How to Capture a Process Snapshot in Windows

Author

Pavel Yosifovich
Pavel Yosifovich has 25+ years as Software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming”, “Windows 10 System Programming, as well as System and kernel programming courses and “Windows Internals” series.

When working with processes, we often want to understand what is going on inside them. A process contains memory regions, DLLs, handles to kernel objects, and of course threads that execute code. Tools such as Process Explorer or VMMap give us a graphical way to explore this information, but sometimes we need something more flexible—something we can control programmatically.

Why This Matters for TrainSec Students

Process snapshotting is important for TrainSec students because it provides a practical way to capture process state. Instead of relying only on external tools, students can learn how to capture and analyze process details programmatically, which builds skills in using Windows APIs directly. This knowledge is essential for future malware analysts, reverse engineers, and system developers, as it allows them to observe threads, memory usage, and handles at a single point in time. By mastering snapshotting, students gain an efficient and consistent method for process inspection, which strengthens their ability to analyze real-world software and security scenarios.

Traditional APIs

The Windows API offers functions like CreateToolhelp32Snapshot (to list threads) and VirtualQueryEx (to enumerate memory blocks). These are useful but limited:

  • They usually require multiple calls, each involving user-to-kernel transitions.
  • They return partial information, so you must combine data from different APIs.
  • They can be expensive and complex if you want a full picture of the process.

The Native API (e.g., NtQuerySystemInformation) provides deeper access but often gives more information than you really need and requires filtering.

Process Snapshotting

Starting with Windows 8.1 and Windows Server 2012, Microsoft introduced process snapshotting. This feature allows us to capture the state of a process in one operation, directly inside the kernel. Instead of issuing multiple API calls, we make a single call to:

  • PssCaptureSnapshot: takes the snapshot of a process, with flags specifying what to capture (threads, handles, memory, etc.).
  • PssQuerySnapshot: retrieves single-instance data (e.g., general process info).
  • PssWalkSnapshot: iterates over collections inside the snapshot (e.g., all handles or threads).
  • PssFreeSnapshot: releases the snapshot when we are done.

The kernel gathers all requested details efficiently, and we can later walk through the snapshot at our own pace.

Pick Your Path and Join the Elite

Windows master developer badge 1

Windows Master Developer

Takes you from a “generic” C programmer to a master Windows programmer in user mode and kernel mode.
Become Master Developer
Windows Security Researcher Badge

Windows Security Researcher

Provides the necessary knowledge, understanding, and tools to be a successful Windows OS researcher.

Become Security Researcher

Practical Example

In the video, I demonstrate building a small C++ console application that:

  1. Takes a process ID from the command line.
  2. Opens a handle to the process.
  3. Uses PssCaptureSnapshot with flags for handles, threads, and memory information.
  4. Displays process information such as image name, process ID, parent process ID, and handle statistics.
  5. Walks over each handle and prints its value and name (if available).
  6. Cleans up by freeing the snapshot and closing handles.

This simple tool quickly shows thousands of handles in PowerPoint, their names, and the parent process information, all with a single snapshot.

Why Is This Useful?

  • Efficiency: One kernel call captures everything at once.
  • Flexibility: Choose only the data you care about (threads, memory, handles).
  • Consistency: The snapshot represents a single point in time, avoiding race conditions that happen when querying live processes with multiple calls.
  • Exploration: Great for building your own tools, comparing snapshots over time, or analyzing how processes change.

Key Takeaways

  • Process snapshotting simplifies deep inspection of processes compared to traditional APIs.
  • APIs include PssCaptureSnapshot, PssQuerySnapshot, and PssWalkSnapshot.
  • Introduced in Windows 8.1 and Server 2012, available on modern systems.

Very useful for tool developers, researchers, and anyone who needs detailed insight into process state.

Keep Learning with TrainSec

This content is part of the free TrainSec Knowledge Library, where students can deepen their understanding of Windows internals, malware analysis, and reverse engineering.Subscribe for free and continue learning with us: https://trainsec.net/library

Liked the content?

Subscribe to the free TrainSec knowledge library, and get insider access to new content, discounts and additional materials.

blue depth

About the author

Pavel Yosifovich
Pavel Yosifovich has 25+ years as Software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming”, “Windows 10 System Programming, as well as System and kernel programming courses and “Windows Internals” series.
All courses and publications