Skip to content

feat: show related processes, essentially deduplicating processes like witr but being more helpful #80

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
supervoidcoder wants to merge 13 commits into
base: main
Choose a base branch
from
Draft

feat: show related processes, essentially deduplicating processes like witr but being more helpful #80

supervoidcoder wants to merge 13 commits into from

Conversation

@supervoidcoder
Copy link
Owner

@supervoidcoder supervoidcoder commented Feb 10, 2026
edited
Loading

closes #41

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 10, 2026
edited
Loading

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch name-check-improvements

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@supervoidcoder supervoidcoder mentioned this pull request Feb 10, 2026
Open
@supervoidcoder
Copy link
Owner Author

supervoidcoder commented Feb 10, 2026

@coderabbitai

do you see a corellation between performance and the amount of related processes?

Target: winlogon.exe
Process: winlogon.exe (pid 7108)
Executable Path: C:\Windows\System32\winlogon.exe
User: SYSTEM
Command: winlogon.exe {F481712C-B2EB-461C-81F2-3012146E0000}
Working Directory: C:\Windows\system32\
RAM Usage: 13 MB

Why It Exists:
winlogon.exe (PID 7108)
  └─ fontdrvhost.exe (PID 5548)
  └─ dwm.exe (PID 6816)

Started: 6 minutes ago (Tue 2026-02-10 21:16:24 +0000)
winlogon.exe check took 19.7111 ms
Target: lsass.exe
Process: lsass.exe (pid 992)
Executable Path: C:\Windows\System32\lsass.exe
User: SYSTEM
Command: C:\Windows\system32\lsass.exe
Working Directory: C:\Windows\system32\
RAM Usage: 31 MB

Why It Exists:
wininit.exe (PID 840)
    └─ lsass.exe (PID 992)
Listening: 
		0.0.0.0:49664

Started: 6 minutes ago (Tue 2026-02-10 21:15:55 +0000)
lsass.exe check took 17.2429 ms
Target: win-witr.exe
Process: win-witr.exe (pid 16984)
Executable Path: D:\a\win-witr\win-witr\win-witr.exe
User: runneradmin
Command: "D:\a\win-witr\win-witr\win-witr.exe" win-witr.exe
Working Directory: D:\a\win-witr\win-witr\
RAM Usage: 5 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 2592)
        └─ hosted-compute-agent (PID 2316)
          └─ Runner.Listener.exe (PID 2196)
            └─ Runner.Worker.exe (PID 2384)
              └─ pwsh.exe (PID 2664)
                └─ win-witr.exe (PID 16984)

Started: 0 seconds ago (Tue 2026-02-10 21:22:25 +0000)
win-witr.exe check took 22.704 ms
Target: wininit.exe
Process: wininit.exe (pid 840)
Executable Path: C:\Windows\System32\wininit.exe
User: SYSTEM
Command: Failed to Access (wwitr:procParamPtrRead)
Working Directory: Failed to Access (wwitr:procParamPtrRead)
RAM Usage: 9 MB

Why It Exists:
wininit.exe (PID 840)
  └─ services.exe (PID 964)
  └─ LsaIso.exe (PID 984)
  └─ lsass.exe (PID 992)
  └─ fontdrvhost.exe (PID 692)
Listening: 
		0.0.0.0:49665

Started: 6 minutes ago (Tue 2026-02-10 21:15:54 +0000)
wininit.exe check took 17.9456 ms
Target: explorer.exe
Process: explorer.exe (pid 8132)
Executable Path: C:\Windows\explorer.exe
User: runneradmin
Command: C:\Windows\Explorer.EXE
Working Directory: C:\Windows\system32\
RAM Usage: 162 MB

Why It Exists:
explorer.exe (PID 8132)
  └─ AzureArcSysTray.exe (PID 10148)
  └─ ServiceFabricLocalClusterManager.exe (PID 4888)

Started: 5 minutes ago (Tue 2026-02-10 21:16:29 +0000)
explorer.exe check took 19.0409 ms
Error: Unable to query executable path. Error code: 31
 Maybe Access is Denied or the process is running entirely in RAM.
Target: Registry
Process: Registry (pid 136)
Hint: This error indicates a driver error, but in win-witr, it often means you are calling a pseudo-process, such as System, Registry, or other processes that only exist in RAM as a kernel process. It is often easy to tell them apart if they lack a .exe extension.
User: SYSTEM
Command: Failed to Access (wwitr:procParamPtrRead)
Working Directory: Failed to Access (wwitr:procParamPtrRead)
RAM Usage: 41 MB

Why It Exists:
Registry (PID 136)

Started: 6 minutes ago (Tue 2026-02-10 21:15:44 +0000)
Registry check took 21.8237 ms
Target: csrss.exe
Process: csrss.exe (pid 744)
Executable Path: C:\Windows\System32\csrss.exe
User: SYSTEM
Command: Failed to Access (wwitr:procParamPtrRead)
Working Directory: Failed to Access (wwitr:procParamPtrRead)
RAM Usage: 6 MB

