Active Process intervals

How to write a Kernel driver to record active intervals (begin, end) of each process?
Does KMDF provide callbacks for the same?

Take a look at PsSetCreateProcessNotifyRoutineEx

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

Thanks, Don! I’m currently using the PsSetCreateProcessNotifyRoutineEx to record whenever a new process/thread is created/destroyed. Along with this, I want to log when a process/thread is being actively used by the user.

The assumption I’m making here is that the Windows scheduling works on a priority basis, and there are idle times when a process is not actively being used by the user.

Although it may not be possible to log all time slices allocated to the process, is there a way I can find out when a process makes I/O calls etc.?

Along with this, I want to log when a process/thread is being actively used by the user.

I would say that this part should be rather accomplished in the userland with SetWindowsHookEx(), GetFocus() et al., rather than in the kernel…

The assumption I’m making here is that the Windows scheduling works on a priority basis, and there are idle times when
a process is not actively being used by the user.

Well, interactive processes/threads tend to spend most of their time in inactive state, waiting for an input and/or IO completion. It has nothing to do with thread priority - this part comes into play only when the target thread becomes active (because you can have multiple active threads at any particular moment, but only one of them may actually occupy CPU at the moment)…

Is there a way I can find out when a process makes I/O calls etc

Check Mr. Tippet’s post concerning a port of DTrace to Windows - this part seems to be really exciting and promising…

Anton Bassov

What is the overarching problem that you are attempting to solve ?

  • S (Msft)

I’m writing a kernel driver to record what processes a user uses, and at what times. I am trying to record the intervals when the process is actively being used by the user.

I am trying to record the intervals when the process is actively being used by the user

Tough ask. How do you determine “when the process is actively being used”? If I kick-off a Build All of a large solution, and I iconify Visual Studio… is that process “actively being used”? If I start some streaming audio app, and I go do some work on anything system… is that process “actively being used”?

Yeah… tough concept. I’m not sure it’s one that makes any sense, actually.

Peter

I want to consider a process active as long as it is making syscalls.

Hmmmm… “active” != “actively being used by a user” (consider all the various services/daemons in a system) and “active as long as it is making syscalls” surely means “actively making new syscalls” … Given that ZwWaitForSingleObject on an unsignalled dispatcher object leaves a process “actively making a syscall”… So, why not just look at changes in use in CPU time or something? Periodically look at all the processes that are running and see if CurrentCPUTime != LastSeenCPUTime?

Peter

ramchandra24 wrote:

I want to consider a process active as long as it is making syscalls.

I find that a very odd definition.  Let me posit some scenarios to get
you to think about what you’re asking.

Let’s say I have 4 processes:

* I have Word in the foreground, making changes
* I have Excel in the background
* I have a compute-bound task in the background
* I have started a big robocopy to a USB drive

So, which of these are “active” for your purpose?  #1 has the input
focus, but it’s not using much CPU time.  It spends most of its time
waiting for keyboard and mouse messages.  #2 is running, but blocked
waiting for input messages.  #3 is actively consuming CPU time, but not
making syscalls.  #4 is actively making I/O requests, but does not have
input focus.

So, what statistics are you trying to gather?

I was under the impression that we cannot acquire CPU access times of processes. So, the idea was to capture whenever processes make I/O calls. In the above scenario, I would want to record the times when Word gets user-input, and the robocopy I/O timestamps.

Do we have access to CPU times of a process?

I was under the impression that we cannot acquire CPU access times of processes

Well, it’s gotta be possible, right? I mean… you’ve seen Task Manager.

How about GetProcessTimes?

would want to record the times when Word gets user-input, and the robocopy I/O timestamps

I’m sorry… I don’t even understand what that means.

Peter
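The polling approach Peter suggests in his two replies above (periodically compare a process's CPU time with the value last seen, which is what GetProcessTimes exposes from user mode) can be written down as a small interval recorder. The code below is an added example, not code from this thread or from any of the posters; it assumes CPU time and wall-clock time are both carried in the 100 ns units that FILETIME uses, and the sample values in `main` are constructed. The interval logic is portable C; the `sample_process` helper that reads the real counters is compiled only on Windows.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* One poll of a process: when it was taken and how much cumulative CPU time
 * (kernel + user) the process had consumed by then. Both are in 100 ns units,
 * the resolution GetProcessTimes reports. */
typedef struct {
    uint64_t wall;   /* wall-clock timestamp of the poll */
    uint64_t cpu;    /* cumulative CPU time at that timestamp */
} cpu_sample_t;

typedef struct {
    uint64_t begin;  /* last poll before the CPU counter was seen advancing */
    uint64_t end;    /* last poll at which it was still advancing */
} interval_t;

/*
 * Collapse a series of polls of one process into "active" intervals.
 * The window [s[i-1].wall, s[i].wall] counts as active when the CPU counter
 * moved between the two polls (CurrentCPUTime != LastSeenCPUTime); adjacent
 * active windows are merged into one interval. Returns the number of
 * intervals written to out (at most max_out).
 */
size_t cpu_active_intervals(const cpu_sample_t *s, size_t n,
                            interval_t *out, size_t max_out)
{
    size_t count = 0;
    int open = 0;                        /* an interval is being extended */
    for (size_t i = 1; i < n; i++) {
        if (s[i].cpu != s[i - 1].cpu) {
            if (!open) {
                if (count == max_out)    /* caller's buffer is full */
                    break;
                out[count].begin = s[i - 1].wall;
                open = 1;
            }
            out[count].end = s[i].wall;
        } else if (open) {
            count++;                     /* close the interval on first idle window */
            open = 0;
        }
    }
    if (open)
        count++;
    return count;
}

#ifdef _WIN32
#include <windows.h>
/* Poll one process by PID with GetProcessTimes. PROCESS_QUERY_LIMITED_INFORMATION
 * is enough to read the times and grants nothing else on the process. */
int sample_process(DWORD pid, cpu_sample_t *s)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (h == NULL)
        return 0;
    FILETIME create, exited, kernel, user, now;
    BOOL ok = GetProcessTimes(h, &create, &exited, &kernel, &user);
    CloseHandle(h);
    if (!ok)
        return 0;
    GetSystemTimeAsFileTime(&now);
    ULARGE_INTEGER k, u, w;
    k.LowPart = kernel.dwLowDateTime; k.HighPart = kernel.dwHighDateTime;
    u.LowPart = user.dwLowDateTime;   u.HighPart = user.dwHighDateTime;
    w.LowPart = now.dwLowDateTime;    w.HighPart = now.dwHighDateTime;
    s->wall = w.QuadPart;
    s->cpu = k.QuadPart + u.QuadPart;
    return 1;
}
#endif

int main(void)
{
    /* Constructed polls, one per second (10^7 units of 100 ns): the process
     * burns CPU during the first second, idles for two, runs again for two. */
    const uint64_t S = 10000000ULL;
    cpu_sample_t polls[] = {
        {0 * S, 0}, {1 * S, 5000000}, {2 * S, 5000000}, {3 * S, 5000000},
        {4 * S, 7000000}, {5 * S, 9000000}, {6 * S, 9000000},
    };
    interval_t iv[8];
    size_t n = cpu_active_intervals(polls, sizeof polls / sizeof polls[0],
                                    iv, 8);
    for (size_t i = 0; i < n; i++)
        printf("active from %llu s to %llu s\n",
               (unsigned long long)(iv[i].begin / S),
               (unsigned long long)(iv[i].end / S));
    return 0;
}
```

Two caveats follow from the design. The poll period bounds what can be seen: a process that ran for less than one scheduler tick between two polls shows no change in its counters and is reported idle for that window, so the interval boundaries are only as sharp as the polling rate. And because a PID can be reused after a process exits, a recorder that tracks processes by PID should also consume the create/exit notifications the original poster already gets from PsSetCreateProcessNotifyRoutineEx (or the creation time GetProcessTimes returns) to tell a new process from the old one.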

In the above scenario, I would want to record the times when Word gets user-input,

As I told you already, this part should be done in the userland. For example, SetWindowsHookEx() has been designed exactly
for this purpose - it allows you to trace all window messages that the windows of your target process (in this particular case,
of MSFT Word) receive. Therefore, you will be in a position to trace all kbd and mouse activity, as well as the precise timing of these events…

and the robocopy I/O timestamps.

…and this one with an FS filter driver.

Anton Bassov