PSAPI学习笔记

转载自：http://bbs.pediy.com/showthread.php?threadid=15430

关键字：PSAPIFunctions
EmptyWorkingSet***

EnumDeviceDrivers**

EnumPageFiles

EnumProcesses*

EnumProcessModules*

GetDeviceDriverBaseName**

GetDeviceDriverFileName**

GetMappedFileName

GetModuleBaseName*

GetModuleFileNameEx*

GetModuleInformation*

GetPerformanceInfo

GetProcessImageFileName

GetProcessMemoryInfo*

GetWsChanges***

InitializeProcessForWsWatch***

QueryWorkingSet***
**红色为.NET新增**
实践应用：
1).枚举进程、模块以及相关信息
使用PSAPI：
EnumProcess,
EnumProcessModule,
GetProcessMemoryInfo,
GetModuleBaseName,
GetModuleFileNameEx,
GetModuleInformation,

#include<windows.h>
#include<fstream>
#include<iomanip>
#include"psapi.h"

#pragmacomment(lib,"psapi.lib")

usingnamespacestd;

intmain()
{
ofstreamfout("EnumProcessAndModule.txt");

DWORDdwProcessId[1024],cbNeededProcess;

if(!EnumProcesses(dwProcessId,sizeof(dwProcessId),&cbNeededProcess))
return0;

for(unsignedinti=0;i<(cbNeededProcess/sizeof(DWORD));i++)
{
charszProcessName[MAX_PATH]="unknown";

HANDLEhProcess=OpenProcess(PROCESS_QUERY_INFORMATION|
PROCESS_VM_READ,
FALSE,dwProcessId[i]);
if(NULL!=hProcess)
{
HMODULEhMods[1024];
DWORDcbNeededModule;

if(EnumProcessModules(hProcess,hMods,sizeof(hMods),&cbNeededModule))
{
PROCESS_MEMORY_COUNTERSProcessMemCounters;

GetProcessMemoryInfo(hProcess,&ProcessMemCounters,sizeof(ProcessMemCounters));

fout<<"ProcessId:"<<dwProcessId[i]<<endl;
fout<<"ProcessMemoryinformation:"<<endl;
fout<<"PageFaultCount:"<<hex<<setw(8)<<ProcessMemCounters.PageFaultCount		<<endl;
fout<<"PeakWorkingSetSize:"<<hex<<setw(8)<<ProcessMemCounters.PeakWorkingSetSize	<<endl;
fout<<"WorkingSetSize:"<<hex<<setw(8)<<ProcessMemCounters.WorkingSetSize		<<endl;
fout<<"QuotaPeakPagedPoolUsage:"<<hex<<setw(8)<<ProcessMemCounters.QuotaPeakPagedPoolUsage	<<endl;
fout<<"QuotaPagedPoolUsage:"<<hex<<setw(8)<<ProcessMemCounters.QuotaPagedPoolUsage	<<endl;
fout<<"QuotaPeakNonPagedPoolUsage:"<<hex<<setw(8)<<ProcessMemCounters.QuotaPeakNonPagedPoolUsage	<<endl;
fout<<"QuotaNonPagedPoolUsage:"<<hex<<setw(8)<<ProcessMemCounters.QuotaNonPagedPoolUsage	<<endl;
fout<<"PagefileUsage:"<<hex<<setw(8)<<ProcessMemCounters.PagefileUsage		<<endl;
fout<<"PeakPagefileUsage:"<<hex<<setw(8)<<ProcessMemCounters.PeakPagefileUsage		<<endl;

for(unsignedintj=0;j<(cbNeededModule/sizeof(DWORD));j++)
{
charszModuleName[MAX_PATH];

if(GetModuleFileNameEx(hProcess,hMods[j],szModuleName,sizeof(szModuleName)))
{
fout<<'\t'<<szModuleName<<setw(8)<<hex<<"(0x"<<hMods[j]<<")"<<endl;

MODULEINFOModuleInfo;

if(GetModuleInformation(hProcess,hMods[j],&ModuleInfo,sizeof(ModuleInfo)))
{
fout<<"\t\tBaseOfDll:"<<ModuleInfo.lpBaseOfDll<<endl;
fout<<"\t\tSizeOfImage:"<<ModuleInfo.SizeOfImage<<endl;
fout<<"\t\tEntryPoint:"<<ModuleInfo.EntryPoint<<endl;
}
}
}

fout<<endl<<endl;
}

CloseHandle(hProcess);
}

}

return0;
}

二.枚举设备驱动信息

使用PSAPI：

EnumDeviceDrivers

GetDeviceDriverBaseName

GetDeviceDriverFileName

#include<windows.h>
#include<fstream>
#include"psapi.h"

