Add Process constructor accepting SafeProcessHandle and optional stream handles

[Copilot]

Adds a new public Process constructor that creates instances from user-provided safe handles, enabling advanced interop scenarios where users call CreateProcess (or equivalent) directly but still want Process class features like async stream reading and WaitForExit.

Description

API Addition

public Process(
    SafeProcessHandle processHandle,
    ProcessStartInfo startInfo,
    SafeFileHandle? standardInput = null,
    SafeFileHandle? standardOutput = null,
    SafeFileHandle? standardError = null)

On Windows, standardOutput and standardError handles must be opened for asynchronous I/O (IsAsync == true); an ArgumentException is thrown otherwise. The processHandle must be valid (IsInvalid == false); an ArgumentException is thrown otherwise. The caller transfers ownership of the standard stream handles to the Process instance — they will be disposed when the Process is disposed.

Changes

• Ref assembly (ref/System.Diagnostics.Process.cs): New constructor signature
• Implementation (Process.cs): Constructor wires up handle, process ID, and wraps optional file handles into StreamWriter/StreamReader using existing OpenStream + encoding logic. Validates that processHandle is valid, that standardOutput/standardError handles are async on Windows, and that processHandle/startInfo are non-null. ProcessStartInfo is mandatory (with ArgumentNullException) to prevent StartInfo.get from throwing on an associated process.
• Tests (ProcessHandlesTests.Windows.cs):
  • Extracted CreateProcessWithHandles static helper reused by both RunWithHandles and the new test
  • Added INVALID_HANDLE_VALUE constant to replace magic numbers
  • Added ProcessStartedWithAnonymousPipeHandles_CanCaptureOutput test: creates async anonymous pipes, enables inheritance, spawns child process, wraps read handles in new Process ctor, uses ReadAllText() to assert captured stdout/stderr
  • Added ProcessConstructor_NonAsyncHandle_ThrowsArgumentException [Theory] test for IsAsync validation of both stdout and stderr
• Resources (Strings.resx): Added Argument_HandleNotAsync error message

Usage Example

SafeFileHandle.CreateAnonymousPipe(out SafeFileHandle readHandle, out SafeFileHandle writeHandle, asyncRead: true);
// ... CreateProcess with writeHandle as hStdOutput ...

using Process process = new(safeProcessHandle, new ProcessStartInfo(), standardOutput: readHandle);
(string stdout, string stderr) = process.ReadAllText();

[adamsitnik]

@copilot address my feedback

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-diagnostics-process
See info in area-owners.md if you want to be subscribed.

[Copilot]

@copilot address my feedback

Done in a53a1fc. All three items addressed:

• Simplified _startInfo assignment (removed unnecessary null check)
• Used INVALID_HANDLE_VALUE constant instead of (nint)(-1) magic numbers
• Extracted CreateProcessWithHandles helper that's reused by both RunWithHandles and the new test

[adamsitnik]

@copilot address my feedback

[Copilot]

@copilot address my feedback

Done in a6488fc. Changes:

• Added asyncRead: true to CreateAnonymousPipe calls
• Replaced ReadToEnd with process.ReadAllText()
• Added IsAsync validation for standardOutput/standardError on Windows (throws ArgumentException if not async)

[adamsitnik]

@copilot address my feedback

[Copilot]

@copilot address my feedback

All feedback addressed in b7cc712:

• ProcessStartInfo is now a mandatory second parameter with ArgumentNullException validation
• Restored GetSafeFileHandleId that was incorrectly removed
• Added XML docs documenting handle ownership transfer
• Added tests for IsAsync validation (ProcessConstructor_NonAsyncOutputHandle_ThrowsArgumentException and ProcessConstructor_NonAsyncErrorHandle_ThrowsArgumentException)

[adamsitnik]

@copilot address my feedback

[Copilot]

@copilot address my feedback

All addressed in 41ae4c8:

• Merged the two IsAsync tests into a [Theory] with [InlineData(true/false)]
• Removed trailing empty line
• Added processHandle.IsInvalid validation (throws ArgumentException)

[jkotas]

This is robust only if you control all other process starts that may be done by the current process.

If I am reading this correctly, this will create inheritable handles in the main test process without synchronizing with other process starts and so the handles may get accidently inherited by other processes. Is this test going to be flaky because of that?

Also, do the docs need to mention all gotchas about inherited handles and how the user code is expected to deal with them? I am not sure whether this API is the best way to address the end-to-end scenario once you take all the gotchas into account.

