Windows 用户态遍历进程的方法
请问在 Windows 10/11 系统中，有几种方式可以遍历当前系统的进程，都是哪些 API？不是那种自己在 ring0 里读内核对象拿到的进程列表，而是正儿八经通过微软提供的用户态 API 可以获取到的方式。
能帮我列出各种遍历方式的关键函数吗？不胜感激。（下面三段代码分别演示三种方式：Toolhelp32 快照 CreateToolhelp32Snapshot/Process32First/Process32Next，NtQuerySystemInformation(SystemProcessInformation)，以及 PSAPI 的 EnumProcesses。注意这些都是用户态视角，被内核级 rootkit 隐藏的进程不会出现；进程名也只是镜像文件名，不能作为安全判定依据。）
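#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

// Method 1: enumerate processes with the Toolhelp32 snapshot API
// (CreateToolhelp32Snapshot / Process32FirstW / Process32NextW).
//
// Prints "Process ID: <pid>, Process Name: <image name>" for each entry.
// Returns 0 on success, 1 if the snapshot could not be taken.
//
// NOTE(review): szExeFile is only the image file name recorded in the
// snapshot. It is attacker-controllable (rename the binary) and must not be
// used on its own for any allow/deny decision; resolve the full path and
// check the signature if a security decision depends on it.
int main()
{
    // Use the explicit W variants so the %ws format always matches a WCHAR
    // field. The original relied on the UNICODE macro mapping; without it,
    // PROCESSENTRY32::szExeFile is CHAR and %ws reads the wrong type.
    PROCESSENTRY32W pe32{};
    // Required: Process32FirstW fails with ERROR_INVALID_PARAMETER when
    // dwSize is not initialised.
    pe32.dwSize = sizeof(pe32);

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
        return 1;
    }

    for (BOOL ok = Process32FirstW(hSnap, &pe32); ok; ok = Process32NextW(hSnap, &pe32)) {
        wprintf(L"Process ID: %lu, Process Name: %ws\n", pe32.th32ProcessID, pe32.szExeFile);
    }

    CloseHandle(hSnap);
    return 0;
}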
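#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>

// winternl.h does not reliably expose these two; define them if absent.
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

// Method 2: enumerate processes with NtQuerySystemInformation
// (SystemProcessInformation), resolved dynamically from ntdll.dll.
//
// Prints "Process ID: <pid>, Process Name: <image name>" for each entry.
// Returns 0 on success, 1 on any failure.
//
// Fixes relative to the original listing:
//  - GetModuleHandleW/GetProcAddress results were dereferenced unchecked;
//  - the walk advanced by NextEntryOffset even when it was 0 (the last
//    entry), so the loop never terminated;
//  - UniqueProcessId is a HANDLE (pointer-sized) but was passed to %lu;
//  - ImageName is a UNICODE_STRING: Buffer is not guaranteed NUL-terminated
//    and is NULL for the System Idle Process, so it is printed with an
//    explicit length.
int main()
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    pNtQuerySystemInformation NtQuerySystemInformation = ntdll
        ? (pNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation")
        : nullptr;
    if (!NtQuerySystemInformation) {
        fprintf(stderr, "NtQuerySystemInformation not found in ntdll.dll\n");
        return 1;
    }

    // Grow the buffer until the call stops reporting a length mismatch.
    // The process list can change between calls, so when ReturnLength is
    // reported use it plus slack rather than trusting it exactly.
    SYSTEM_PROCESS_INFORMATION* spi = nullptr;
    ULONG bufferSize = 0x1000;
    ULONG needed = 0;
    NTSTATUS status;
    do {
        bufferSize = (needed > bufferSize) ? needed + 0x1000 : bufferSize * 2;
        spi = (SYSTEM_PROCESS_INFORMATION*)malloc(bufferSize);
        if (!spi) {
            fprintf(stderr, "out of memory\n");
            return 1;
        }
        status = NtQuerySystemInformation(SystemProcessInformation, spi, bufferSize, &needed);
        if (status == STATUS_INFO_LENGTH_MISMATCH) {
            free(spi);
            spi = nullptr;
        }
    } while (status == STATUS_INFO_LENGTH_MISMATCH);

    if (!NT_SUCCESS(status)) {
        fprintf(stderr, "NtQuerySystemInformation failed: 0x%08lX\n", (unsigned long)status);
        free(spi);
        return 1;
    }

    const BYTE* base = (const BYTE*)spi;
    const BYTE* end = base + bufferSize;
    SYSTEM_PROCESS_INFORMATION* current = spi;
    for (;;) {
        const WCHAR* name = current->ImageName.Buffer ? current->ImageName.Buffer : L"";
        // UNICODE_STRING::Length is in bytes, not characters.
        int nameChars = current->ImageName.Buffer
            ? (int)(current->ImageName.Length / sizeof(WCHAR))
            : 0;
        wprintf(L"Process ID: %lu, Process Name: %.*ws\n",
                (unsigned long)(ULONG_PTR)current->UniqueProcessId, nameChars, name);

        // NextEntryOffset == 0 marks the final entry.
        if (current->NextEntryOffset == 0) {
            break;
        }
        const BYTE* next = (const BYTE*)current + current->NextEntryOffset;
        // Defensive: never follow an offset that leaves the buffer we own.
        if (next < base || (size_t)(end - next) < sizeof(SYSTEM_PROCESS_INFORMATION)) {
            break;
        }
        current = (SYSTEM_PROCESS_INFORMATION*)next;
    }

    free(spi);
    return 0;
}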
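#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#include <stdlib.h>

// Method 3: enumerate PIDs with EnumProcesses (PSAPI), then resolve each
// PID to its full image path.
//
// Prints "Process ID: <pid>, Process Path: <path>" for each process that
// could be opened. Returns 0 on success, 1 if EnumProcesses itself fails.
//
// Fixes relative to the original listing:
//  - a fixed 1024-entry array was used; EnumProcesses gives no "too small"
//    error, it just fills the buffer, so the array is grown until cbNeeded
//    is smaller than the buffer (as the PSAPI docs require);
//  - GetModuleFileNameEx was called with a CHAR buffer through the
//    UNICODE-dependent macro; the explicit A variant of
//    QueryFullProcessImageName is used instead;
//  - QueryFullProcessImageName needs only PROCESS_QUERY_LIMITED_INFORMATION,
//    which a non-elevated caller is usually granted on elevated/protected
//    processes. PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is refused for
//    those, so they silently vanished from the listing; failures are now
//    reported on stderr instead of being dropped;
//  - main returned 1 on success; it now returns 0.
int main()
{
    DWORD capacity = 1024;
    DWORD* pids = nullptr;
    DWORD cbNeeded = 0;
    for (;;) {
        DWORD* grown = (DWORD*)realloc(pids, capacity * sizeof(DWORD));
        if (!grown) {
            free(pids);
            fprintf(stderr, "out of memory\n");
            return 1;
        }
        pids = grown;
        if (!EnumProcesses(pids, capacity * sizeof(DWORD), &cbNeeded)) {
            fprintf(stderr, "EnumProcesses failed: %lu\n", GetLastError());
            free(pids);
            return 1;
        }
        // A full buffer means the list may have been truncated; retry bigger.
        if (cbNeeded < capacity * sizeof(DWORD)) {
            break;
        }
        capacity *= 2;
    }
    DWORD cProcesses = cbNeeded / sizeof(DWORD);

    for (DWORD index = 0; index < cProcesses; index++) {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pids[index]);
        if (hProcess == NULL) {
            // Report on stderr so inaccessible PIDs are visible to the
            // operator rather than silently missing from the output.
            fprintf(stderr, "Process ID: %lu: OpenProcess failed (%lu)\n",
                    pids[index], GetLastError());
            continue;
        }
        // NOTE(review): MAX_PATH truncation — paths longer than 260 chars
        // make the query fail with ERROR_INSUFFICIENT_BUFFER and are skipped.
        char szPath[MAX_PATH];
        DWORD cch = MAX_PATH;
        if (QueryFullProcessImageNameA(hProcess, 0, szPath, &cch)) {
            printf("Process ID: %lu, Process Path: %s\n", pids[index], szPath);
        } else {
            fprintf(stderr, "Process ID: %lu: QueryFullProcessImageName failed (%lu)\n",
                    pids[index], GetLastError());
        }
        CloseHandle(hProcess);
    }

    free(pids);
    return 0;
}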