#pragmacomment(lib,"psapi.lib")

usingnamespacestd;

intmain()
{
ofstreamfout("DeviceDrivers.txt");

LPVOIDlpImageBase[1024];
DWORDcbNeeded;

if(EnumDeviceDrivers(lpImageBase,sizeof(lpImageBase),&cbNeeded))
{
for(unsignedinti=0;i<(cbNeeded/sizeof(LPVOID));i++)
{
charszDeviceDriveBaseName[128];
charszDeviceDriveFileName[1024];

GetDeviceDriverBaseName(lpImageBase[i],szDeviceDriveBaseName,sizeof(szDeviceDriveBaseName));
GetDeviceDriverFileName(lpImageBase[i],szDeviceDriveFileName,sizeof(szDeviceDriveFileName));

fout<<"BaseName:"<<szDeviceDriveBaseName<<endl;
fout<<"FileName:"<<szDeviceDriveFileName<<endl<<endl;
}
}

return0;
}

三.WorkingSetInfo

使用PSAPI：

EmptyWorkingSet
QueryWorkingSet
InitializeProcessForWsWatch
GetWsChanges
注：在执行下面这个程序的时候最好打开“任务管理器”，观察NOTEPAD.EXE的内存使用情况（在程序中是以NOTEPAD.EXE为例）

#include<windows.h>
#include<iostream>
#include<fstream>
#include"psapi.h"
#defineMAX_NUM10000

#pragmacomment(lib,"psapi.lib")

usingnamespacestd;

ofstreamfout("WorkingSetInformation.txt");

voidShowErrorMessage()
{
DWORDdwErrorCode=GetLastError();

HLOCALhLocal=NULL;
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_ALLOCATE_BUFFER,
NULL,
dwErrorCode,
MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),
(PTSTR)&hLocal,
0,
NULL
);

fout<<'\t'<<"ErrorCode:"<<dwErrorCode		<<endl;
fout<<'\t'<<"ErrorMessage:"<<(char*)hLocal<<endl;

LocalFree(hLocal);
}

intmain()
{
//getnotepad'sPIDfrom"Windowstaskmaganent"

DWORDdwProcessId=6536;//changeit

HANDLEhProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
if(InitializeProcessForWsWatch(hProcess))
{
/******************************
*QueryWorkingSet
*******************************/

PVOIDpv[MAX_NUM]={0};

if(!QueryWorkingSet(hProcess,pv,sizeof(pv)))
{
fout<<"QueryWorkingSetfailed!"<<endl;

ShowErrorMessage();
}
else
{
for(unsignedinti=0;i<MAX_NUM;i++)
{
if(pv[i]!=NULL)
{
if(i==0)
fout<<"TotalNum:"<<hex<<pv[i]<<endl;

else
fout<<'\t'<<i<<"pv:"<<hex<<pv[i]<<endl;
}
else
{
break;
}
}
}

fout<<endl<<endl;

/******************************
*GetWsChanges
*******************************/

cout<<"waitingfor5second..."<<endl;

Sleep(5000);

PSAPI_WS_WATCH_INFORMATIONWatchInfo[MAX_NUM]={0};

if(!GetWsChanges(hProcess,WatchInfo,sizeof(WatchInfo)))
{
fout<<"GetWsChangesfailed!"<<endl;

ShowErrorMessage();
}
else
{
for(unsignedinti=0;i<MAX_NUM;i++)
{
if(WatchInfo[i].FaultingPc!=NULL||WatchInfo[i].FaultingVa!=NULL)
{
fout<<"Pc:"<<WatchInfo[i].FaultingPc<<endl;
fout<<"Va:"<<WatchInfo[i].FaultingVa<<endl<<endl;
}
else
{
break;
}
}
}

fout<<endl<<endl;

/******************************
*EmptyWorkingSet
*******************************/

if(!EmptyWorkingSet(hProcess))
{
fout<<"EmptyWorkingSetfailed!"<<endl;

ShowErrorMessage();
}
else
{
PVOIDpv[MAX_NUM]={0};

if(!QueryWorkingSet(hProcess,pv,sizeof(pv)))
{
fout<<"EmptyWorkingSetfailed!"<<endl;

ShowErrorMessage();
}
else
{
for(unsignedinti=0;i<MAX_NUM;i++)
{
if(pv[i]!=NULL)
{
if(i==0)
fout<<"TotalNum:"<<hex<<pv[i]<<endl;

else
fout<<'\t'<<i<<"pv:"<<hex<<pv[i]<<endl;
}
else
{
break;
}
}
}
}
}

CloseHandle(hProcess);

return0;
}

说明：EmptyWorkingSet有整理内存的功能，对系统中的所有进程执行该功能，即可以实现内存整理。（内存整理工具也不过如此吧~v~)