The next code shows how get the parent process filename of a PID, using Delphi.
uses
Psapi,
Windows,
tlhelp32,
SysUtils;
function GetParentProcessFileName(PID : DWORD): String;
var
HandleSnapShot : THandle;
EntryParentProc : TProcessEntry32;
HandleParentProc : THandle;
ParentPID : DWORD;
ParentProcessFound : Boolean;
ParentProcPath : PChar;
begin
ParentProcessFound := False;
HandleSnapShot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
GetMem(ParentProcPath, MAX_PATH);
try
if HandleSnapShot <> INVALID_HANDLE_VALUE then
begin
EntryParentProc.dwSize := SizeOf(EntryParentProc);
if Process32First(HandleSnapShot, EntryParentProc) then
begin
repeat
if EntryParentProc.th32ProcessID = PID then
begin
ParentPID := EntryParentProc.th32ParentProcessID;
HandleParentProc := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, ParentPID);
ParentProcessFound:= HandleParentProc <> 0;
if ParentProcessFound then
begin
GetModuleFileNameEx(HandleParentProc, 0, PChar(ParentProcPath), MAX_PATH);
ParentProcPath := PChar(ParentProcPath);
CloseHandle(HandleParentProc);
end;
break;
end;
until not Process32Next(HandleSnapShot, EntryParentProc);
end;
CloseHandle(HandleSnapShot);
end;
if ParentProcessFound then
Result := ParentProcPath
else
Result := '';
finally
FreeMem(ParentProcPath);
end;
end;
The Road to Delphi 
April 17, 2012 at 4:13 pm
The process ID variable needs to be declared as DWORD rather than THandle
April 17, 2012 at 4:31 pm
Thanks, code edited.