 Toolhelp32 and PSAPI in Windows 2000
--------------------------------------
 Generally it is recommended to use Toolhelp32 in Windows 2000.
Both TH32 and PSAPI outputs depend on user rights: there are
differences between nonadmin, admin and admin with active debug
privilege.

 TH32
------
 TH32 (here Process32* and Module32* fns only) gives you always names
list of all processes (including not-yet-initialized) in the system.
 Process32First returns for PID=0x0 (Idle) szExeFile (process name) = 
"[System Process]". There is bug in Module32* functions which give
for PID=0x0 list of modules in the current process. So simply ignore
or don't call Module32* when PID is =0x0. Process32Next returns for
PID=0x8 (System) szeExeFile = "System". 
 Bad fact of TH32 implementation in Windows 2000 is there aren't paths
in process names included. The next bad fact is that when is
 CreateToolhelp32Snapshot with TH32_SNAPMODULE applied onto
"not-yet-initialized" process it causes 0xc0000142
(STATUS_DLL_INIT_FAILED) error.
 Nonadmin can see all process names but module names of modules in
"normal" processes (explorer, cmd, ..) only.
 Admin can see all process names but module names of modules in
"normal" processes (explorer, cmd, ..) only.
 Admin with DP can see all process and module names. 

 PSAPI
-------
 PSAPI doesn't support "process names". Instead you have to OpenProcess
then call EnumProcessModules and GetModuleBaseName/GetModuleFileNameEx.
EnumProcesses returns PIDs of all processes in the system. User can see
modules (with/without paths) in every process which can open (except
"not-yet-initialized" process where EnumProcessModules fails).
 Nonadmin can open (=see module names in) "normal" processes only.
 Admin can open "normal" processes for ALL_ACCESS, "protected" processes
for VM_READ and QUERY_INFORMATION (maybe more) access. OpenProcess with
csrss.exe fails. 
 Admin with DP can open all processes (of course except Idle and System)
for ALL_ACCESS.


 Conclusion
------------
 For displaying/finding processes only is better TH32. For displaying/
finding modules is required PSAPI.
 The best thing man can do is to combine both ways above.

 Of course there are other (direct) ways for making process/module lists:
NtQuerySystemInformation (taskmgr.exe, psapi.dll) or
Querying performancy counters (in registry) (pview.exe).


EliCZ, Jan-09-2000