Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

System call records

ramchandra24 Member Posts: 11
edited March 14 in NTDEV

How to develop a kernel driver to record the timestamps when each process/thread makes a system call?
Does KMDF provide any callbacks for this?

Comments

  • Jeffrey_Tippet_[MSFT] Member - All Emails Posts: 527

    The upcoming version of Windows supports DTrace, which makes this trivially easy; I think your solution would come down to just 1 line of code, if you can use DTrace in your environment. Instructions: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/DTrace-on-Windows/ba-p/362902

    Otherwise, we don't support hooking all syscalls. There are mechanisms to filter specific types of syscalls, e.g., you can install a filesystem filter, or a registry callback.

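    As an added example (not part of the original thread and not code from Microsoft or the poster), here is what the DTrace approach from the reply above looks like as a D script. It assumes DTrace for Windows (dtrace.exe) is installed and enabled as described at the link above, that the script is run from an elevated prompt as `dtrace -s syscall_times.d`, and that the syscall provider exposes `syscall:::entry` / `syscall:::return` probes with the usual built-ins (`pid`, `tid`, `execname`, `probefunc`, `walltimestamp`, `timestamp`). The process name in the predicate is an assumption chosen for illustration; replace it with the process of interest or drop the predicate to trace everything.

```d
/*
 * syscall_times.d -- added example, not from the original post.
 * Records the wall-clock time at which each thread enters a system call,
 * and on return accumulates how long each process spent inside syscalls.
 *
 * Assumptions: DTrace for Windows with the syscall provider enabled;
 * run elevated:  dtrace -s syscall_times.d
 */
#pragma D option quiet

/* Optional filter: only the process named here (hypothetical choice). */
syscall:::entry
/execname == "notepad.exe"/
{
    /* self-> is thread-local, so concurrent threads do not clobber each other. */
    self->entry = timestamp;          /* monotonic ns, used for the duration */

    /* One line per syscall: epoch ns, pid, tid, image name, Nt* function. */
    printf("%d %d %d %s %s\n", walltimestamp, pid, tid, execname, probefunc);
}

/* Only fire the return clause for threads whose entry we saw. */
syscall:::return
/self->entry/
{
    /* Total time each process spent inside each syscall, in ns. */
    @in_syscall[pid, execname, probefunc] = sum(timestamp - self->entry);
    /* Number of calls per process/thread, for a rough activity profile. */
    @calls[pid, tid, execname] = count();
    self->entry = 0;                  /* release the thread-local slot */
}

/* Ctrl-C ends the trace; aggregations are printed here. */
END
{
    printf("\n--- ns spent in syscalls per process/function ---\n");
    printa("%5d %-20s %-28s %@d\n", @in_syscall);
    printf("\n--- syscall count per process/thread ---\n");
    printa("%5d %6d %-20s %@d\n", @calls);
}
```

    Two caveats a practitioner would want: the `entry`/`return` pairing measures time spent inside the kernel on behalf of the thread, not how long the process was scheduled on a CPU, so it answers "when did this thread issue syscalls and for how long" rather than "when was the process running"; and `walltimestamp` and `timestamp` are both nanosecond counters but only the former is comparable to clock time, which is why one is printed and the other is used for arithmetic.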
  • ramchandra24 Member Posts: 11
    edited March 14

    Thank you, Jeffrey! I'm basically interested in finding out the timestamps when a process is active, and for how long. I thought recording syscalls made by the process is one way to find out. Is there any other way I can achieve this?
