File reading before process start notification

Mikhail_Kulkov · July 20, 2017, 9:33am

Hi, guys. I’d like to get an explanation about the following issue.

I have three kernel mode drivers. First - event buffer driver, second - process monitor driver, third - minifilter driver. Process monitor driver sends events to the event buffer driver from its CREATE_PROCESS_NOTIFY_ROUTINE. Minifilter driver sends events to the event buffer driver from its post-read operation handler. All operations with the event buffer are synchronized.
Today i have noticed interesting situation - post-read event that occured in a context of some process was put in event buffer before process start event of the same process. I’d like to add that post-read event i mentioned above was about reading c:\windows\prefetch\someprocess.exe-xxxxx.pf by process c:\someprocess.exe.

So how it could happen that post-read was handled in the context of a process whose CREATE_PROCESS_NOTIFY_ROUTINE was not completed?

Scott_Noone_OSR · July 20, 2017, 7:38pm

Doesn’t sound right to me…Are you 100% sure of the order of your log entries? Also, which O/S version?

-scott
OSR
@OSRDrivers

Mikhail_Kulkov · July 21, 2017, 6:20am

Windows 7 x64 SP1. It was the only accident for several months. Besides while putting event in a buffer i add current time to event and post-read had really earlier time. I experimented with delaying CREATE_PROCESS_NOTIFY_ROUTINE and the event sequence was always fine so i failed in reproducing of this issue.

Slava_Imameev · July 21, 2017, 7:46am

I would guess that KeStackAttachProcess was involved.