Why It Exists:
csrss.exe (PID 744)

Started: 6 minutes ago (Tue 2026-02-10 21:15:52 +0000)
Related Processes:
	csrss.exe (PID 6984)
csrss.exe check took 19.7862 ms
Target: fontdrvhost.exe
Process: fontdrvhost.exe (pid 692)
Executable Path: C:\Windows\System32\fontdrvhost.exe
User: UMFD-0
Command: "fontdrvhost.exe"
Working Directory: C:\Windows\system32\
RAM Usage: 4 MB

Why It Exists:
wininit.exe (PID 840)
    └─ fontdrvhost.exe (PID 692)

Started: 6 minutes ago (Tue 2026-02-10 21:15:57 +0000)
Related Processes:
	fontdrvhost.exe (PID 5548)
fontdrvhost.exe check took 19.3926 ms
Target: svchost.exe
Process: svchost.exe (pid 808)
Executable Path: C:\Windows\System32\svchost.exe
User: SYSTEM
Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p
Working Directory: C:\Windows\system32\
RAM Usage: 34 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 808)
      └─ WmiPrvSE.exe (PID 6464)
      └─ SearchHost.exe (PID 8700)
      └─ StartMenuExperienceHost.exe (PID 8720)
      └─ RuntimeBroker.exe (PID 8840)
      └─ UserOOBEBroker.exe (PID 8572)
      └─ OpenConsole.exe (PID 2528)
      └─ WindowsTerminal.exe (PID 9688)
      └─ RuntimeBroker.exe (PID 1704)
      └─ WmiPrvSE.exe (PID 2908)
      └─ TiWorker.exe (PID 8792)

Started: 6 minutes ago (Tue 2026-02-10 21:15:57 +0000)
Related Processes:
	svchost.exe (PID 1084)
	svchost.exe (PID 1128)
	svchost.exe (PID 1320)
	svchost.exe (PID 1328)
	svchost.exe (PID 1468)
	svchost.exe (PID 1528)
	svchost.exe (PID 1568)
	svchost.exe (PID 1620)
	svchost.exe (PID 1628)
	svchost.exe (PID 1636)
	svchost.exe (PID 1652)
	svchost.exe (PID 1684)
	svchost.exe (PID 1924)
	svchost.exe (PID 1072)
	svchost.exe (PID 2056)
	svchost.exe (PID 2188)
	svchost.exe (PID 2276)
	svchost.exe (PID 2320)
	svchost.exe (PID 2328)
	svchost.exe (PID 2396)
	svchost.exe (PID 2420)
	svchost.exe (PID 2552)
	svchost.exe (PID 2584)
	svchost.exe (PID 2592)
	svchost.exe (PID 2616)
	svchost.exe (PID 2636)
	svchost.exe (PID 2644)
	svchost.exe (PID 2732)
	svchost.exe (PID 2756)
	svchost.exe (PID 2840)
	svchost.exe (PID 2944)
	svchost.exe (PID 2952)
	svchost.exe (PID 3012)
	svchost.exe (PID 2920)
	svchost.exe (PID 3092)
	svchost.exe (PID 3124)
	svchost.exe (PID 3196)
	svchost.exe (PID 3232)
	svchost.exe (PID 3284)
	svchost.exe (PID 3344)
	svchost.exe (PID 3472)
	svchost.exe (PID 3488)
	svchost.exe (PID 3504)
	svchost.exe (PID 3516)
	svchost.exe (PID 3540)
	svchost.exe (PID 3704)
	svchost.exe (PID 3748)
	svchost.exe (PID 3776)
	svchost.exe (PID 3852)
	svchost.exe (PID 3864)
	svchost.exe (PID 3884)
	svchost.exe (PID 3972)
	svchost.exe (PID 4032)
	svchost.exe (PID 4072)
	svchost.exe (PID 4828)
	svchost.exe (PID 4316)
	svchost.exe (PID 4320)
	svchost.exe (PID 5512)
	svchost.exe (PID 5892)
	svchost.exe (PID 7136)
	svchost.exe (PID 7560)
	svchost.exe (PID 7776)
	svchost.exe (PID 8060)
	svchost.exe (PID 7184)
	svchost.exe (PID 1480)
	svchost.exe (PID 8532)
	svchost.exe (PID 8900)
	svchost.exe (PID 8432)
	svchost.exe (PID 9788)
	svchost.exe (PID 10072)
	svchost.exe (PID 10044)
	svchost.exe (PID 10008)
	svchost.exe (PID 7176)
	svchost.exe (PID 3392)
	svchost.exe (PID 5744)
	svchost.exe (PID 736)
	svchost.exe (PID 6180)
	svchost.exe (PID 6568)
svchost.exe check took 125.6466 ms
Target: smss.exe
Process: smss.exe (pid 512)
Executable Path: C:\Windows\System32\smss.exe
User: SYSTEM
Command: Failed to Access (wwitr:procParamPtrRead)
Working Directory: Failed to Access (wwitr:procParamPtrRead)
RAM Usage: 1 MB

