From: sarshah20 on
Hi All,

I have the following information:

- MSDOS applications are launched as threads of ntvdm.
- At kernel space, the CreateProcess and NtVdmControl APIs are called when
ntvdm is launched.
- When ntvdm is launched, it does not show as part of its parameters
the file it is loading. Also, NtVdmControl does not provide this
information.

I need to do the following:
When I see an ntvdm process running, is it possible to find
programmatically which application(s) are running (as threads) and where
on the file system their MSDOS executables are located?

Thanks for your help.
sarshah.
From: sarshah20 on
Here is what I have found so far. I hope that this will be helpful to
those who are seeking similar knowledge.


This article is an excellent resource on how to monitor 16-bit and MS-DOS
processes. Source code for the sample application is also included.

hxxp://www.microsoft.com/msj/0898/hood0898.aspx

APIs are available in VDMDBG.DLL. So far my findings are that the files
behind 16-bit processes can be tracked back using these APIs. However,
I am still looking for a way to do this for MS-DOS applications
running under ntvdm.exe.

I will update the post with further findings if any.
sarshah.


On Apr 19, 6:51 pm, sarsha...(a)yahoo.com wrote:
> Hi All,
>
> I have the following information:
>
> - MSDOS applications are launched as threads of ntvdm.
> - At kernel space, the CreateProcess and NtVdmControl APIs are called when
> ntvdm is launched.
> - When ntvdm is launched, it does not show as part of its parameters
> the file it is loading. Also, NtVdmControl does not provide this
> information.
>
> I need to do the following:
> When I see an ntvdm process running, is it possible to find
> programmatically which application(s) are running (as threads) and where
> on the file system their MSDOS executables are located?
>
> Thanks for your help.
> sarshah.
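The VDMDBG.DLL route mentioned in the follow-up post, worked through as an added example; this is not code from the thread or from the MSJ article. It P/Invokes two documented exports of vdmdbg.dll, VDMEnumProcessWOW (walks every WOW-hosting ntvdm.exe) and VDMEnumTaskWOWEx (walks the 16-bit tasks inside one of them, handing back the module name and on-disk path of each 16-bit executable). The helper names VdmTask, VdmDbg and EnumerateTasks are my own. It assumes a 32-bit (x86) Windows build that still ships NTVDM and must run from a 32-bit PowerShell process, since vdmdbg.dll is a 32-bit DLL; as the post notes, it covers 16-bit Windows tasks only and does not surface plain MS-DOS programs.

```powershell
# Added example: list the 16-bit Windows tasks hosted in each ntvdm.exe
# and the file each was loaded from, via VDMDBG.DLL.
# Assumption: 32-bit Windows with NTVDM present, 32-bit PowerShell host.

$source = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public class VdmTask {
    public uint ProcessId;   // PID of the hosting ntvdm.exe
    public uint ThreadId;    // 32-bit thread that runs this 16-bit task
    public ushort HTask16;   // 16-bit task handle
    public string ModuleName;
    public string FileName;  // path of the 16-bit executable on disk
}

public static class VdmDbg {
    // Attribute bit reported for the shared (system) WOW VDM, from vdmdbg.h.
    public const uint WOW_SYSTEM = 0x00000001;

    // Callbacks return false to keep enumerating, true to stop.
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate bool ProcessEnumProc(uint dwProcessId, uint dwAttributes, IntPtr lpUserDefined);

    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate bool TaskEnumProcEx(uint dwThreadId, ushort hMod16, ushort hTask16,
        [MarshalAs(UnmanagedType.LPStr)] string pszModName,
        [MarshalAs(UnmanagedType.LPStr)] string pszFileName,
        IntPtr lpUserDefined);

    [DllImport("vdmdbg.dll", SetLastError = true)]
    public static extern int VDMEnumProcessWOW(ProcessEnumProc fp, IntPtr lparam);

    [DllImport("vdmdbg.dll", SetLastError = true)]
    public static extern int VDMEnumTaskWOWEx(uint dwProcessId, TaskEnumProcEx fp, IntPtr lparam);

    // Walk every WOW VDM, then every 16-bit task inside it.
    public static List<VdmTask> EnumerateTasks() {
        var result = new List<VdmTask>();
        ProcessEnumProc procCb = (pid, attrs, _) => {
            TaskEnumProcEx taskCb = (tid, hMod, hTask, modName, fileName, __) => {
                result.Add(new VdmTask {
                    ProcessId = pid, ThreadId = tid, HTask16 = hTask,
                    ModuleName = modName, FileName = fileName
                });
                return false; // continue with the next task
            };
            VDMEnumTaskWOWEx(pid, taskCb, IntPtr.Zero);
            return false;     // continue with the next WOW VDM
        };
        VDMEnumProcessWOW(procCb, IntPtr.Zero);
        return result;
    }
}
'@

Add-Type -TypeDefinition $source

# Usage: one row per 16-bit task, with the hosting ntvdm.exe PID and the
# executable path that ntvdm's own command line does not reveal.
[VdmDbg]::EnumerateTasks() |
    Format-Table ProcessId, ThreadId, HTask16, ModuleName, FileName -AutoSize
```

An empty result on a machine that is running ntvdm.exe is the expected outcome when the hosted program is an MS-DOS application rather than a 16-bit Windows one, which is the limitation the post describes; in that case the path still has to be recovered by other means, such as correlating the ntvdm.exe process with the file handles it holds open.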