From aldeid


Used to execute another program. If malware creates a new process, you will need to analyze the new process as well.

Note: This function is provided only for compatibility with 16-bit Windows. Applications should use the CreateProcess function.


UINT WINAPI WinExec(
  _In_  LPCSTR lpCmdLine,
  _In_  UINT uCmdShow
);


lpCmdLine [in]
The command line (file name plus optional parameters) for the application to be executed. If the name of the executable file in the lpCmdLine parameter does not contain a directory path, the system searches for the executable file in this sequence:
  1. The directory from which the application loaded.
  2. The current directory.
  3. The Windows system directory. The GetSystemDirectory function retrieves the path of this directory.
  4. The Windows directory. The GetWindowsDirectory function retrieves the path of this directory.
  5. The directories listed in the PATH environment variable.
uCmdShow [in]
The display options. For a list of the acceptable values, see the description of the nCmdShow parameter of the ShowWindow function.
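
When triaging a call whose lpCmdLine has no directory path, it helps to list the locations the search sequence above will probe and see which file would actually be launched on the analysed host. The following is an added example, not part of the original page; the function names, directories and file listing are constructed for illustration, and the command-line splitting is a simplification (leading quoted string or first space).

```python
import ntpath  # Windows path rules, usable on any analysis host

def executable_token(cmd_line):
    """File-name part of lpCmdLine (simplified: quoted string or first token)."""
    cmd_line = cmd_line.strip()
    if cmd_line.startswith('"'):
        return cmd_line[1:].split('"', 1)[0]
    parts = cmd_line.split(None, 1)
    return parts[0] if parts else ""

def candidate_paths(cmd_line, app_dir, cwd, system_dir, windows_dir, path_env):
    """Paths probed for lpCmdLine, in the order the search sequence lists them."""
    name = executable_token(cmd_line)
    if not name:
        return []
    if ntpath.dirname(name):  # a directory path is present: no search happens
        return [name]
    search = [app_dir, cwd, system_dir, windows_dir]
    search += [d for d in path_env.split(";") if d]
    seen, ordered = set(), []
    for directory in search:
        path = ntpath.join(directory, name)
        key = ntpath.normcase(path)  # Windows paths compare case-insensitively
        if key not in seen:          # PATH often repeats the system directories
            seen.add(key)
            ordered.append(path)
    return ordered

def resolve(cmd_line, existing_files, **dirs):
    """First candidate found in existing_files (a file listing from the host)."""
    present = {ntpath.normcase(f) for f in existing_files}
    for path in candidate_paths(cmd_line, **dirs):
        if ntpath.normcase(path) in present:
            return path
    return None

# Constructed sample: a copy of notepad.exe sits next to the analysed program.
SAMPLE_DIRS = dict(
    app_dir=r"C:\Users\lab\AppData\Local\Temp\sample",
    cwd=r"C:\Users\lab\Desktop",
    system_dir=r"C:\Windows\System32",
    windows_dir=r"C:\Windows",
    path_env=r"C:\Windows\System32;C:\Windows;C:\Tools",
)
SAMPLE_FILES = [r"C:\Windows\System32\notepad.exe",
                r"C:\Users\lab\AppData\Local\Temp\sample\notepad.exe"]

if __name__ == "__main__":
    for p in candidate_paths("notepad.exe report.txt", **SAMPLE_DIRS):
        print(p)
    print("resolved:", resolve("notepad.exe report.txt", SAMPLE_FILES, **SAMPLE_DIRS))
```

With the constructed listing, the copy in the application's own directory is resolved ahead of the one in the system directory, so that is the file to collect and analyze.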

Return value

If the function succeeds, the return value is greater than 31.

If the function fails, the return value is one of the following error values.

Return code/value      Description
0                      The system is out of memory or resources.
ERROR_BAD_FORMAT       The .exe file is invalid.
ERROR_FILE_NOT_FOUND   The specified file was not found.
ERROR_PATH_NOT_FOUND   The specified path was not found.