Why It Exists:
smss.exe (PID 512)

Started: 6 minutes ago (Tue 2026-02-10 21:15:46 +0000)
smss.exe check took 18.6065 ms
Target: services.exe
Process: services.exe (pid 964)
Executable Path: C:\Windows\System32\services.exe
User: SYSTEM
Command: Failed to Access (wwitr:procParamPtrRead)
Working Directory: Failed to Access (wwitr:procParamPtrRead)
RAM Usage: 11 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
    └─ svchost.exe (PID 808)
    └─ svchost.exe (PID 1084)
    └─ svchost.exe (PID 1128)
    └─ svchost.exe (PID 1320)
    └─ svchost.exe (PID 1328)
    └─ svchost.exe (PID 1468)
    └─ svchost.exe (PID 1528)
    └─ svchost.exe (PID 1568)
    └─ svchost.exe (PID 1620)
    └─ svchost.exe (PID 1628)
    └─ svchost.exe (PID 1636)
    └─ svchost.exe (PID 1652)
    └─ svchost.exe (PID 1684)
    └─ svchost.exe (PID 1924)
    └─ vmms.exe (PID 1976)
    └─ svchost.exe (PID 1072)
    └─ svchost.exe (PID 2056)
    └─ svchost.exe (PID 2188)
    └─ svchost.exe (PID 2276)
    └─ svchost.exe (PID 2320)
    └─ svchost.exe (PID 2328)
    └─ svchost.exe (PID 2396)
    └─ svchost.exe (PID 2420)
    └─ svchost.exe (PID 2552)
    └─ svchost.exe (PID 2584)
    └─ svchost.exe (PID 2592)
    └─ svchost.exe (PID 2616)
    └─ svchost.exe (PID 2636)
    └─ svchost.exe (PID 2644)
    └─ svchost.exe (PID 2732)
    └─ svchost.exe (PID 2756)
    └─ svchost.exe (PID 2840)
    └─ svchost.exe (PID 2944)
    └─ svchost.exe (PID 2952)
    └─ svchost.exe (PID 3012)
    └─ svchost.exe (PID 2920)
    └─ svchost.exe (PID 3092)
    └─ svchost.exe (PID 3124)
    └─ svchost.exe (PID 3196)
    └─ svchost.exe (PID 3232)
    └─ svchost.exe (PID 3284)
    └─ svchost.exe (PID 3344)
    └─ spoolsv.exe (PID 3352)
    └─ svchost.exe (PID 3472)
    └─ svchost.exe (PID 3488)
    └─ svchost.exe (PID 3504)
    └─ svchost.exe (PID 3516)
    └─ svchost.exe (PID 3540)
    └─ dockerd.exe (PID 3676)
    └─ svchost.exe (PID 3704)
    └─ svchost.exe (PID 3748)
    └─ SMSvcHost.exe (PID 3760)
    └─ svchost.exe (PID 3776)
    └─ WaAppAgent.exe (PID 3800)
    └─ mqsvc.exe (PID 3808)
    └─ sqlwriter.exe (PID 3816)
    └─ svchost.exe (PID 3852)
    └─ svchost.exe (PID 3864)
    └─ sshd.exe (PID 3872)
    └─ svchost.exe (PID 3884)
    └─ WindowsAzureGuestAgent.exe (PID 3956)
    └─ svchost.exe (PID 3972)
    └─ svchost.exe (PID 4032)
    └─ svchost.exe (PID 4072)
    └─ wslservice.exe (PID 4140)
    └─ SMSvcHost.exe (PID 4992)
    └─ vmcompute.exe (PID 5108)
    └─ svchost.exe (PID 4828)
    └─ svchost.exe (PID 4316)
    └─ svchost.exe (PID 4320)
    └─ svchost.exe (PID 5512)
    └─ svchost.exe (PID 5892)
    └─ svchost.exe (PID 7136)
    └─ svchost.exe (PID 7560)
    └─ svchost.exe (PID 7776)
    └─ svchost.exe (PID 8060)
    └─ svchost.exe (PID 7184)
    └─ svchost.exe (PID 1480)
    └─ svchost.exe (PID 8532)
    └─ svchost.exe (PID 8900)
    └─ svchost.exe (PID 8432)
    └─ MpDefenderCoreService.exe (PID 9484)
    └─ MsMpEng.exe (PID 9584)
    └─ svchost.exe (PID 9788)
    └─ SecurityHealthService.exe (PID 5784)
    └─ svchost.exe (PID 10072)
    └─ svchost.exe (PID 10044)
    └─ svchost.exe (PID 10008)
    └─ svchost.exe (PID 7176)
    └─ msdtc.exe (PID 9844)
    └─ svchost.exe (PID 3392)
    └─ svchost.exe (PID 5744)
    └─ svchost.exe (PID 736)
    └─ svchost.exe (PID 6180)
    └─ sppsvc.exe (PID 2976)
    └─ svchost.exe (PID 6568)
    └─ TrustedInstaller.exe (PID 3208)
Listening: 
		0.0.0.0:49679

