Getting process name from filter driver

I’ve been reading a lot of questions and articles about this, and have read:

http://www.osronline.com/article.cfm?article=472

The article is from 2006, so is ZwQueryInformationProcess still the best way
to get a process name (image filename) from a filter driver for Windows 2003
on up through 2008?

The undocumented PsGetProcessImageFileName is also mentioned often, but I
hate the idea of relying on an undocumented function.

Thanks for any suggestions.

Doug

Sticking with documented APIs is the way to go. You could also register
for an ImageLoadCallback routine and be notified what modules are loaded
for any given process. The first image loaded is generally the
executable image and you’ll be notified for all other modules loaded for
that process. Using this information you can determine in PreCreate what
executable is the calling process.

Pete


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Thanks for the feedback Pete.

To make sure I’m understanding you correctly, you’re suggesting using
PsSetLoadImageNotifyRoutine which will cause a call into the driver with a
PID and image path. Then I guess I’d need to keep a PID->imagePath mapping
around so that in PreCreate, I could grab the PID and look up the image
name, right?

My concern is keeping that mapping table up to date. It doesn’t look like
there are any notifications when an image is unloaded. I suppose I could
just keep it around (how large could it grow??) but then how do I know that
image is loaded “first” (it’s easy to tell if the PID isn’t in the map, but
if the PID is re-used, how do I know which is loaded first in that case)?

Doug

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Scott
Sent: Friday, April 06, 2012 1:06 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Getting process name from filter driver


You can also register PsSetCreateProcessNotifyRoutine to get process
terminations, and clear out the PID->imagepath mapping.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

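As an added illustration of the scheme the thread converges on (not code from the thread or from any of the posters, and user-mode C rather than a real driver), here is a model of the PID->imagePath table: the first image reported for a PID is recorded as the executable, a termination notification clears the entry, and PreCreate's lookup then cannot return a stale image for a reused PID. The callback names, table shape and sample paths are assumptions.

```c
/* Added example, not code from the thread: a user-mode C model of the
 * PID->image-path table the posters describe. The two callbacks stand in
 * for the kernel notify routines (PsSetLoadImageNotifyRoutine and
 * PsSetCreateProcessNotifyRoutine); their names and the table shape are
 * assumptions made for illustration. */
#include <stddef.h>
#include <string.h>

#define MAX_TRACKED 64
#define IMAGE_LEN 128

typedef struct { unsigned long pid; char image[IMAGE_LEN]; int used; } entry_t;
static entry_t table[MAX_TRACKED];

static entry_t *find_entry(unsigned long pid) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].used && table[i].pid == pid) return &table[i];
    return NULL;
}

/* Stand-in for the image-load callback: the first image reported for a PID is
 * recorded as its executable; later DLL loads for that PID are ignored.
 * Returns 1 when recorded, 0 when ignored, -1 when the table is full. */
int on_image_load(unsigned long pid, const char *image_path) {
    if (find_entry(pid)) return 0;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!table[i].used) {
            table[i].used = 1;
            table[i].pid = pid;
            strncpy(table[i].image, image_path, IMAGE_LEN - 1);
            table[i].image[IMAGE_LEN - 1] = '\0';
            return 1;
        }
    }
    return -1;
}

/* Stand-in for the process-termination notification: drop the entry so a
 * reused PID cannot resolve to the exited process's image. */
void on_process_exit(unsigned long pid) {
    entry_t *e = find_entry(pid);
    if (e) e->used = 0;
}

/* What PreCreate would call with the caller's PID; NULL means unknown. */
const char *lookup_image(unsigned long pid) {
    entry_t *e = find_entry(pid);
    return e ? e->image : NULL;
}
```

Without the termination callback the entry for PID 1234 would survive the first process's exit and the lookup for the reused PID would return the old executable.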

Brilliant! (I was even looking at that API but didn’t put the two together.
Sigh…)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Friday, April 06, 2012 5:02 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Getting process name from filter driver


