
Introduction
This article is a brief explanation of how to use the GetProcessTimes API. There are times when knowing how long a process has been running might be useful. The time values returned from GetProcessTimes are fairly easy to convert into something useful/readable. Let's operate on this code snippet:
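    // hProcess must be a valid process handle opened with
    // PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access.
    HANDLE hProcess;
    FILETIME ftCreation,
             ftExit,
             ftKernel,
             ftUser;
    GetProcessTimes(hProcess, &ftCreation, &ftExit, &ftKernel, &ftUser);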
Calculating running-time
A process's running time is the amount of time that has elapsed between the current time and the process's creation time. The creation time is stored in a FILETIME structure.
Once the elapsed time is calculated, it's a matter of converting it to hours, minutes, seconds, etc. Luckily, the COleDateTime class makes this a painless process.
    COleDateTime timeNow = COleDateTime::GetCurrentTime(),
                 timeCreation = ftCreation;
    COleDateTimeSpan timeDiff = timeNow - timeCreation;
From here, you can use the different methods of COleDateTimeSpan to get the elapsed hours, minutes, etc.
Calculating kernel and user times
Per the documentation, the kernel and user times are amounts of time rather than an actual time period. The value in the FILETIME structure is expressed in 100-nanosecond units. To convert that to something useful, let's look at two methods.
Method 1
We can convert that to seconds with some basic arithmetic. A nanosecond is one billionth of a second, but since the time is already expressed in 100-nanosecond units, we'll only divide by 10 million:
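    // Note: casting a FILETIME* to __int64* can cause alignment faults on
    // 64-bit Windows; copying the value (as with the union below) avoids that.
    __int64 i64Kernel = *((__int64 *) &ftKernel);
    DWORD dwKernel = (DWORD) (i64Kernel / 10000000U);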
As an alternative to the casting used above, a union could have just as easily been employed:
    union
    {
        FILETIME ftKernel;
        __int64 i64Kernel;
    } timeKernel;
    timeKernel.ftKernel = ftKernel;
    DWORD dwKernel = (DWORD) (timeKernel.i64Kernel / 10000000U);
Either way, dwKernel now represents the number of elapsed seconds that the process has been in kernel mode. Converting seconds to hours, minutes, and seconds is a straightforward process.
Method 2
An alternative method that does not require anything other than a function call is to use the FileTimeToSystemTime API. This stores the result in a SYSTEMTIME structure, where we then have access to the wHour, wMinute, and wSecond members.
    SYSTEMTIME stKernel;
    FileTimeToSystemTime(&ftKernel, &stKernel);
The user-mode time is handled in the same way as kernel-mode time.
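The conversions from Method 1 and the running-time calculation, as an added example that is not part of the original article. SYSTEMTIME's wHour only ranges from 0 to 23, so with Method 2 any kernel or user time beyond a day spills into the date fields; this version keeps whole days and combines the two FILETIME halves without a pointer cast. FileTime, Duration and the function names are assumptions made for the example; FileTime stands in for the Win32 FILETIME so the code builds without windows.h.

```cpp
// Added example, not the article's code. FileTime is a stand-in with the same
// two-DWORD layout as the Win32 FILETIME, so this builds without <windows.h>.
#include <cstdint>
#include <cstdio>

struct FileTime { uint32_t dwLowDateTime; uint32_t dwHighDateTime; };
struct Duration { uint64_t days; unsigned hours, minutes, seconds; };

constexpr uint64_t kTicksPerSecond = 10000000ULL;     // 100-ns units per second
constexpr uint64_t kEpochGapSeconds = 11644473600ULL; // 1601-01-01 to 1970-01-01

// Combine the halves by shifting: no pointer cast, so no alignment concern.
uint64_t to_ticks(const FileTime& ft) {
    return (static_cast<uint64_t>(ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
}

// Helper for building constructed sample values.
FileTime from_ticks(uint64_t t) {
    return { static_cast<uint32_t>(t), static_cast<uint32_t>(t >> 32) };
}

// Kernel/user time is an amount of time: split it and keep whole days.
Duration to_duration(const FileTime& ft) {
    const uint64_t s = to_ticks(ft) / kTicksPerSecond;
    return { s / 86400, static_cast<unsigned>(s % 86400 / 3600),
             static_cast<unsigned>(s % 3600 / 60), static_cast<unsigned>(s % 60) };
}

// Creation time is an absolute UTC timestamp: convert to Unix seconds.
int64_t to_unix_seconds(const FileTime& ft) {
    return static_cast<int64_t>(to_ticks(ft) / kTicksPerSecond)
         - static_cast<int64_t>(kEpochGapSeconds);
}

// Running time = now - creation, clamped in case the clock was set back.
uint64_t elapsed_seconds(const FileTime& now, const FileTime& creation) {
    const uint64_t n = to_ticks(now), c = to_ticks(creation);
    return n > c ? (n - c) / kTicksPerSecond : 0;
}

int main() {
    // Constructed sample: 26h 3m 4s of kernel time (more than one day).
    const FileTime kernel = from_ticks(93784ULL * kTicksPerSecond);
    const Duration d = to_duration(kernel);
    std::printf("kernel = %llud %uh %um %us\n",
                static_cast<unsigned long long>(d.days), d.hours, d.minutes, d.seconds);
    return 0;
}
```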
Summary
That's all there is to it. Looking at all of this together yields:
    GetProcessTimes(hProcess, &ftCreation, &ftExit, &ftKernel, &ftUser);
    timeCreation = ftCreation;
    strData.Format("Created at %02d:%02d:%02d", timeCreation.GetHour(),
                   timeCreation.GetMinute(), timeCreation.GetSecond());
    timeDiff = timeNow - timeCreation;
    strData.Format("Elapsed time = %ud %uh %um %us", timeDiff.GetDays(),
                   timeDiff.GetHours(), timeDiff.GetMinutes(),
                   timeDiff.GetSeconds());
    FileTimeToSystemTime(&ftKernel, &stKernel);
    strData.Format("Time in kernel mode = %uh %um %us", stKernel.wHour,
                   stKernel.wMinute, stKernel.wSecond);
Notes
The way the demo code is currently written, some system-level processes did not allow their name and time-information to be retrieved.