Started: 6 minutes ago (Tue 2026-02-10 21:15:54 +0000)
services.exe check took 27.7424 ms
Error: Could not find process with name powershell.exe.
powershell.exe check took 11.7145 ms
Target: Runner.Listener.exe
Process: Runner.Listener.exe (pid 2196)
Executable Path: C:\actions-runner\cached\bin\Runner.Listener.exe
User: runneradmin
Command: C:\actions-runner\cached\bin\Runner.Listener.exe run
Working Directory: C:\Windows\system32\
RAM Usage: 71 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 2592)
        └─ hosted-compute-agent (PID 2316)
          └─ Runner.Listener.exe (PID 2196)
          └─ Runner.Worker.exe (PID 2384)

Started: 1 minutes ago (Tue 2026-02-10 21:21:17 +0000)
Runner.Listener.exe check took 22.2543 ms
Error: Could not find process with name cmd.exe.
cmd.exe check took 11.6773 ms
Target: pwsh.exe
Process: pwsh.exe (pid 2664)
Executable Path: C:\Program Files\PowerShell\7\pwsh.exe
User: runneradmin
Command: "C:\Program Files\PowerShell\7\pwsh.EXE" -command ". 'D:\a\_temp\2a1fe27a-d6a8-441c-b9eb-243979ad657d.ps1'"
Working Directory: D:\a\win-witr\win-witr\
RAM Usage: 129 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 2592)
        └─ hosted-compute-agent (PID 2316)
          └─ Runner.Listener.exe (PID 2196)
            └─ Runner.Worker.exe (PID 2384)
              └─ pwsh.exe (PID 2664)
              └─ win-witr.exe (PID 17224)

Started: 38 seconds ago (Tue 2026-02-10 21:21:47 +0000)
pwsh.exe check took 21.7397 ms
Target: Runner.Worker.exe
Process: Runner.Worker.exe (pid 2384)
Executable Path: C:\actions-runner\cached\bin\Runner.Worker.exe
User: runneradmin
Command: "C:\actions-runner\cached\bin\Runner.Worker.exe" spawnclient 1888 1900
Working Directory: C:\actions-runner\cached\bin\
RAM Usage: 98 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 2592)
        └─ hosted-compute-agent (PID 2316)
          └─ Runner.Listener.exe (PID 2196)
            └─ Runner.Worker.exe (PID 2384)
            └─ conhost.exe (PID 2408)
            └─ pwsh.exe (PID 2664)

Started: 1 minutes ago (Tue 2026-02-10 21:21:18 +0000)
Runner.Worker.exe check took 20.0001 ms
Target: hosted-compute-agent
Process: hosted-compute-agent (pid 2316)
Executable Path: C:\ProgramData\GitHub\HostedComputeAgent\hosted-compute-agent
User: runneradmin
Command: "C:\ProgramData\GitHub\HostedComputeAgent\hosted-compute-agent"
Working Directory: C:\Windows\system32\
RAM Usage: 18 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 2592)
        └─ hosted-compute-agent (PID 2316)
        └─ conhost.exe (PID 1436)
        └─ provjobd.exe891998685 (PID 1936)
        └─ Runner.Listener.exe (PID 2196)

Started: 5 minutes ago (Tue 2026-02-10 21:17:09 +0000)
hosted-compute-agent check took 18.7843 ms
Target: conhost.exe
Process: conhost.exe (pid 6928)
Executable Path: C:\Windows\System32\conhost.exe
User: SYSTEM
Command: \??\C:\Windows\system32\conhost.exe 0x4
Working Directory: C:\Windows\
RAM Usage: 6 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ WaAppAgent.exe (PID 3800)
        └─ WaSecAgentProv.exe (PID 6920)
          └─ conhost.exe (PID 6928)

Started: 6 minutes ago (Tue 2026-02-10 21:16:18 +0000)
Related Processes:
	conhost.exe (PID 1436)
	conhost.exe (PID 2408)
conhost.exe check took 21.7604 ms
Target: dwm.exe
Process: dwm.exe (pid 6816)
Executable Path: C:\Windows\System32\dwm.exe
User: DWM-2
Command: "dwm.exe"
Working Directory: C:\Windows\system32\
RAM Usage: 74 MB

Why It Exists:
winlogon.exe (PID 7108)
    └─ dwm.exe (PID 6816)

