I was using NtQueryProcessInformation to get the PEB of a process, and then using its pointer to the RTL_USER_PROCESS_PARAMETERS to find the command line of the process. But I discovered something: the MSDN description of the RTL_USER_PROCESS_PARAMETERS structure is wrong. It indicates you need to skip the first 16 bytes, and then the next 10 dwords (56 bytes total), to get to the strings in question. There are 2 things wrong with this, though. First, you actually need to skip 60 bytes (16 bytes, and then 11 dwords) in order to get to the info you want. But unlike the description on https://docs.microsoft.com/en-us/win...ess_parameters, you actually don't get to those values directly in the structure. Instead, you get to a pointer. And it isn't 2 pointers (one for each string). Instead, there's one pointer that points to the first string, and then there's a null character separator between the 2 strings (and a null character as the terminator after the second string).
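Added example, not part of the original post: portable C that builds a constructed 32-bit memory image following the documented declaration (BYTE Reserved1[16], PVOID Reserved2[10], then the UNICODE_STRING fields ImagePathName and CommandLine, each a USHORT Length, USHORT MaximumLength and PWSTR Buffer) and follows the Buffer pointer to the command line with bounds checks. The helper names, the base address and the sample strings are assumptions made for the demo; no Windows API is called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented 32-bit layout: Reserved1[16], Reserved2[10], ImagePathName, CommandLine */
enum { OFF_IMAGE_PATH = 16 + 10 * 4, OFF_COMMAND_LINE = OFF_IMAGE_PATH + 8 };
#define SAMPLE_BASE 0x00020000u /* constructed address the sample image is "mapped" at */
typedef struct { uint16_t length, maximum_length; uint32_t buffer; } ustr32;

static uint32_t rd_le(const uint8_t *p, int n) { /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static void wr_le(uint8_t *p, uint32_t v, int n) { /* little-endian write of n bytes */
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Decode the UNICODE_STRING header at off; -1 if it does not fit in the image. */
static int read_ustr32(const uint8_t *mem, size_t size, size_t off, ustr32 *u) {
    if (off > size || size - off < 8) return -1;
    u->length = (uint16_t)rd_le(mem + off, 2);             /* bytes, terminator excluded */
    u->maximum_length = (uint16_t)rd_le(mem + off + 2, 2);
    u->buffer = rd_le(mem + off + 4, 4);                   /* pointer to UTF-16LE text */
    return 0;
}
/* Follow u->buffer within the image, narrow to ASCII; returns char count or -1. */
static int copy_ustr(const uint8_t *mem, size_t size, const ustr32 *u, char *dst, size_t cap) {
    size_t off = (size_t)u->buffer - SAMPLE_BASE, n = u->length / 2;
    if (u->buffer < SAMPLE_BASE || off > size || size - off < u->length || n >= cap) return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = rd_le(mem + off + 2 * i, 2) < 0x80 ? (char)mem[off + 2 * i] : '?';
    dst[n] = '\0';
    return (int)n;
}
/* Constructed sample: store s as UTF-16LE at `at`, fill the header at hdr; returns next free offset. */
static size_t put_ustr(uint8_t *mem, size_t hdr, size_t at, const char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i <= n; i++) wr_le(mem + at + 2 * i, (uint8_t)s[i], 2);
    wr_le(mem + hdr, (uint32_t)(2 * n), 2);
    wr_le(mem + hdr + 2, (uint32_t)(2 * n + 2), 2);
    wr_le(mem + hdr + 4, SAMPLE_BASE + (uint32_t)at, 4);
    return at + 2 * n + 2;
}
int main(void) {
    uint8_t mem[256] = {0}; ustr32 u; char cmd[64];
    size_t next = put_ustr(mem, OFF_IMAGE_PATH, 0x80, "C:\\demo\\app.exe");
    put_ustr(mem, OFF_COMMAND_LINE, next, "app.exe --verbose");
    if (read_ustr32(mem, sizeof mem, OFF_COMMAND_LINE, &u) || copy_ustr(mem, sizeof mem, &u, cmd, sizeof cmd) < 0) return 1;
    printf("CommandLine header at +%d, Buffer=0x%08x: %s\n", OFF_COMMAND_LINE, (unsigned)u.buffer, cmd);
    return 0;
}
```

In the constructed image, the 4 bytes at offset 60 are the Buffer member of ImagePathName, which follows its two USHORT length fields at offsets 56 and 58.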