How to find certain processes running on user pc? For example, find cheatengine.exe
You won’t be able to publish and your game will likely be treated as malaware if you attempt to read off process information off external programs.
You’d also need admin access in most cases.
Accessing ram is very similar. And also has the potential to BSOD the machine with the new security features.
If you want to have countermeasures to cheating, look into the anti cheat solution that even epic uses (or buys out because they are too lazy to come up with their own).
https://www.easy.ac/en-us/
There’s also a few marketplace products. Just make sure they don’t do things directly.
To be able to bypass security you need something authorized to run as a service that feeds info back to your application.
I am pretty sure many games and programs do so, I read that some AAA games would shut down if they detect cheatengine process running.
1 Like
If you do it from an associated service, sure.
Games and developers who have enough time and money to waste on that will do it by following all applicable compliance.
Also about 90% of the time you can just get a different version of cheat engine or whatever that has no headers and avoids detection in under a minute, so I still think it’s completely pointless, but that’s up to the developers to decide independently.
Anti-cheat is a constant challenge.
If you want to do it right you need to install a kernel-mode driver at install time, with elevated privileges, and make the game refuse to start if it cannot connect to this driver. The driver can then do whatever you need with maximum privileges. Of course, running in kernel mode is super intrusive, and any small bug will massively destabilize or bluescreen the user’s computer, so you should hire someone who is really good at driver development and validation to do this. (See also: various publishers accidentally nuking user machines because they didn’t want to pay more for engineers with the right skills, happens every few years.)
However, even that is a losing battle. The Cheatengine installer might just generate a random name for the executable in the installer, and now you can’t find that process. Another user may be visually impaired and use a screen reader – but to you, that might look like a screen-snooping cheat, and you unjustly ban players based on their assistive needs. (Not easy to recover from that PR disaster!)
The best way to catch cheaters is to analyze what you can from the server side. Match people up who have similar play/hit/weapon/input profiles. In the end, cheaters and up playing other cheaters, and because they’re all (presumably) paying customers, then, great!
How do you do this? It varies wildly by game specifics, and platform, so there’s no hard and fast rules. Other than: This is hard, and if you have a competitive online game, make sure to fund a team to work on this just as much as you fund a team working on networking, and staff it appropriately! Not just an engineer, but also a data analyst and a game designer, at a minimum!
2 Likes
Just to make sure, is your game competitive multiplayer, you are hosting the servers, hosting the player accounts, and have staff dedicated to investigating and banning cheat accounts? If not then probably don’t even bother anti-cheat.
Blizzard and Valve are billion dollar corps and can barely stop hackers. Any indie game has zero chance.
Both of these things are completely untrue. I’ve written loads of .NET programs that do this kind of thing.
For C++, there are built in Windows APIs and guides written by Microsoft on how to use them to do this exact task of looping through running processes and getting info from them: Process Enumeration - Win32 apps | Microsoft Learn
Having said that, I agree with what others have said that this is not a reliable way to detect cheats at all
This post nails it in the head. This forum really needs more thorough insightful posts like this one! 
It may be a subjective opinion however I also think that a good means of protection against cheaters is trying to do as much server side as possible, and replicate the bare minimum of the information required to the clients. It’s kind of a double win scenario. You will get better network bandwidth efficiency as well as better cheat resilience at the same time. But of course it’s a double edged sword and can lead to unnecessary overcomplication of game code in some places, and it’s not applicable to all types of games equally.
Not really, if you do it properly you can just check periodically - like once every item acquisition.
Thing is, it adds lag. Depending on what packets are checked.
There’s better technologies/ideas to prevent cheats even on peer to peer. It’s sort of why net code is it’s own profession…
@cw1289
Good luck getting your stuff to run on anything with a basic anti-virus software.
Your exe will likely be jailed before it even has a chance to complete the first scan.
.net programs have a different kind of accessibility - and will still end up in quarantine about 90% of the time.
To avoid it you’d have to be a certified publisher.
Also, literally none of it works without elevation:
“The caller must be a member of the Administrators group to enumerate processes that are running under a different user’s context.”
Games do not run as administrator, and any game requiring you to run as administrator is rejected by most publishers.
What are you going to do? Email zipped folders to clients?
And Obviously any decent cheating software will not be running under the same elevation to prevent just this. They usually do run as administrator.
To spot them you would also have to run the EXE as administrator.
I’m not sure what to tell you man. I literally make a living from writing software that does this kind of thing and none of them have ever been reported as viruses. Why on earth would enumerating processes be malicious? Now if you’re talking about reading from other process’ memory or something like that, fair enough, but just seeing if a particular process is running is a very common task and not even vaguely malicious.
As for needing admin permissions - the OP mentioned cheatengine, which is a GUI program that people do launch from the same user account / security context. So yes, you can detect that without admin permissions.
Have you ever used cheat engine?
It doesn’t usually run without elevation - it does access ram addresses directly…
I don’t want to clutter the OPs thread with this argument so this will be my last reply
You can still enumerate processes that are elevated if you launched them from the same session, which would be the case with cheatengine and a game (assuming your normal user account is an admin so both are running under the same user account but just one is running elevated).
Try it yourself if you don’t believe me. Launch notepad elevated and then from your own non elevated program call the EnumProcesses Win32 API or use the .NET wrapper that just calls that internally (Process.GetProcessesByName). Your program won’t get quarantined by anti virus and it will be able to see the elevated notepad process. Sure, you can’t query much info on it, but you can see that it is running and that’s all the OP asked to do.
By your own example, you are basing this on your development computer.
Unfortunately, this isn’t the case with publishing. If you were to test the same on a PC that didn’t have anything but the Exe and whatever required library the results would differ.
Also, again, you can rename the exe and get around it yourself.
The proper solution is to build a separate background service that has all the proper layers of access (which can also query program header info, like the title of the window or similar. Which is a lot more relevant than the name of the exe).
I don’t know what broken software you’ve been running, but calling EnumProcesses() is not blocked by anything.
HOWEVER the cheat engines generally inject themselves into the DLL chain, and patch the call to hide themselves from the process doing the calling. Which is why you really need a driver to have a chance.
It’s not blocked, but it is completely pointless.
And still chances your exe being placed in quarantine.
Plus, you have to ship psapi.dll along with the game, or rely on the delivery being in place. (You would even with the service probably, if you use that dll for calls).
Not sure how a driver would help detect it in this case, or how it would differ from running a background service like all the major anti cheat softwares do.
The reason for the quarantine is that the exe is accessing things it should not according to most antivirus software, not according to what we think. You can report as a false positive and say it’s up to the user to use a less than tight security.
I’m 90% positive that means you won’t be able to publish via steam or epic…
From Windows 7 onwards, it’s part of Windows. And Windows 7 hasn’t just been around forever, it’s so old it’s now end-of-life.
Because you have access to the kernel-internals API, and it’s not possible to DLL inject into the driver in the same way that you can attach to anything running in user mode. If you’re really baller, you’ll might want to try using the “protected media path” system protections for your anti-cheat software, even, although my experience with that is that it’s about 75% snake oil.
Idk. There’s more than one reported issue of windows 10 missing the dll. Moot point? Valid concern?
Can you even just include the dll without legal issues?
Aside from that, I’d defer to your idea for the kernel. It’s probably a better solution anyway since it’s what battleye and others do.
There is an plugin which takes care of that: Link