Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
How to develop a kernel driver to record the timestamps when each process/thread makes a system call?
Does KMDF provide any callbacks for this?
The upcoming version of Windows supports DTrace, which makes this trivially easy; I think your solution would come down to just 1 line of code, if you can use DTrace in your environment. Instructions: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/DTrace-on-Windows/ba-p/362902
Otherwise, we don't support hooking all syscalls. There are mechanisms to filter specific types of syscalls, e.g., you can install a filesystem filter, or a registry callback.
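An added example of the DTrace approach mentioned in the reply above (not code from the thread or from Microsoft's documentation): it records, for every system call, the wall-clock time plus the process and thread that made it, and on exit summarises how many calls each process was observed making. It assumes DTrace for Windows is installed per the linked instructions, that the `syscall` provider is available on the machine, and that the prompt is elevated; the script file name is arbitrary.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt
# on a Windows build that ships DTrace (see the link in the reply above).
# The D script below is written to a file and handed to dtrace with -s.

$script = @'
/* Fires on entry to every system call. The built-in variables pid, tid and
   execname identify the caller; probefunc is the name of the syscall;
   walltimestamp is wall-clock time, timestamp is a nanosecond monotonic clock. */
syscall:::entry
{
    printf("%Y pid=%d tid=%d %s %s\n", walltimestamp, pid, tid, execname, probefunc);

    /* Per-process aggregations: first/last time a syscall was seen (nanoseconds
       since boot) and the number of calls. min/max/count are standard DTrace
       aggregating functions. */
    @first[execname, pid] = min(timestamp);
    @last[execname, pid]  = max(timestamp);
    @calls[execname, pid] = count();
}

/* Printed when tracing stops (Ctrl+C). The difference between the "last" and
   "first" values for a pid is the window in which that process was making
   system calls. */
END
{
    printf("\n%-24s %8s %12s\n", "IMAGE", "PID", "SYSCALLS");
    printa("%-24s %8d %@12d\n", @calls);
    printf("\n%-24s %8s %20s\n", "IMAGE", "PID", "FIRST SEEN (ns)");
    printa("%-24s %8d %@20d\n", @first);
    printf("\n%-24s %8s %20s\n", "IMAGE", "PID", "LAST SEEN (ns)");
    printa("%-24s %8d %@20d\n", @last);
}
'@

# Write the script next to the current directory and run it; stop with Ctrl+C.
Set-Content -Path .\syscall-times.d -Value $script -Encoding ascii
dtrace -s .\syscall-times.d
```

The per-call `printf` line is the "1 line of code" version of the reply; everything else is there only to turn the raw timestamps into a per-process activity window. On a busy system the per-call output is large, so in practice you would add a predicate such as `/execname == "notepad.exe"/` after `syscall:::entry` to restrict the trace to the process of interest.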
Thank you, Jeffrey! I'm basically interested in finding out the timestamps when a process is active, and for how long. I thought recording syscalls made by the process is one way to find out. Is there any other way I can achieve this?