(First contact at that new site … but had to register again)
Short:
How to check existence of a known process after receiving a ProcessNotifyRoutine callback?
Long:
In a KMDF driver I have a problem with ProcessNotifyRoutine and PsLookupProcessByProcessId().
I debugged down to this:
- The driver registers a ProcessNotifyRoutine callback with PsSetCreateProcessNotifyRoutine()
- An app “myProcess” is started and connects to the driver with its process ID, which is saved as “myProcessId”.
- … regular operation …
- myProcess is killed in the Task Manager the unfriendly way.
- The ProcessNotifyRoutine gets called. It calls PsLookupProcessByProcessId(myProcessId) to check whether myProcessId is still valid.
- Even though the callback was triggered by the kill of myProcess, PsLookupProcessByProcessId(myProcessId) still returns an EPROCESS pointer with NT_SUCCESS.
So the driver falsely assumes myProcess is still running.
That problem came up somewhere between Win10 1803 and 1809; it worked before.
Perhaps I must interpret the PEPROCESS struct returned by PsLookupProcessByProcessId() to get info about the process status, but it is documented as “opaque”.
Thanks for caring,
Joerg, PEAK System Technik
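One way to handle this, as an added example that is not from the original post and not PEAK's driver code: let the notify routine itself update the driver's idea of whether the client is alive, since on Create == FALSE it is handed the exiting process's own ID. All names (g_ClientPid, ClientConnected, IsClientAlive, ProcessObjectExists) are hypothetical, and the #else branch holds minimal stand-ins so the logic can be compiled and tested in user mode.

```c
// Added example, not from the original post: track whether the client is still
// alive from the notify callback itself instead of via PsLookupProcessByProcessId().
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
// Minimal user-mode shims so the state logic compiles and can be tested outside
// the kernel; a real driver only builds the ntddk.h path above.
#include <stdint.h>
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
typedef int32_t LONG;
#define TRUE 1
#define FALSE 0
#define UNREFERENCED_PARAMETER(p) (void)(p)
static LONG InterlockedExchange(volatile LONG *t, LONG v) { LONG o = *t; *t = v; return o; }
#endif

static HANDLE g_ClientPid;           // "myProcessId" (hypothetical name): set on connect
static volatile LONG g_ClientAlive;  // 1 while the app is known to be running

// Called from the driver's connect path once the app has passed its PID.
void ClientConnected(HANDLE pid) { g_ClientPid = pid; InterlockedExchange(&g_ClientAlive, 1); }

// PsSetCreateProcessNotifyRoutine callback. On exit (Create == FALSE) the kernel
// passes the exiting process's own ID, so compare that. The EPROCESS still exists
// here, which is why a successful PsLookupProcessByProcessId() cannot distinguish
// "exiting" from "running".
void ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    UNREFERENCED_PARAMETER(ParentId);
    if (!Create && ProcessId == g_ClientPid) {
        InterlockedExchange(&g_ClientAlive, 0);  // mark dead before anyone re-reads it
        g_ClientPid = 0;                         // forget the stale ID
    }
}

// What the rest of the driver consults instead of a PID lookup.
int IsClientAlive(void) { return g_ClientAlive != 0; }

#ifdef _KERNEL_MODE
// If a lookup is still wanted elsewhere, release the reference it takes or the
// EPROCESS leaks. It returns TRUE for an exiting process too, so it is no "alive" test.
BOOLEAN ProcessObjectExists(HANDLE pid)
{
    PEPROCESS p;
    if (!NT_SUCCESS(PsLookupProcessByProcessId(pid, &p))) return FALSE;
    ObDereferenceObject(p);
    return TRUE;
}
#endif
```

The exit notification arrives before the EPROCESS is torn down, so the flag is cleared while a lookup would still succeed; anything racing against the exit should read the flag, not the lookup result.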