NtQueryInformationProcess seems to return wrong command line


I am using NtQueryInformationProcess() to retrieve the command line of another process (via the RTL_USER_PROCESS_PARAMETERS in the PEB returned by NtQueryInformationProcess()) on Windows 7.

This generally works fine, but when multiple instances of the same executable are started the command line string is the same for all instances: it is always the command line of the first instance that was started. GetCommandLine() returns the correct command line for each process though.

Can someone confirm or falsify this?

What you are probably missing is that each pointer in the PEB is only relevant in the address space of the PEB's process rather than the process that called NtQueryInformationProcess and retrieved the PEB. You have to use ReadProcessMemory to dereference pointers. Otherwise, since processes are likely to be laid out similarly, you end up reading the command line of the NtQueryInformationProcess caller and not that of the PEB's process.

I can confirm that using NtQueryInformationProcess and ReadProcessMemory for each level of pointer indirection you can get the command lines of all processes correctly. See https://stackoverflow.com/a/13408150/1236546 for a source code example.
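The pointer-chasing the answer describes, as an added example rather than code from the question, the answer or the linked post: every pointer on the path PEB -> ProcessParameters -> CommandLine.Buffer is fetched through a reader callback, which on Windows wraps ReadProcessMemory and, for an offline run, reads a constructed fake address space. It assumes the x64 field offsets noted in the comments and the constructed layout in `demo()`.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Copies len bytes from the target's address addr into out; returns 1 on success. */
typedef int (*remote_read_fn)(void *ctx, uint64_t addr, void *out, size_t len);
/* x64 offsets of PEB.ProcessParameters, RTL_USER_PROCESS_PARAMETERS.CommandLine and
 * UNICODE_STRING.{Length,Buffer} (on x86 they are 0x10, 0x40, 0x0 and 0x4). */
enum { PEB_PARAMS = 0x20, PARAMS_CMDLINE = 0x70, USTR_LEN = 0x0, USTR_BUF = 0x8 };
/* Walk PEB -> ProcessParameters -> CommandLine.Buffer, fetching every pointer through rd
 * instead of dereferencing it locally. Returns UTF-16 code units written (NUL added), -1 on error. */
int read_remote_command_line(remote_read_fn rd, void *ctx, uint64_t peb, uint16_t *out, size_t cap) {
    uint64_t params = 0, buf = 0; uint16_t len = 0;
    if (!rd(ctx, peb + PEB_PARAMS, &params, sizeof params)) return -1;
    if (!rd(ctx, params + PARAMS_CMDLINE + USTR_LEN, &len, sizeof len)) return -1;
    if (!rd(ctx, params + PARAMS_CMDLINE + USTR_BUF, &buf, sizeof buf)) return -1;
    size_t n = len / 2;
    if (n >= cap) n = cap - 1;
    if (n && !rd(ctx, buf, out, n * 2)) return -1;
    out[n] = 0;
    return (int)n;
}
#ifdef _WIN32
/* Real reader: ctx is a handle opened with PROCESS_VM_READ; pass PebBaseAddress from
 * NtQueryInformationProcess(ProcessBasicInformation) as peb. */
int win_read(void *ctx, uint64_t addr, void *out, size_t len) {
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, out, len, &got) && got == len;
}
#endif
/* Constructed stand-in for a target address space: a flat little-endian image mapped at base. */
typedef struct { uint64_t base; uint8_t *img; size_t size; } fake_space;
int fake_read(void *ctx, uint64_t addr, void *out, size_t len) {
    fake_space *s = ctx;
    if (addr < s->base || addr - s->base + len > s->size) return 0;
    memcpy(out, s->img + (addr - s->base), len); return 1;
}
/* Fake PEB at 0x1000, its parameters at 0x1100 and "b.exe 2" at 0x1200; read it back via the reader. */
uint16_t demo_out[64];
int demo(void) {
    static uint8_t img[0x220];
    uint64_t params = 0x1100, buf = 0x1200;
    const char *cmd = "b.exe 2"; uint16_t len = (uint16_t)(strlen(cmd) * 2);
    memcpy(img + PEB_PARAMS, &params, 8);
    memcpy(img + 0x100 + PARAMS_CMDLINE + USTR_LEN, &len, 2);
    memcpy(img + 0x100 + PARAMS_CMDLINE + USTR_BUF, &buf, 8);
    for (size_t i = 0; cmd[i]; i++) img[0x200 + 2 * i] = (uint8_t)cmd[i]; /* ASCII as UTF-16LE */
    fake_space s = { 0x1000, img, sizeof img };
    return read_remote_command_line(fake_read, &s, 0x1000, demo_out, 64);
}
```

Dereferencing `params` or `buf` directly in the caller would read the caller's own address space, which is exactly how the question's symptom arises.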