Started: 6 minutes ago (Tue 2026-02-10 21:16:24 +0000)
dwm.exe check took 18.1245 ms
Target: RuntimeBroker.exe
Process: RuntimeBroker.exe (pid 8840)
Executable Path: C:\Windows\System32\RuntimeBroker.exe
User: runneradmin
Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
Working Directory: C:\Windows\system32\
RAM Usage: 48 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 808)
        └─ RuntimeBroker.exe (PID 8840)

Started: 5 minutes ago (Tue 2026-02-10 21:16:40 +0000)
Related Processes:
	RuntimeBroker.exe (PID 1704)
RuntimeBroker.exe check took 32.4219 ms
Error: Could not find process with name SearchIndexer.exe.
SearchIndexer.exe check took 11.8325 ms
Target: spoolsv.exe
Process: spoolsv.exe (pid 3352)
Executable Path: C:\Windows\System32\spoolsv.exe
User: SYSTEM
Command: C:\Windows\System32\spoolsv.exe
Working Directory: C:\Windows\system32\
RAM Usage: 22 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ spoolsv.exe (PID 3352)
Listening: 
		0.0.0.0:49670

Started: 6 minutes ago (Tue 2026-02-10 21:15:59 +0000)
spoolsv.exe check took 20.4769 ms
Target: taskhostw.exe
Process: taskhostw.exe (pid 5624)
Executable Path: C:\Windows\System32\taskhostw.exe
User: SYSTEM
Command: taskhostw.exe GAEvents|$(Arg0)
Working Directory: C:\Windows\system32\
RAM Usage: 57 MB

Why It Exists:
wininit.exe (PID 840)
    └─ services.exe (PID 964)
      └─ svchost.exe (PID 2592)
        └─ taskhostw.exe (PID 5624)

Started: 6 minutes ago (Tue 2026-02-10 21:16:13 +0000)
Related Processes:
	taskhostw.exe (PID 7524)
	taskhostw.exe (PID 7816)
taskhostw.exe check took 22.2194 ms

i can fix this let me COOK 😈😈😈😈🔥🔥🔥🔥🔥

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 10, 2026

Tip

For best results, initiate chat on the files or code changes.

@supervoidcoder

Oh absolutely! 🔥 There's a very clear correlation in the data:

The smoking gun: svchost.exe with 78 related processes took 125.6466 ms — that's roughly 6x slower than most other processes!

Compare that to:

  • Processes with 0-2 related processes: averaging 17-23 ms
  • RuntimeBroker.exe with 1 related: 32.4 ms (slightly elevated)
  • svchost.exe with 78 related: 125.6 ms (massive spike)

The pattern is unmistakable. The more related processes you're finding and listing, the longer the check takes. Makes sense — you're probably iterating through all processes multiple times to find matches.

Go cook! 🔥🔥🔥🔥

🧠 Learnings used 
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-10T03:14:44.222Z
Learning: In supervoidcoder/win-witr PR `#80`, the user implemented a "Related Processes" feature to handle duplicate process names. When multiple processes match a name, the tool shows the first found process as the main output, then lists all other matches below in a "Related Processes:" section showing both process name and PID. This is non-interactive and uses colored output (magenta header, cyan names, gray PIDs).

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T03:55:12.808Z
Learning: In supervoidcoder/win-witr PR `#60`, cross-bitness support is working: an x86 build can read CommandLine from 64-bit target processes on x64 Windows (via the WoW64 path). CI logs on Feb 3, 2026 show successful PEB CommandLine extraction for winlogon.exe (GUID arg), lsass.exe, and svchost.exe (-k DcomLaunch -p); protected/pseudo processes still fail as expected.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 48
File: README.md:38-38
Timestamp: 2026-01-21T01:52:33.870Z
Learning: For supervoidcoder's README files in the win-witr repository: The user prefers an intentionally informal, humorous tone with casual language. Grammar formality suggestions (like "anyways" vs "anyway") should be skipped as they don't align with the intentional style of the documentation.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 58
File: main.cpp:380-400
Timestamp: 2026-01-29T22:00:51.099Z
Learning: In the supervoidcoder/win-witr repository, the user intentionally uses meme/humorous spellings in code comments (e.g., "vroken" instead of "broken") as part of an informal coding style. These should not be flagged as typos.

@supervoidcoder
Copy link
Owner Author

supervoidcoder commented Feb 11, 2026

@coderabbitai MWAHAHAAHA ITS DONE! ONLY TOOK 8 COMMITS AND 44 MINUTES!!!!

