
Can we make registry calls from PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback routine?

yogeshrkhedkar Member Posts: 6

Can we make registry operations within PCREATE_PROCESS_NOTIFY_ROUTINE_EX function?
I want to store process specific information in the registry.

Comments

  • Vadim_Sirotnikov Member Posts: 28

    I'm not aware of anything preventing you from this.
    I would add some mechanism to avoid a loopback - in case you're also monitoring registry operations, check to see that you don't end up filtering calls you initiated yourself.

  • yogeshrkhedkar Member Posts: 6

    In best practices, Microsoft recommends not to use registry calls.
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-kernel-mode-process-and-thread-manager

    Is there any potential issue that occurs if we make registry calls from the PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine?

  • Sourabh_Arvikar Member Posts: 75

    @yogeshrkhedkar,

    Which registry operations will you be doing?
    Yup, MSDN clearly mentions not to do any registry operations and many more, but I think those are guidelines (as per the documentation), not RULES.
    I believe there are many security products which register with a system for process creation, and in the event callback, they validate the current process using their user mode component to allow or block that process.

    So I believe you can do registry operations.
    If the operations are going to be heavy and you desire to follow the guideline, then spawn a system thread to do the work.

    Happy Coding :)

  • yogeshrkhedkar Member Posts: 6

    Thank you, Sourabh!
    The operations are not heavy but I am worried only because of the guidelines from Microsoft.
    Also based on the guidelines spawning the thread is not an option since I have to do the stuff inline and will have to wait in the callback which again is not recommended by Microsoft.

    Can someone from Microsoft confirm and help in this context?

  • Martin_Dráb Member - All Emails Posts: 61

    The operations are not heavy but I am worried only because of the guidelines from Microsoft.

    Also based on the guidelines spawning the thread is not an option since I have to do the stuff inline and will have to wait in the callback which again is not recommended by Microsoft.

    These guidelines can usually be translated as "doing some of these may lead to deadlock if you are not careful". For example, you may wait for a user-mode component in the process notify ex callback; however, that user-mode component must really know what it is doing (and SHOULD not perform any complex operation, because some internal locks may be held).

    So, just be careful and do more testing and all should be fine.

    That's my experience at least.

    Martin Dráb