[adamsitnik]

This is robust only if you control all other process starts that may be done by the current process.

I agree, but this is true for all ways of starting processes on Windows (the standard handles always need to be inheritable).

If I am reading this correctly, this will create inheritable handles in the main test process without synchronizing with other process starts and so the handles may get accidently inherited by other processes.

Correct.

Is this test going to be flaky because of that?

All process tests are executed sequentially, so not for now.

runtime/src/libraries/System.Diagnostics.Process/tests/AssemblyInfo.cs

Lines 6 to 8 in 41ae4c8

	// Process tests can conflict with each other, as they modify ambient state
	// like the console code page and environment variables
	[assembly: CollectionBehavior(CollectionBehavior.CollectionPerAssembly)]

Also, do the docs need to mention all gotchas about inherited handles and how the user code is expected to deal with them?

They don't for now (but this can be ofc fixed).

I am not sure whether this API is the best way to address the end-to-end scenario once you take all the gotchas into account.

The alternative is to let the users pass the windows process attributes (and creation flags?) via ProcessStartInfo, something that we have discussed offline a while ago that would be passed to UpdateProcThreadAttribute:

public List<(int attribute, GCHandle value, nint byteSize)> ProcessAttributes { get; set; }

But it has one major limitation: it would support only the CreateProcess sys-call. So for example if the user wanted to use CreateProcessAsUser to implement #128378, this would not work.

[jkotas]

alternative

I think there are more alternatives. For example, we can allow user to provide a callback that receives some of the arguments prepared for the Win32 API invocation, the user provided callback combines these arguments with their custom options and invokes the Win32 APIs of their choice.

[adamsitnik]

For example, we can allow user to provide a callback that receives some of the arguments prepared for the Win32 API invocation

There are few simple arguments that such callback would need to accept that would be easy to implement:

• pointer to the command line string (char*)
• pointer to new environment block (char*)
• pointer to current directory name (char*)
• handle inheritance flag (bool)
• creation flags (int)

But advanced usages like the use case described by the customer in #71595 (comment)

I'm currently using JobObjects to limit CPU time and RAM. But I'd also like to restrict file and network access.
So, I need to use CreateRestrictedToken (or simular) API with Process capturing capabilities.

would also require us to expose STARTUPINFO and STARTUPINFOEX.

Moreover, really advanced scenarios like specifying Jobs would be still very tricky to get right together with all our existing APIs. For example, to provide Jobs, we need to specify the count up-front to allocate the right size of a buffer:

runtime/src/libraries/System.Diagnostics.Process/src/Microsoft/Win32/SafeHandles/SafeProcessHandle.Windows.cs

Line 530 in 2f69afe

jobHandles = (IntPtr*)NativeMemory.Alloc(1, (nuint)sizeof(IntPtr));

The same is true for attribute count:

runtime/src/libraries/System.Diagnostics.Process/src/Microsoft/Win32/SafeHandles/SafeProcessHandle.Windows.cs

Lines 499 to 500 in 2f69afe

	// Determine the number of attributes we need to set in the proc thread attribute list.
	int attributeCount = 0;

And some of the Windows sys-calls used for spawning processes don't support STARTUPINFOEX with lpAttributeList (CreateProcessWithTokenW docs mention STARTUPINFOEX, but they don't mention that EXTENDED_STARTUPINFO_PRESENT is not supported anyway.). So in certain situations users would need to ignore some of the input we provide (like the attribute/job list) and start a suspended process, then add the jobs, resume the process and all of that like we do here

@jkotas from my perspective asking the users to deal with handle inheritance is lesser evil compared to exposing all the Win32 contracts and trying to provide a callback that would support all scenarios.

Also the proposed ctor could work on Unix as well. As users could just somehow spawn the process, use SafeProcessHandle.Open and give us the SPH and the pipe handles.

[jkotas]

would also require us to expose STARTUPINFO and STARTUPINFOEX

I do not think we need to expose these structures. We can prepare the stdin/stdout/stderr handles, command line, environment, take the process create lock, and leave everything else to be provided by the user. They can supply their own definition of the PInvoke and all structures that the PInvoke needs. For example, if they want to start a process with custom job settings, they can do it all on their own.

Also the proposed ctor could work on Unix as well.

I would like to see what a "done" state looks like for the long tail of process APIs features. I do not think we want to be on the feature creep path (adding an API for every niche feature somebody asks for) that we are on currently. I do not have a fundamental problem with a few more APIs if we think that the use case is common enough.