
Active Process intervals

ramchandra24 Member Posts: 11

How to write a Kernel driver to record active intervals (begin, end) of each process?
Does KMDF provide callbacks for the same?

Comments

  • Don_Burn Member - All Emails Posts: 1,653
    via Email
    Take a look at PsSetCreateProcessNotifyRoutineEx


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com
  • ramchandra24 Member Posts: 11

    Thanks, Don! I'm currently using the PsSetCreateProcessNotifyRoutineEx to record whenever a new process/thread is created/destroyed. Along with this, I want to log when a process/thread is being actively used by the user.

    The assumption I'm making here is that the Windows scheduling works on a priority basis, and there are idle times when a process is not actively being used by the user.

    Although it may not be possible to log all time slices allocated to the process, is there a way I can find out when a process makes I/O calls etc.?

  • anton_bassov Member Posts: 5,010

    Along with this, I want to log when a process/thread is being actively used by the user.

    I would say that this part should rather be accomplished in userland with SetWindowsHookEx(), GetFocus() et al., rather than in the kernel.....

    The assumption I'm making here is that the Windows scheduling works on a priority basis, and there are idle times when a process is not actively being used by the user.

    Well, interactive processes/threads tend to spend most of their time in an inactive state, waiting for an input and/or IO completion. It has nothing to do with thread priority - this part comes into play only when the target thread becomes active (because you can have multiple active threads at any particular moment, but only one of them may actually occupy the CPU at the moment)....

    Is there a way I can find out when a process makes I/O calls etc

    Check Mr. Tippet's post concerning a port of DTrace to Windows - this part seems to be really exciting and promising....

    Anton Bassov

  • Ken_Johnson Member - All Emails Posts: 1,559
    via Email
    What is the overarching problem that you are attempting to solve ?

    - S (Msft)
  • ramchandra24 Member Posts: 11
    edited March 21

    I'm writing a kernel driver to record what processes a user uses, and at what times. I am trying to record the intervals when the process is actively being used by the user.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,265

    I am trying to record the intervals when the process is actively being used by the user

    Tough ask. How do you determine "when the process is actively being used"? If I kick off a Build All of a large solution, and I iconify Visual Studio... is that process "actively being used"? If I start some streaming audio app, and I go do some work on anything system... is that process "actively being used"?

    Yeah... tough concept. I'm not sure it's one that makes any sense, actually.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • ramchandra24 Member Posts: 11

    I want to consider a process active as long as it is making syscalls.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,265

    Hmmmm... "active" != "actively being used by a user" (consider all the various services/daemons in a system) and "active as long as it is making syscalls" surely means "actively making new syscalls" ... Given that ZwWaitForSingleObject on an unsignalled dispatcher object leaves a process "actively making a syscall"... So, why not just look at changes in use in CPU time or something? Periodically look at all the processes that are running and see if CurrentCPUTime != LastSeenCPUTime?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 13,004
    via Email
    ramchandra24 wrote:
    > I want to consider a process active as long as it is making syscalls.

    I find that a very odd definition.  Let me posit some scenarios to get
    you to think about what you're asking.

    Let's say I have 4 processes:

    * I have Word in the foreground, making changes
    * I have Excel in the background
    * I have a compute-bound task in the background
    * I have started a big robocopy to a USB drive

    So, which of these are "active" for your purpose?  #1 has the input
    focus, but it's not using much CPU time.  It spends most of its time
    waiting for keyboard and mouse messages.  #2 is running, but blocked
    waiting for input messages.  #3 is actively consuming CPU time, but not
    making syscalls.  #4 is actively making I/O requests, but does not have
    input focus.

    So, what statistics are you trying to gather?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • ramchandra24 Member Posts: 11

    I was under the impression that we cannot acquire CPU access times of processes. So, the idea was to capture whenever processes make I/O calls. In the above scenario, I would want to record the times when Word gets user-input, and the robocopy I/O timestamps.

    Do we have access to CPU times of a process?

  • Peter_Viscarola_(OSR) Administrator Posts: 7,265

    I was under the impression that we cannot acquire CPU access times of processes

    Well, it's gotta be possible, right? I mean... you've seen Task Manager.

    How about GetProcessTimes?

    would want to record the times when Word gets user-input, and the robocopy I/O timestamps

    I'm sorry... I don't even understand what that means.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
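    An added example, not code from anyone in this thread: Peter's suggestion of periodically sampling each process's cumulative CPU time and treating CurrentCPUTime != LastSeenCPUTime as "ran during that sample period", turned into the (begin, end) active-interval log the original question asks for. It is portable C run over a constructed trace of (tick, pid, cpu_time) samples; on Windows each sample would be taken with GetProcessTimes (kernel + user time), which this example assumes rather than calls.

```c
#include <stdio.h>

#define MAX_PROCS 8
#define MAX_INTERVALS 16

typedef struct { unsigned pid; unsigned begin, end; } Interval;
typedef struct { unsigned pid; unsigned long last_cpu; unsigned last_tick; int active; unsigned begin; } ProcState;
/* Constructed sample: cumulative CPU time of one pid at one sampling tick.
   On Windows this value would come from GetProcessTimes (kernel + user). */
typedef struct { unsigned tick, pid; unsigned long cpu; } Sample;

static ProcState procs[MAX_PROCS];
static Interval intervals[MAX_INTERVALS];
static int nprocs, nintervals;

/* Record the closed run [begin, end] and mark the process idle again. */
static void close_interval(ProcState *p, unsigned end) {
    if (nintervals < MAX_INTERVALS) {
        Interval iv = { p->pid, p->begin, end };
        intervals[nintervals++] = iv;
    }
    p->active = 0;
}

/* Feed one sample; the first sighting of a pid only sets its baseline. */
static void feed(const Sample *s) {
    ProcState *p = NULL;
    for (int i = 0; i < nprocs; i++) if (procs[i].pid == s->pid) p = &procs[i];
    if (!p) {
        if (nprocs == MAX_PROCS) return;
        p = &procs[nprocs++];
        p->pid = s->pid; p->active = 0;
    } else {
        int ran = s->cpu != p->last_cpu;     /* CurrentCPUTime != LastSeenCPUTime */
        if (ran && !p->active) { p->active = 1; p->begin = p->last_tick; }
        else if (!ran && p->active) close_interval(p, p->last_tick);
    }
    p->last_cpu = s->cpu; p->last_tick = s->tick;
}

/* Close any still-open runs at the final tick and return the interval count. */
static int finish(unsigned tick) {
    for (int i = 0; i < nprocs; i++) if (procs[i].active) close_interval(&procs[i], tick);
    return nintervals;
}

/* Replays a constructed trace: pid 100 bursts twice, pid 200 never consumes CPU. */
int run_demo(void) {
    static const Sample trace[] = {
        {0,100,0},{0,200,5},{1,100,0},{1,200,5},{2,100,10},{2,200,5},{3,100,20},{3,200,5},
        {4,100,20},{4,200,5},{5,100,20},{5,200,5},{6,100,30},{6,200,5} };
    nprocs = nintervals = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) feed(&trace[i]);
    return finish(6);
}
const Interval *interval_at(int i) { return &intervals[i]; }
int main(void) { int n = run_demo(); for (int i = 0; i < n; i++) printf("pid %u active [%u,%u]\n", intervals[i].pid, intervals[i].begin, intervals[i].end); return 0; }
```

    The resolution is one sampling tick, so a process that runs and blocks again between two samples without its CPU time changing is missed; Tim's compute-bound case (#3) is caught, while his focused-but-idle Word case (#1) is not, which is the point of his question.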

  • anton_bassov Member Posts: 5,010

    In the above scenario, I would want to record the times when Word gets user-input,

    As I told you already, this part should be done in userland. For example, SetWindowsHookEx() has been designed exactly for this purpose - it allows you to trace all window messages that the windows of your target process (in this particular case, of MSFT Word) receive. Therefore, you will be in a position to trace all kbd and mouse activity, as well as the precise timing of these events....

    and the robocopy I/O timestamps.

    ....and this one with FS filter driver.

    Anton Bassov
