How to tell which process owns a window?

[VanguardLH]

Say I get a popup on the screen. Its titlebar gives no information as
to which program opened that window. As a result, I'm not sure that I
want to commit any action suggested in that window because I don't know
what program is making those suggestions. I'd like to find out which
process opened that window?

I need a utility that shows me the owner process of a window. From
there, either I'll recognize the process or can use SysInternals'
Process Explorer to investigate (like maybe it's a process rolled up
under svchost.exe). Since I would be opening this utility which would
then steal away focus for its UI to show the list of windows and which
process owned each, it would probably need a dynamically updating
display so I could click back on the titlebar of the problematic window
to change focus back to it and then look back in the utility to see
which window handle had the current focus along with the process that
opened it. It would probably also need an always-on-top option to
ensure that I could see its list of windows when I changed focus back to
the problematic window (so selecting another window didn't obliterate
the utility's UI by being on top of it).

 

[Pegasus \(MVP\)]

Say I get a popup on the screen. Its titlebar gives no information as
to which program opened that window. As a result, I'm not sure that I
want to commit any action suggested in that window because I don't know
what program is making those suggestions. I'd like to find out which
process opened that window?

I need a utility that shows me the owner process of a window. From
there, either I'll recognize the process or can use SysInternals'
Process Explorer to investigate (like maybe it's a process rolled up
under svchost.exe). Since I would be opening this utility which would
then steal away focus for its UI to show the list of windows and which
process owned each, it would probably need a dynamically updating
display so I could click back on the titlebar of the problematic window
to change focus back to it and then look back in the utility to see
which window handle had the current focus along with the process that
opened it. It would probably also need an always-on-top option to
ensure that I could see its list of windows when I changed focus back to
the problematic window (so selecting another window didn't obliterate
the utility's UI by being on top of it).

You could run siw.exe, then click "Running Processes" and look for the name
of the popup in the "Window Title" column. This will give you an "Image
Name" and a PID (Process ID).
http://www.gtopala.com/siw-download.html

 

[VanguardLH]

You could run siw.exe, then click "Running Processes" and look for the name
of the popup in the "Window Title" column. This will give you an "Image
Name" and a PID (Process ID).
http://www.gtopala.com/siw-download.html

Alas, with this utility, the window would actually need to have a title
to find the process that owned it. The problematic window doesn't have
a title. As is seen in siw.exe, the "Window Title" will be blank for
most processes (because they don't have a window) so I wouldn't know
which ones didn't have a window and which ones had a window but a blank
window title.

I was looking more for something that would update its process list and
highlight the one for which I currently selected its owned window. I
could then click around on the visible windows and the utility's display
would change to show which process owned each window as it gained focus.

Thanks for the suggestion.

 

[Pegasus \(MVP\)]

Alas, with this utility, the window would actually need to have a title
to find the process that owned it. The problematic window doesn't have
a title. As is seen in siw.exe, the "Window Title" will be blank for
most processes (because they don't have a window) so I wouldn't know
which ones didn't have a window and which ones had a window but a blank
window title.

I was looking more for something that would update its process list and
highlight the one for which I currently selected its owned window. I
could then click around on the visible windows and the utility's display
would change to show which process owned each window as it gained focus.

Thanks for the suggestion.

The blank title should be no big problem. If you make a note of the exact
time when the window popped up then you can identify it with SIW by its
"Creation Time" date/time stamp.

 

[Kelly]

Also see Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

--

All the Best and Happy Mardi Gras,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

 

[VanguardLH]

Also see Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Ah, I already have that. Never thought about adding a "Window Title"
column (not included by default). Well, that's works the same as
Pegasus' mention of SIW. However, as mentioned, the problem is that
there can be other processes with opened windows that have no titles so
there would be no way to differentiate between them. A window must have
a handle to target that object, paint it, and manipulate it but its
title can be blank. With the display in SIW and Process Explorer, I
wouldn't know if a blank entry for Window Title for a process meant it
didn't have a window or if it had a window but with a blank title.

Pegasus says SIW can show a create datestamp for the window so I'll test
it in a virtual machine. I don't see how to get a window create
datestamp in Process Explorer (it's not in the list of available columns
to add/delete in its UI).

 

[VanguardLH]

The blank title should be no big problem. If you make a note of the exact
time when the window popped up then you can identify it with SIW by its
"Creation Time" date/time stamp.

That looks to give the create timestamp of the process, not a new window
object that it just created. That process could be running for hours,
days, or weeks before creating a window object (to paint it) and then
sometime later setting its visible attribute to On (to show it) for an
untitled alert window.

A process can open a window long after it has been started. It can
create the window but as non-visible (so it can paint it without flicker
or wait to populate it until completed). Sometime later it can change
the visible attribute to On to actually display that window on the
screen.

