
Notification of kernel objects creation by any process on system

hkborle Member Posts: 1

We have a file system driver. We want to be notified of "kernel objects" created by any process.

Is there any way to receive such a notification in kernel mode?

Comments

  • Mauro_Leggieri Member Posts: 76

    Mmmm, kernel objects can only be created by the kernel. Do you mean a user-mode handle? If yes, you can only track process and thread handles as far as I know.

  • anton_bassov Member Posts: 5,043

    kernel objects can only be created by the kernel

    True, but the kernel may (and in most cases does) create these objects (i.e. processes, threads, synch objects, file objects, etc.) in response to requests from userland. I think this is what the OP is asking about.

    If yes, you can only track process and thread handles as far as I know.

    According to Mr. Tippet, there is a DTrace Windows port that is available on GitHub. I am not 100% sure it is going to be of help, but the OP may want to investigate this direction....

    Anton Bassov

  • Mauro_Leggieri Member Posts: 76
    edited September 7

    True, but the kernel may (and in most cases does) create these objects (i.e. processes, threads, synch objects, file objects, etc.) in response to requests from userland. I think this is what the OP is asking about.

    Probably. He would be able to monitor file and registry access too.

    According to Mr. Tippet, there is a DTrace Windows port that is available on GitHub. I am not 100% sure it is going to be of help, but the OP may want to investigate this direction....

    I saw it, and it seems abandoned and undocumented. I saw some new routines to assist Windows Defender (fair competition :( ) but, unless it is convenient for Microsoft, I doubt they will put much effort into adding useful features for us.

  • anton_bassov Member Posts: 5,043

    Saw it and seems abandoned and undocumented.....

    IIRC, Jeffrey seemed to have a much higher opinion of it.

    .... unless it is convenient for Microsoft, I doubt they put some effort to add useful features for us.

    I dunno, but according to Jeffrey, it is going to be included in future Windows releases, and will come as an integrated part of the system.

    In other words, you may be dismissing it too hastily.....

    Anton Bassov

  • Mauro_Leggieri Member Posts: 76

    Well, I expect they will, and that they document its access/usage.
