The goal of the System Process Event feature is to capture the process ID (PID) and the corresponding command-line arguments for each process running on the system.
On Windows, the current implementation (Extend SystemProcess API Implementation to Windows, PR #7845) uses the EnumProcesses API to enumerate active PIDs and QueryFullProcessImageName to retrieve the full executable path. However, this method does not provide access to complete command-line arguments.
The internal API NtQueryInformationProcess can be used to get command-line arguments, but Microsoft cautions that this API may be modified or removed in future versions of Windows, making it an unreliable choice for long-term, stable implementations.
Alternatives like WMI/COM can access command-line arguments, but using them doesn't appear to be the best approach.
Currently, there is no officially supported public API on Windows that allows retrieval of command-line arguments for arbitrary processes. As a result, the Windows implementation, like the macOS implementation (#7822), is limited to collecting only the executable path for each process until such an interface becomes available.
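
The EnumProcesses plus QueryFullProcessImageName approach described above, as an added C example (not code from PR #7845 or the project). The names `snapshot_pids`, `pid_enum_fn`, `win_enum` and `fake_enum` are hypothetical, and `fake_enum` is a constructed stand-in so the buffer-growth logic also runs off Windows.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#endif
/* Same contract as EnumProcesses: fill ids (cb bytes), report bytes written. */
typedef int (*pid_enum_fn)(unsigned long *ids, unsigned long cb, unsigned long *written);
/* A completely filled buffer is the only sign that EnumProcesses truncated
 * the PID list, so grow and retry until the call leaves slack. */
unsigned long *snapshot_pids(pid_enum_fn fn, size_t *count) {
    unsigned long *ids = NULL, written = 0;
    for (size_t cap = 64; cap <= ((size_t)1 << 20); cap *= 2) {
        unsigned long *p = realloc(ids, cap * sizeof *p);
        if (!p) break;
        ids = p;
        if (!fn(ids, (unsigned long)(cap * sizeof *ids), &written)) break;
        if (written < cap * sizeof *ids) { *count = written / sizeof *ids; return ids; }
    }
    free(ids); *count = 0; return NULL;
}
/* Constructed stand-in (assumption): reports 150 fake PIDs 0, 4, 8, ... */
int fake_enum(unsigned long *ids, unsigned long cb, unsigned long *written) {
    unsigned long n = cb / sizeof *ids;
    if (n > 150) n = 150;
    for (unsigned long i = 0; i < n; i++) ids[i] = 4 * i;
    *written = n * sizeof *ids;
    return 1;
}
#ifdef _WIN32
static int win_enum(unsigned long *ids, unsigned long cb, unsigned long *written) {
    return EnumProcesses(ids, cb, written);   /* DWORD is unsigned long */
}
#endif
int main(void) {
    size_t n = 0;
#ifdef _WIN32
    unsigned long *ids = snapshot_pids(win_enum, &n);
    for (size_t i = 0; i < n; i++) {
        WCHAR path[1024]; DWORD len = 1024;
        /* Can fail (PID 0, insufficient privilege): still record the PID. */
        HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, ids[i]);
        if (h && QueryFullProcessImageNameW(h, 0, path, &len)) printf("%lu\t%ls\n", ids[i], path);
        else printf("%lu\t<path unavailable>\n", ids[i]);
        if (h) CloseHandle(h);
    }
#else
    unsigned long *ids = snapshot_pids(fake_enum, &n);
    printf("%zu constructed PIDs\n", n);
#endif
    free(ids);
    return 0;
}
```

The output carries only the PID and image path: neither API call exposes another process's command-line arguments.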