I'll give a more concrete example. Say you install an anti-virus
program. It doesn't leave a window constantly open on the screen. It
is possible it simply makes it GUI window hidden (visible attribute =
Off). That not likely for alert popups where the window object is
created sometime long after the anti-virus core and optionally its GUI
process have been loaded. Some days or weeks later, you see a popup
with no title but whose body says that there was an error in the script
and asks if you want to "submit it" but no indication of who opened that
window, to who or where some data gets sent, or why. It doesn't look
like a window that you've seen before from any of your applications. It
might be from the anti-virus software but you can't tell. The window
isn't titled and you've never before seen this type of error alert. So
how do you find out who opened that window? A timestamp on the process
won't help because that process was loaded whenever was the last time
you booted Windows (and perhaps until after you login). However, if you
leave your host powered up and running Windows and logged in for 24x7,
those processes are days or weeks old. Also, no new processes show up
(even if you've been watching them) because one of them that has been
running all that time is the same one that opened the untitled window.

That's why I'm looking for a utility that when I click on a window to
give it focus will show me which process owns the window that just got
focus (or, at least, the one over which I hover the mouse). It would
grab the window's handle ID, show that, along with whatever process is
the owner of that window ID.

 

[VanguardLH]

To simplify (but strain a bit to cite a programming function), a process
opens a window (hWnd) which assigns a handle to it. A utility could
then use GetWindowThreadProcessID function to find out which process was
the owner of the hWnd handle. However, first you need to get the handle
ID. A utility that lets you select a window or selects whichever window
over which the mouse is hovering could get the handle for that window
and then use the GetWindowThreadProcessID to tell you who was the owner
of that window. See:

http://msdn.microsoft.com/en-us/library/ms633522(VS.85).aspx

No, I don't program but I'm dangerous enough to be able to find
programming info about such things. I found one code snippet at
http://stackoverflow.com/questions/...efilename-if-i-only-have-a-window-handle-hwnd
but that doesn't help me actually find a pre-compiled utility to do
that. I haven't done any programming in 20 years and really don't want
to get into it again.

I'm still looking when I've got some idle time. I've seen this in, for
example, WinRunner and can even use its raw functions to do this
interrogation but that is way outside my budget and doesn't really help
in a working system versus trying to compile a suite of actions in a
test case.

 

[VanguardLH]

To simplify (but strain a bit to cite a programming function), a process
opens a window (hWnd) which assigns a handle to it. A utility could
then use GetWindowThreadProcessID function to find out which process was
the owner of the hWnd handle. However, first you need to get the handle
ID. A utility that lets you select a window or selects whichever window
over which the mouse is hovering could get the handle for that window
and then use the GetWindowThreadProcessID to tell you who was the owner
of that window. See:

http://msdn.microsoft.com/en-us/library/ms633522(VS.85).aspx

No, I don't program but I'm dangerous enough to be able to find
programming info about such things. I found one code snippet at
http://stackoverflow.com/questions/...efilename-if-i-only-have-a-window-handle-hwnd
but that doesn't help me actually find a pre-compiled utility to do
that. I haven't done any programming in 20 years and really don't want
to get into it again.

I'm still looking when I've got some idle time. I've seen this in, for
example, WinRunner and can even use its raw functions to do this
interrogation but that is way outside my budget and doesn't really help
in a working system versus trying to compile a suite of actions in a
test case.

I might've found one that is usable. When I saw this, I recall using
Spy++ (http://msdn.microsoft.com/en-us/library/aa315486(VS.60).aspx and
http://blogs.msdn.com/vcblog/archive/2007/01/16/spy-internals.aspx) back
when using VisualStudio but it's been over a decade since then. This
one is called WinSpector.

http://www.windows-spy.com/

I drag their crosshair to the window which selects it in their tree list
(in the Window pane); otherwise, it would take forever trying to figure
out which of those window objects was for the window that I was
interested in. Once I use their crosshair to select the titlebar of the
target window, and after it highlights which window that is in their
tree list, I can right-click and look at its properties. One of the
properties is the process owner.

Hopefully this works for whenever that dubious popup appears so I can
who the hell opened that window. I suspect it is one of the
anti-malware products installed on my host and will complain to them
about their stupidity in not identifying in the titlebar as to just who
opened that alert window. This is as stupid as showing an "Error"
window without identifying who opened it and with an OK button with no
explanation as to what was the error or what you are okaying. This one
seemed even more suspicious since it asked me to submit data to
somewhere it didn't specify. Yeah, right, like that's gonna happen.

 

[Pegasus \(MVP\)]

Pegasus (MVP) wrote:
That looks to give the create timestamp of the process, not a new window
object that it just created. That process could be running for hours,
days, or weeks before creating a window object (to paint it) and then
sometime later setting its visible attribute to On (to show it) for an
untitled alert window.

<snip>
Not on my machine. Before posting I created a popup-window, using my VB
Script editor that had been running all day. SIW showed the correct pop-up,
with the correct time stamp, and assigned it to the editor.

 

[Uwe Sieber]

I might've found one that is usable. When I saw this, I recall using
Spy++ (http://msdn.microsoft.com/en-us/library/aa315486(VS.60).aspx and
http://blogs.msdn.com/vcblog/archive/2007/01/16/spy-internals.aspx) back
when using VisualStudio but it's been over a decade since then. This
one is called WinSpector.

http://www.windows-spy.com/

I drag their crosshair to the window which selects it in their tree list

The ProcessExplorer has a similar corsshair tool.

Uwe

 

[VanguardLH]

The ProcessExplorer has a similar corsshair tool.

Uwe

Oooh, great. That utility just keeps getting better and better but it
takes some discovery to find everything it has. That Russ was a pretty
damn smart guy.