Cannot FindWindow parent process' window, neither terminate parent

Question

I have a parent process, that spawns a child process. The child process' aim is to restart the parent process by terminating it, waiting a few seconds, and then starting it again. I have no way of detecting if the parent runs with admin privileges or not, but the child runs without admin privileges. The parent has a hidden window that has a unique window class, by which the window can be found and WM_CLOSE sent to it. In certain installations, however, the child's call to FindWindow() with the class' identifier fails - no window is found. However, enumerating all processes in the system, via EnumProcesses(), then opening each process, calling GetModuleFileNameEx() successfully finds the parent's process by its executable path, which is known and fixed. However, calling TerminateProcess() on the process handle returns an access denied error (5). Setting SeDebugPrivilege fails, because the child does not have escalated privileges. The above situation occurs only on a few test machines, on most machines it works as expected - the window can be found, and trying to kill the parent via TerminateProcess() succeeds. My question is - is there some isolation mode between the child and parent configured on some machines, so that FindWindow() and TerminateProcess() fail, or is there another reason for that?

Answer 1

I think this link may help you a lot :) GetParentProcessID

This source just teaches you that the function from ntdll NtQueryInformationProcess stores the parent ID as InheritedFromUniqueProcessId in the PROCESS_BASIC_INFORMATION structure