From aldeid
Jump to navigation Jump to search


Used to begin enumerating processes from a previous call to CreateToolhelp32Snapshot.

Malware often enumerates through processes to find a process to inject into.


BOOL WINAPI Process32First(
  _In_     HANDLE hSnapshot,
  _Inout_  LPPROCESSENTRY32 lppe


hSnapshot [in]
A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
lppe [in, out]
A pointer to a PROCESSENTRY32 structure. It contains process information such as the name of the executable file, the process identifier, and the process identifier of the parent process.

Return value

Returns TRUE if the first entry of the process list has been copied to the buffer or FALSE otherwise. The ERROR_NO_MORE_FILES error value is returned by the GetLastError function if no processes exist or the snapshot does not contain process information.


  • The calling application must set the dwSize member of PROCESSENTRY32 to the size, in bytes, of the structure.
  • To retrieve information about other processes recorded in the same snapshot, use the Process32Next function.