly with user-supplied buffers. The 17 difference is probably negligible in real 16 world performance, though.

I slightly prefer 15 EnumProcesses() as it is (IMO) a simpler 14 API to use, but CreateToolhelp32Snapshot() returns 13 more information if you need it. The only 12 downside to EnumProcesses() is that you 11 are supposed to call it in a loop as you 10 may not have allocated a large enough buffer; CreateToolhelp32Snapshot() takes 9 care of the buffer management for you. In 8 practice I just allocate a buffer on the 7 stack large enough to hold 1024 process 6 ids or module handles; so far I have not 5 come across a system where either of these 4 limits was even remotely close to being 3 reached. Of course we said the same thing 2 about MAX_PATH not so long ago and now we 1 are running into problems with that...

Score: 5

I don’t remember exactly, but unlike CreateToolhelp32Snapshot(), EnumProcesses() has 4 one of two or both limitations: 1. Doesn’t 3 enumerate 64-bit processes if called from 2 32-bit process on x64 OS. 2. Doesn’t enumerate 1 elevated processes on Vista and Win7.

Score: 4

CreateToolhelp32Snapshot FTW. EnumProcesses 3 doesnt enumerate all system processes like 2 all instances of svchost.exe at least on 1 Win XP.

Score: 1

IMO the key difference is in priviledges 8 requirements. I've seen cases in which EnumProcesses() would 7 fail, but CreateToolhelp32Snapshot() ran perfectly well.

So once I 6 needed to write code that would detect a 5 certain process on a system and react appropriately. I 4 wrote it using EnumProcesses() and it worked fine on my 3 machine, but not on testers' machines. I 2 just rewrote it with CreateToolhelp32Snapshot() and I've never heard 1 of any problems with it anymore.

More Related questions