Hi, guys. I’d like to get an explanation about the following issue.
I have three kernel mode drivers: the first is an event buffer driver, the second a process monitor driver, and the third a minifilter driver. The process monitor driver sends events to the event buffer driver from its CREATE_PROCESS_NOTIFY_ROUTINE. The minifilter driver sends events to the event buffer driver from its post-read operation handler. All operations with the event buffer are synchronized.
Today I noticed an interesting situation: a post-read event that occurred in the context of some process was put in the event buffer before the process start event of the same process. I’d like to add that the post-read event I mentioned above was about reading c:\windows\prefetch\someprocess.exe-xxxxx.pf by the process c:\someprocess.exe.
So how could it happen that a post-read was handled in the context of a process whose CREATE_PROCESS_NOTIFY_ROUTINE had not completed?
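One thing worth ruling out before reasoning about kernel ordering is whether the buffer order actually reflects the order in which the two callbacks started. "All operations with the event buffer are synchronized" only serializes insertion; two callbacks can start in one order and reach the lock in the other. The user-mode C simulation below is an added example, not code from the original post: it stamps each event with a global ordinal at callback entry (before the lock) and lets the consumer detect when buffer order and capture order disagree. All names (EVENT_RECORD, capture_event, insert_event, find_reordered) and the pid 4242 are constructed for the illustration; in a driver the ordinal would come from InterlockedIncrement or KeQueryPerformanceCounter at the top of the notify routine and post-read handler.

```c
/* Added example, not from the original post: a single-threaded simulation of
 * an event buffer fed by two kernel callbacks. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_EVENTS 16

typedef enum { EV_PROCESS_START = 1, EV_POST_READ = 2 } EVENT_KIND;

typedef struct {
    unsigned long capture_seq;   /* taken at callback entry, before the lock */
    unsigned long pid;
    EVENT_KIND kind;
    char detail[64];
} EVENT_RECORD;

/* Shared buffer; in the driver this is protected by a lock. The simulation
 * is single-threaded, so the interleaving is written out explicitly. */
static EVENT_RECORD g_buffer[MAX_EVENTS];
static size_t g_count = 0;
static unsigned long g_next_seq = 1;   /* InterlockedIncrement in a driver */

/* Stage 1: what a callback does on entry: take a global ordinal at once. */
EVENT_RECORD capture_event(unsigned long pid, EVENT_KIND kind, const char *detail)
{
    EVENT_RECORD r;
    r.capture_seq = g_next_seq++;
    r.pid = pid;
    r.kind = kind;
    strncpy(r.detail, detail, sizeof r.detail - 1);
    r.detail[sizeof r.detail - 1] = '\0';
    return r;
}

/* Stage 2: the synchronized insertion. Returns the slot index, or -1 if full. */
int insert_event(const EVENT_RECORD *r)
{
    if (g_count >= MAX_EVENTS) return -1;
    g_buffer[g_count] = *r;
    return (int)g_count++;
}

/* Consumer check: first slot whose capture ordinal is lower than one already
 * seen, i.e. an event captured earlier but inserted later. -1 if buffer order
 * already matches capture order. */
int find_reordered(void)
{
    unsigned long high = 0;
    for (size_t i = 0; i < g_count; i++) {
        if (g_buffer[i].capture_seq < high) return (int)i;
        if (g_buffer[i].capture_seq > high) high = g_buffer[i].capture_seq;
    }
    return -1;
}

void reset_buffer(void)
{
    g_count = 0;
    g_next_seq = 1;
}

/* Replays the interleaving described in the post with constructed values:
 * the process-start callback for pid 4242 starts first, but the post-read
 * callback for the same pid reaches the buffer before it. Returns the slot
 * that find_reordered() flags (expected: 1). */
int simulate_post_interleaving(void)
{
    reset_buffer();
    EVENT_RECORD start = capture_event(4242, EV_PROCESS_START, "c:\\someprocess.exe");
    EVENT_RECORD read  = capture_event(4242, EV_POST_READ,
                                       "c:\\windows\\prefetch\\someprocess.exe-xxxxx.pf");
    insert_event(&read);    /* post-read wins the race for the buffer */
    insert_event(&start);   /* process-start lands second */
    return find_reordered();
}

/* Control case: same two events inserted in capture order (expected: -1). */
int simulate_in_order(void)
{
    reset_buffer();
    EVENT_RECORD start = capture_event(4242, EV_PROCESS_START, "c:\\someprocess.exe");
    EVENT_RECORD read  = capture_event(4242, EV_POST_READ,
                                       "c:\\windows\\prefetch\\someprocess.exe-xxxxx.pf");
    insert_event(&start);
    insert_event(&read);
    return find_reordered();
}

int main(void)
{
    int idx = simulate_post_interleaving();
    for (size_t i = 0; i < g_count; i++)
        printf("slot %zu: seq=%lu pid=%lu kind=%d %s\n", i, g_buffer[i].capture_seq,
               g_buffer[i].pid, (int)g_buffer[i].kind, g_buffer[i].detail);
    if (idx >= 0)
        printf("slot %d was captured before slot %d but inserted after it\n", idx, idx - 1);
    return 0;
}
```

If the real buffer shows the post-read event with a lower capture ordinal than the process-start event, the ordering is genuine and the question about kernel callback context stands; if the ordinals are in the expected order, the anomaly is only insertion order and the consumer should sort on the ordinal rather than on buffer position.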