Notification of kernel objects creation by any process on system

We have a file system driver. We want to get notified of “Kernel object” creation by any process.

Is there any way to receive notification in kernel mode?

Mmmm kernel objects can only be created by the kernel. Do you mean a user-mode handle? If yes, you can only track process and thread handles as far as I know.

kernel objects can only be created by the kernel

True, but the kernel may (and in most cases does) create these objects (i.e. processes, threads, synch objects, file objects, etc.) in response to requests from the userland. I think this is what the OP is asking about.

If yes, you can only track process and thread handles as far as I know.

According to Mr. Tippet, there is a DTrace Windows port that is available on GitHub. I am not 100% sure it is going to be of help, but the OP may want to investigate this direction…

Anton Bassov

True, but the kernel may (and in most cases does) create these objects (i.e. processes, threads, synch objects, file objects, etc.) in response to requests from the userland. I think this is what the OP is asking about.

Probably. He would be able to monitor file and registry access too.

According to Mr. Tippet, there is a DTrace Windows port that is available on GitHub. I am not 100% sure it is going to be of help, but the OP may want to investigate this direction…

Saw it, and it seems abandoned and undocumented. I saw some new routines to assist Windows Defender (fair competition :frowning:) but, unless it is convenient for Microsoft, I doubt they put any effort into adding useful features for us.

Saw it, and it seems abandoned and undocumented…

IIRC, Jeffrey seemed to be of a much higher opinion of it.

… unless it is convenient for Microsoft, I doubt they put any effort into adding useful features for us.

I dunno, but according to Jeffrey, it is going to be included in future Windows releases, and will come as an integrated part of the system.

In other words, you may be dismissing it too hastily…

Anton Bassov

Well, I’ll expect they do, and document access/usage.