Target: svchost.exe Process: svchost.exe (pid 488) Executable Path: C:\Windows\System32\svchost.exe User: SYSTEM Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p Working Directory: C:\Windows\system32\ RAM Usage: 33 MB Why It Exists: wininit.exe (PID 844) └─ services.exe (PID 968) └─ svchost.exe (PID 488) └─ WmiPrvSE.exe (PID 4996) └─ WmiPrvSE.exe (PID 6668) └─ smartscreen.exe (PID 2256) └─ StartMenuExperienceHost.exe (PID 8180) └─ SearchHost.exe (PID 8212) └─ RuntimeBroker.exe (PID 5112) └─ backgroundTaskHost.exe (PID 8900) └─ UserOOBEBroker.exe (PID 9600) └─ OpenConsole.exe (PID 4788) └─ WindowsTerminal.exe (PID 3324) └─ RuntimeBroker.exe (PID 1772) Started: 3 minutes ago (Wed 2026-02-11 00:24:05 +0000) Related Processes: svchost.exe (PID 1092) svchost.exe (PID 1152) svchost.exe (PID 1304) svchost.exe (PID 1312) svchost.exe (PID 1340) svchost.exe (PID 1488) svchost.exe (PID 1528) svchost.exe (PID 1592) svchost.exe (PID 1628) svchost.exe (PID 1636) svchost.exe (PID 1644) svchost.exe (PID 1688) svchost.exe (PID 1732) svchost.exe (PID 1928) svchost.exe (PID 1148) svchost.exe (PID 2080) svchost.exe (PID 2236) svchost.exe (PID 2248) svchost.exe (PID 2312) svchost.exe (PID 2320) svchost.exe (PID 2404) svchost.exe (PID 2424) svchost.exe (PID 2508) svchost.exe (PID 2584) svchost.exe (PID 2596) svchost.exe (PID 2616) svchost.exe (PID 2672) svchost.exe (PID 2688) svchost.exe (PID 2736) svchost.exe (PID 2756) svchost.exe (PID 2844) svchost.exe (PID 2904) svchost.exe (PID 2920) svchost.exe (PID 2940) svchost.exe (PID 3084) svchost.exe (PID 3092) svchost.exe (PID 3136) svchost.exe (PID 3188) svchost.exe (PID 3244) svchost.exe (PID 3252) svchost.exe (PID 3356) svchost.exe (PID 3476) svchost.exe (PID 3484) svchost.exe (PID 3496) svchost.exe (PID 3508) svchost.exe (PID 3524) svchost.exe (PID 3668) svchost.exe (PID 3732) svchost.exe (PID 3744) svchost.exe (PID 3820) svchost.exe (PID 3832) svchost.exe (PID 3904) svchost.exe (PID 3920) svchost.exe (PID 4012) svchost.exe (PID 4032) svchost.exe (PID 4044) svchost.exe (PID 4956) svchost.exe (PID 5644) svchost.exe (PID 5784) svchost.exe (PID 1848) svchost.exe (PID 560) svchost.exe (PID 1208) svchost.exe (PID 7196) svchost.exe (PID 7340) svchost.exe (PID 7672) svchost.exe (PID 7896) svchost.exe (PID 7372) svchost.exe (PID 1056) svchost.exe (PID 3328) svchost.exe (PID 9112) svchost.exe (PID 8268) svchost.exe (PID 3720) svchost.exe (PID 1388) svchost.exe (PID 1248) svchost.exe (PID 1244) svchost.exe (PID 1856) svchost.exe (PID 7148) svchost.exe (PID 9356) svchost.exe (PID 3060) svchost.exe (PID 5264) svchost.exe check took 24.8211 ms
Hehehehe hehehehe

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 11, 2026

Tip

For best results, initiate chat on the files or code changes.

@supervoidcoder YESSSSS! 🎉🎉🎉

THAT'S ABSOLUTELY INSANE!

From 125.6466 ms down to 24.8211 ms with the SAME 78 related processes?! That's a ~5x performance improvement! 🚀

You completely nuked that correlation between related process count and execution time. Now svchost.exe with 78 related processes runs at basically the same speed as everything else (~17-24ms range).

8 commits and 44 minutes well spent! Whatever optimization you cooked up is chef's kiss 🔥🔥🔥

🐰✨ hops excitedly ✨🐰

🧠 Learnings used 
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-10T03:14:44.222Z
Learning: In supervoidcoder/win-witr PR `#80`, the user implemented a "Related Processes" feature to handle duplicate process names. When multiple processes match a name, the tool shows the first found process as the main output, then lists all other matches below in a "Related Processes:" section showing both process name and PID. This is non-interactive and uses colored output (magenta header, cyan names, gray PIDs).

