In my TDI filter driver, I'm calling the function IoGetRequesterProcessId
(Irp) from a completion routine (of my TDI_CONNECT filter function) and
sometimes I get BSOD of IRQL_NO_LESS_OR_EQUAL (a). Driver verifier is also
running in the background.
I started to analyze the dump, and found that
1. The irp is valid.
2. IoGetRequesterProcessId () calls IoGetProcess() in order to get EPROCESS
structure of the requested process, and the structure I get is invalid (all
structure data is invalid) but IoGetProcess() still returns success to
IoGetRequesterProcessId () !!
The first thing I thought of is that the process was already ended, and
therefore IoGetProcess got an invalid EPROCESS, but how can process be ended
if I still have it's irp in my completion routine?
Another idea is that this function is only supported in IFS ?! (I got it
Thanks for any help, I really need it.