Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Can we make registry calls from PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback routine?

yogeshrkhedkar Member Posts: 6

Can we make registry operations within PCREATE_PROCESS_NOTIFY_ROUTINE_EX function?
I want to store process specific information in the registry.

Comments

  • Vadim_Sirotnikov Member Posts: 28

    I'm not aware of anything preventing you from this.
    I would add some mechanism to avoid a loopback: in case you're also monitoring registry operations, check that you don't end up filtering calls you initiated yourself.
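The loopback guard described in this reply, as an added illustration that is not code from the thread or from any Microsoft sample. It is a portable C model, not a loadable driver: the process-notify body, the registry filter callback and the registry write are modelled as plain functions, and the thread identity is passed in explicitly where a real driver would call PsGetCurrentThreadId(). The key path, thread ids and process ids are constructed for the scenario. The model generalises the reply slightly by tracking several in-flight threads in one table; a real driver would protect that table with a spin lock, or keep a per-thread flag instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A driver that writes per-process data from its
 * PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback AND filters registry
 * operations through a CmRegisterCallbackEx routine will see its own
 * writes in the filter. The guard below records which threads are
 * currently inside the driver's own registry calls; the filter leaves
 * operations from those threads alone. Single-threaded model: in kernel
 * mode the table needs a lock and the ids come from PsGetCurrentThreadId(). */

#define MAX_INFLIGHT 16
typedef uintptr_t thread_id_t;          /* stands in for a thread identity */

static thread_id_t g_inflight[MAX_INFLIGHT];
static size_t g_inflight_count;

typedef struct {
    unsigned filter_calls;      /* times the registry filter ran */
    unsigned filter_skipped;    /* operations recognised as the driver's own */
    unsigned filter_inspected;  /* operations from other callers */
    unsigned registry_writes;   /* writes that reached the registry model */
} loopback_stats_t;

static loopback_stats_t g_stats;

/* Record that this thread is about to issue registry calls on the driver's
 * behalf. Returns false if the table is full so the caller can skip the
 * write instead of risking a loop. */
static bool mark_self_initiated(thread_id_t tid)
{
    if (g_inflight_count >= MAX_INFLIGHT)
        return false;
    g_inflight[g_inflight_count++] = tid;
    return true;
}

static void unmark_self_initiated(thread_id_t tid)
{
    for (size_t i = 0; i < g_inflight_count; i++) {
        if (g_inflight[i] == tid) {
            g_inflight[i] = g_inflight[--g_inflight_count];  /* swap-remove */
            return;
        }
    }
}

static bool is_self_initiated(thread_id_t tid)
{
    for (size_t i = 0; i < g_inflight_count; i++)
        if (g_inflight[i] == tid)
            return true;
    return false;
}

/* Model of the registry filter callback (the pre-set-value case). Returns
 * true if the write was inspected, false if it was the driver's own. */
static bool registry_filter_callback(thread_id_t tid, const char *key,
                                     const char *value)
{
    g_stats.filter_calls++;
    if (is_self_initiated(tid)) {
        g_stats.filter_skipped++;   /* our own write: do not filter it */
        return false;
    }
    g_stats.filter_inspected++;     /* third-party write: policy goes here */
    (void)key; (void)value;
    return true;
}

/* Model of ZwSetValueKey: every registered filter runs before the write. */
static void model_set_value_key(thread_id_t tid, const char *key,
                                const char *value)
{
    registry_filter_callback(tid, key, value);
    g_stats.registry_writes++;
}

/* Model of the process-notify-ex body: store a marker for each new process
 * under a hypothetical key (the path is constructed for this example). */
static void process_notify_ex(thread_id_t tid, uint32_t pid, bool create)
{
    char key[96];
    if (!create)
        return;                     /* nothing to store at process exit here */
    snprintf(key, sizeof key,
             "\\Registry\\Machine\\SOFTWARE\\ExampleDrv\\Processes\\%u", pid);
    if (!mark_self_initiated(tid))
        return;                     /* table full: skip rather than loop */
    model_set_value_key(tid, key, "Created");
    unmark_self_initiated(tid);     /* unmark on every exit path */
}

/* Constructed scenario: a process-creation notification on thread 0x1001,
 * then an unrelated registry write from thread 0x2002, then a process exit. */
static loopback_stats_t run_loopback_scenario(void)
{
    memset(&g_stats, 0, sizeof g_stats);
    g_inflight_count = 0;
    process_notify_ex(0x1001, 4242, true);
    model_set_value_key(0x2002, "\\Registry\\Machine\\SOFTWARE\\Other", "x");
    process_notify_ex(0x1001, 4243, false);
    return g_stats;
}

int main(void)
{
    loopback_stats_t s = run_loopback_scenario();
    printf("filter calls=%u skipped=%u inspected=%u writes=%u\n",
           s.filter_calls, s.filter_skipped, s.filter_inspected,
           s.registry_writes);
    return 0;
}
```

The guard relies on the driver's registry call completing synchronously on the thread that marked itself, which holds for Zw registry calls made inline from the callback; if the write is handed to a worker thread instead, the worker must do the marking. Unmarking on every exit path matters: a thread left in the table would make the filter ignore every later registry operation from that thread.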

  • yogeshrkhedkar Member Posts: 6

    In its best practices, Microsoft recommends not using registry calls.
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-kernel-mode-process-and-thread-manager

    Are there any potential issues if we make registry calls from a PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine?

  • Sourabh_Arvikar Member Posts: 75

    @yogeshrkhedkar,

    Which registry operations will you be doing?
    Yup, MSDN clearly says not to do any registry operations, and much more, but I think those are guidelines (as per the documentation), not RULES.
    I believe there are many security products which register with the system for process creation, and in the event callback they validate the current process using their user-mode component to allow or block that process.

    So I believe you can do registry operations.
    If the operations are going to be heavy and you want to follow the guideline, then spawn a system thread to do the work.

    Happy Coding :)

  • yogeshrkhedkar Member Posts: 6

    Thank you, Sourabh!
    The operations are not heavy, but I am worried only because of the guidelines from Microsoft.
    Also, based on the guidelines, spawning a thread is not an option since I have to do the stuff inline and would have to wait in the callback, which again is not recommended by Microsoft.

    Can someone from Microsoft confirm and help in this context?

  • Martin_Dráb Member - All Emails Posts: 81

    > The operations are not heavy, but I am worried only because of the guidelines from Microsoft.

    > Also, based on the guidelines, spawning a thread is not an option since I have to do the stuff inline and would have to wait in the callback, which again is not recommended by Microsoft.

    These guidelines can usually be translated as "doing some of these may lead to a deadlock if you are not careful". For example, you may wait for a user-mode component in the process-notify-ex callback; however, that user-mode component must really know what it is doing (and SHOULD not perform any complex operation, because some internal locks may be held).

    So, just be careful and do more testing and all should be fine.

    That's my experience at least.

    Martin Dráb