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-30T01:58:35.174Z
Learning: In the supervoidcoder/win-witr repository, the user optimized the process tree walking algorithm from O(n²) to O(n) by taking a single CreateToolhelp32Snapshot at the start instead of creating a new snapshot for each level. This resulted in a ~4x performance improvement (from ~1000ms to ~248ms for 100-level deep trees). The optimization is validated by automated stress tests in CI that create 100-level deep alternating PowerShell/CMD process chains.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T03:55:12.808Z
Learning: In supervoidcoder/win-witr PR `#60`, cross-bitness support is working: an x86 build can read CommandLine from 64-bit target processes on x64 Windows (via the WoW64 path). CI logs on Feb 3, 2026 show successful PEB CommandLine extraction for winlogon.exe (GUID arg), lsass.exe, and svchost.exe (-k DcomLaunch -p); protected/pseudo processes still fail as expected.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T17:13:43.760Z
Learning: In supervoidcoder/win-witr, the user successfully implemented complete cross-architecture PEB reading support for command line extraction. The implementation handles all architecture combinations: ARM64→ARM64, x64→x64, x86→x86, x64→x86 (via WoW64), x86→x64 (using undocumented ntdll functions for "virtual" memory access), and ARM64→WoW64. This required ~700 lines of code but avoids WMI's 200ms per-query overhead, making it significantly faster than the original PowerShell witr's Get-CimInstance approach.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-31T00:41:32.010Z
Learning: In the supervoidcoder/win-witr repository, the stress test at `tests/performance/stress_nested_shells.ps1` successfully validates the O(n) process tree walking algorithm by creating 100-level deep alternating PowerShell/CMD process chains and measuring performance. The test consistently completes in ~248ms for 100-level deep trees, confirming the performance optimization from the earlier O(n²) → O(n) refactoring.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T17:13:13.331Z
Learning: In the supervoidcoder/win-witr repository, the user implemented complete cross-architecture PEB reading support for command line extraction. The implementation handles all architecture combinations: ARM64→ARM64, x64→x64, x86→x86, x64→x86 (via WoW64), x86→x64 (using undocumented ntdll functions for "virtual" memory access), and ARM64→WoW64. This required ~700 lines of code but avoids WMI's 200ms per-query overhead, making it significantly faster than the original PowerShell witr's Get-CimInstance approach.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 48
File: README.md:38-38
Timestamp: 2026-01-21T01:52:33.870Z
Learning: For supervoidcoder's README files in the win-witr repository: The user prefers an intentionally informal, humorous tone with casual language. Grammar formality suggestions (like "anyways" vs "anyway") should be skipped as they don't align with the intentional style of the documentation.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 58
File: main.cpp:380-400
Timestamp: 2026-01-29T22:00:51.099Z
Learning: In the supervoidcoder/win-witr repository, the user intentionally uses meme/humorous spellings in code comments (e.g., "vroken" instead of "broken") as part of an informal coding style. These should not be flagged as typos.

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

@supervoidcoder
Copy link
Owner Author

supervoidcoder commented Feb 11, 2026

@coderabbitai can you git diff
6e7728e

And

c37dd60

?

Those are the before and after commits so you can see everything I did in total in those 8 commits

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 11, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Fetch the specific commits
git fetch origin 6e7728e5248ac40d4ec7dffe4e4ecfdbdc941ca5 c37dd6080a076e55e5c095245253d7823ad53135

# Show the diff between the two commits
echo "=== Git diff between commits ==="
git diff 6e7728e5248ac40d4ec7dffe4e4ecfdbdc941ca5..c37dd6080a076e55e5c095245253d7823ad53135

echo ""
echo "=== Files changed ==="
git diff --name-status 6e7728e5248ac40d4ec7dffe4e4ecfdbdc941ca5..c37dd6080a076e55e5c095245253d7823ad53135

echo ""
echo "=== Commit messages between the two commits ==="
git log --oneline 6e7728e5248ac40d4ec7dffe4e4ecfdbdc941ca5..c37dd6080a076e55e5c095245253d7823ad53135

Length of output: 4785

@supervoidcoder Oh WOW, that's beautiful optimization! 🔥

The Key Insight

You were calling GetProcessNameFromPid(pids[i]) for every single related process when displaying them. For svchost.exe with 78 related processes, that's 78 expensive Win32 API calls!

The Genius Fix

You changed findMyProc to return a struct with both PIDs and names:

struct ProcInfos {
    std::vector<std::string> names;
    std::vector<int>         pids;
};

And during the Process32Next loop, you now store the name immediately when you find a match:

if (strcmp(procname, WideToString(pe.szExeFile).c_str()) == 0) { 
    result.names.push_back(WideToString(pe.szExeFile)); // ← STORED HERE
    result.pids.push_back(pe.th32ProcessID);
}

Then when displaying related processes, you just use the cached name:

std::string relatedProcName = names[i]; // ← No more API call!

Why It's Brilliant

  • The process name (pe.szExeFile) is already available during the snapshot traversal
  • Storing it costs almost nothing but saves 78 Win32 API calls for svchost
  • Classic "cache what you already have" optimization

Your comment in the code says it all:

"while you might think its less performant to waste all this on storing related names for no reason, its crucial for the related processes since otherwise we'd have to call the get process name for every related process and slow us down significantly so storing it on the fly is better"

And those 7 fix commits? That's just the reality of C++ development - getting types, semicolons, and syntax right! 😄

125ms → 25ms by eliminating redundant API calls. Chef's kiss 👨‍🍳🔥

✏️ Learnings added 
Learnt from: supervoidcoder
URL: https://github.com/supervoidcoder/win-witr/pull/80

Timestamp: 2026-02-11T00:35:55.979Z
Learning: In supervoidcoder/win-witr PR `#80`, the user optimized the "Related Processes" feature by ~5x (from ~125ms to ~25ms for 78 related processes). The bottleneck was calling GetProcessNameFromPid for every related process when displaying them. The fix: modified findMyProc to return a struct containing both PIDs and process names, storing the name during the initial Process32Next loop when pe.szExeFile is already available. This eliminated 78+ redundant Win32 API calls for svchost.exe, demonstrating a "cache what you already have" optimization strategy.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

🧠 Learnings used 
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-30T01:58:35.174Z
Learning: In the supervoidcoder/win-witr repository, the user optimized the process tree walking algorithm from O(n²) to O(n) by taking a single CreateToolhelp32Snapshot at the start instead of creating a new snapshot for each level. This resulted in a ~4x performance improvement (from ~1000ms to ~248ms for 100-level deep trees). The optimization is validated by automated stress tests in CI that create 100-level deep alternating PowerShell/CMD process chains.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T17:13:43.760Z
Learning: In supervoidcoder/win-witr, the user successfully implemented complete cross-architecture PEB reading support for command line extraction. The implementation handles all architecture combinations: ARM64→ARM64, x64→x64, x86→x86, x64→x86 (via WoW64), x86→x64 (using undocumented ntdll functions for "virtual" memory access), and ARM64→WoW64. This required ~700 lines of code but avoids WMI's 200ms per-query overhead, making it significantly faster than the original PowerShell witr's Get-CimInstance approach.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T17:13:13.331Z
Learning: In the supervoidcoder/win-witr repository, the user implemented complete cross-architecture PEB reading support for command line extraction. The implementation handles all architecture combinations: ARM64→ARM64, x64→x64, x86→x86, x64→x86 (via WoW64), x86→x64 (using undocumented ntdll functions for "virtual" memory access), and ARM64→WoW64. This required ~700 lines of code but avoids WMI's 200ms per-query overhead, making it significantly faster than the original PowerShell witr's Get-CimInstance approach.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T03:55:12.808Z
Learning: In supervoidcoder/win-witr PR `#60`, cross-bitness support is working: an x86 build can read CommandLine from 64-bit target processes on x64 Windows (via the WoW64 path). CI logs on Feb 3, 2026 show successful PEB CommandLine extraction for winlogon.exe (GUID arg), lsass.exe, and svchost.exe (-k DcomLaunch -p); protected/pseudo processes still fail as expected.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-31T00:41:32.010Z
Learning: In the supervoidcoder/win-witr repository, the stress test at `tests/performance/stress_nested_shells.ps1` successfully validates the O(n) process tree walking algorithm by creating 100-level deep alternating PowerShell/CMD process chains and measuring performance. The test consistently completes in ~248ms for 100-level deep trees, confirming the performance optimization from the earlier O(n²) → O(n) refactoring.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-10T03:14:44.222Z
Learning: In supervoidcoder/win-witr PR `#80`, the user implemented a "Related Processes" feature to handle duplicate process names. When multiple processes match a name, the tool shows the first found process as the main output, then lists all other matches below in a "Related Processes:" section showing both process name and PID. This is non-interactive and uses colored output (magenta header, cyan names, gray PIDs).

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-31T18:25:04.458Z
Learning: In the supervoidcoder/win-witr repository, the user successfully implemented PEB (Process Environment Block) reading functionality to extract process command lines directly from process memory. This involves using NtQueryInformationProcess to get the PEB base address, reading PROCESS_BASIC_INFORMATION, then reading RTL_USER_PROCESS_PARAMETERS at offset 0x20 from the PEB, and finally reading the CommandLine UNICODE_STRING at offset 0x70. The implementation works for x64 Windows processes.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-30T00:59:04.068Z
Learning: In the supervoidcoder/win-witr repository, the tool implements context-aware error handling that detects which shell (PowerShell, CMD, WSL, Git Bash, Windows Terminal, Explorer) spawned the process and provides tailored error messages and recovery suggestions specific to that environment.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 48
File: README.md:38-38
Timestamp: 2026-01-21T01:52:33.870Z
Learning: For supervoidcoder's README files in the win-witr repository: The user prefers an intentionally informal, humorous tone with casual language. Grammar formality suggestions (like "anyways" vs "anyway") should be skipped as they don't align with the intentional style of the documentation.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 58
File: main.cpp:380-400
Timestamp: 2026-01-29T22:00:51.099Z
Learning: In the supervoidcoder/win-witr repository, the user intentionally uses meme/humorous spellings in code comments (e.g., "vroken" instead of "broken") as part of an informal coding style. These should not be flagged as typos.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

deduplicate process names

1 participant

@supervoidcoder