Identify the file path from the pid (Network path or not)

Hi.
How can I detect whether this process has a network file path or a local one?
I know we can detect it via DeviceObject->Characteristics, but in my case I just have a PID.
Thank you.

How can I detect whether this process has a network file path or a local one?

I don’t know what that means. Are you asking if the main executable for this process came from a network drive? What do you intend to do with this information?

Thank you for the reply.

@Tim_Roberts said:
I don’t know what that means. Are you asking if the main executable for this process came from a network drive? What do you intend to do with this information?

I set a process-notify callback and I can identify whether the process has a network file path or any removable file path.
My conditions for the check are:

if (
    _File_Object->DeviceObject->Characteristics & FILE_REMOVABLE_MEDIA ||
    _File_Object->DeviceObject->Characteristics & FILE_VIRTUAL_VOLUME ||
    _File_Object->DeviceObject->Characteristics & FILE_CHARACTERISTIC_WEBDAV_DEVICE ||
    _File_Object->DeviceObject->Characteristics & FILE_CHARACTERISTIC_TS_DEVICE ||
    _File_Object->DeviceObject->Characteristics & FILE_REMOTE_DEVICE)

Now I am checking how to identify this if the driver is not loaded from boot and we only have a PID.
I mean, when we do not have access to the _FILE_OBJECT structure.

I am not 100% sure if I understood your situation.



As far as I know: A process ID is a handle to a process. A process is never a file. So you need to check which files the process has opened. Once you have a list of these file handles you can loop through the list and check every file handle separately.



Oh, and by the way: You can combine the flags:

if(Characteristics & (
FILE_REMOVABLE_MEDIA | FILE_VIRTUAL_VOLUME | ... | FILE_REMOTE_DEVICE
)){
1 Like
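The combined mask suggested in the post above, written out as an added example that compiles and runs outside the kernel (this is not code from the thread). The characteristic bit values are copied from wdm.h so the check can be exercised on a host; the second function shows what actually happens if the flags are joined with logical `||` instead of bitwise `|`: the parenthesised expression collapses to the integer 1, so only bit 0 (FILE_REMOVABLE_MEDIA) is ever tested and a remote device is reported as local.

```c
#include <stdio.h>

/* Device characteristic bits as defined in wdm.h. Copied here (assumed
   values, matching the public header) so this file builds without the WDK. */
#define FILE_REMOVABLE_MEDIA              0x00000001UL
#define FILE_REMOTE_DEVICE                0x00000010UL
#define FILE_DEVICE_IS_MOUNTED            0x00000020UL   /* not a "non-local" bit */
#define FILE_VIRTUAL_VOLUME               0x00000040UL
#define FILE_CHARACTERISTIC_TS_DEVICE     0x00001000UL
#define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000UL

/* One mask built with bitwise OR: a single AND then tests all five bits. */
#define NON_LOCAL_DEVICE_MASK (FILE_REMOVABLE_MEDIA | FILE_VIRTUAL_VOLUME | \
    FILE_CHARACTERISTIC_WEBDAV_DEVICE | FILE_CHARACTERISTIC_TS_DEVICE | FILE_REMOTE_DEVICE)

/* Returns 1 if DeviceObject->Characteristics marks the device as removable,
   virtual, WebDAV, Terminal Services or remote; 0 for a plain local volume. */
int IsNonLocalDevice(unsigned long characteristics)
{
    return (characteristics & NON_LOCAL_DEVICE_MASK) != 0;
}

/* The same check with logical || : (0x1 || 0x40 || ...) evaluates to 1, so
   this only ever detects FILE_REMOVABLE_MEDIA. Kept here to show the bug. */
int IsNonLocalDevice_Broken(unsigned long characteristics)
{
    return (characteristics & (FILE_REMOVABLE_MEDIA || FILE_VIRTUAL_VOLUME ||
                               FILE_CHARACTERISTIC_WEBDAV_DEVICE ||
                               FILE_CHARACTERISTIC_TS_DEVICE ||
                               FILE_REMOTE_DEVICE)) != 0;
}

int main(void)
{
    /* Constructed sample Characteristics values, not taken from a real device. */
    const struct { const char *name; unsigned long c; } samples[] = {
        { "local fixed volume",      FILE_DEVICE_IS_MOUNTED },
        { "USB stick",               FILE_REMOVABLE_MEDIA | FILE_DEVICE_IS_MOUNTED },
        { "SMB redirector (MUP)",    FILE_REMOTE_DEVICE },
        { "WebDAV redirector",       FILE_REMOTE_DEVICE | FILE_CHARACTERISTIC_WEBDAV_DEVICE },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s 0x%08lx  correct=%d  broken=%d\n", samples[i].name, samples[i].c,
               IsNonLocalDevice(samples[i].c), IsNonLocalDevice_Broken(samples[i].c));
    return 0;
}
```

Note that FILE_DEVICE_IS_MOUNTED is included only as a bit that must not trigger the check; the mask is the five bits from the post, nothing more.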

… Now I am checking how to identify this if the driver is not loaded from boot and we only have a PID.

What driver? Drivers are not associated with PIDs, and drivers are not loaded from network shares.

1 Like

I misinterpreted what I meant

@Tim_Roberts said:

… Now I am checking how to identify this if the driver is not loaded from boot and we only have a PID.

What driver? Drivers are not associated with PIDs, and drivers are not loaded from network shares.

I can get the full image path name with ZwQueryInformationProcess, given a process ID.
For example, the process image path is:
\Device\HardDisk…0\Windows\System32\notepad.exe
But if I run the application from the network, then the output is:
\Device\MUP\Sharefolder.local\app.exe
So how can I identify this with just a PID?
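An added example (not code from the thread) that works from the native image path alone, which is what the post above has in hand: the path that ZwQueryInformationProcess returns is matched case-insensitively against redirector device prefixes. Only \Device\MUP appears on the page; the LanmanRedirector and WebDavRedirector names are an assumption and can be extended. The input is modelled as a length-counted wide buffer, like a UNICODE_STRING, rather than a NUL-terminated string. The caveat is that this is a heuristic: a removable volume shows up as an ordinary \Device\HarddiskVolumeN path, so only the FILE_OBJECT's DeviceObject->Characteristics check can catch that case.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Assumed device prefixes for remote (redirector) paths. \Device\Mup is the
   one shown in the thread; the other two are added here as an assumption. */
static const wchar_t *const kRemotePrefixes[] = {
    L"\\Device\\Mup\\",
    L"\\Device\\LanmanRedirector\\",
    L"\\Device\\WebDavRedirector\\",
};

/* Case-insensitive "buffer of len wide chars starts with prefix".
   The buffer is not assumed to be NUL-terminated (UNICODE_STRING style). */
static int StartsWithNoCase(const wchar_t *buf, size_t len, const wchar_t *prefix)
{
    size_t plen = wcslen(prefix);
    if (len < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)
        if (towlower((wint_t)buf[i]) != towlower((wint_t)prefix[i]))
            return 0;
    return 1;
}

/* Returns 1 if the native image path names a redirector device, else 0. */
int ImagePathIsRemote(const wchar_t *path, size_t len)
{
    for (size_t i = 0; i < sizeof kRemotePrefixes / sizeof kRemotePrefixes[0]; i++)
        if (StartsWithNoCase(path, len, kRemotePrefixes[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths in the shape the thread shows. */
    const wchar_t *samples[] = {
        L"\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe",
        L"\\Device\\MUP\\Sharefolder.local\\app.exe",
        L"\\Device\\HarddiskVolume7\\Tools\\app.exe",   /* could be a USB stick */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s  %ls\n", ImagePathIsRemote(samples[i], wcslen(samples[i])) ? "remote" : "local ",
               samples[i]);
    return 0;
}
```

The third sample is the reason this cannot replace the Characteristics check: nothing in a \Device\HarddiskVolumeN path says whether the volume is fixed or removable.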

The system does not assign PIDs in any particular order. You cannot say that because a PID is in the range 1-100 it is some kind X and because it is in some other range 1000-5000 it is another kind Y.

PID is simply an integer that uniquely identifies a process that is currently running with respect to other processes that are also currently running. PID values can and are re-used to refer to different processes at different times. You cannot get any additional information about a process from a PID directly.

Typically information like this is obtained in UM. To do that, you have to open a HANDLE to the target process. That HANDLE allows access to the target process based on a security check and will always refer to the same process until it is closed - even if the process terminates.

1 Like

@MBond2 said:

even if the process terminates
Thank you, all this is clear.
Can you explain this sentence further?
Even if the process has closed?

Hi!

@sennin said:

I can get the full image path name with ZwQueryInformationProcess, given a process ID.
For example, the process image path is:
\Device\HardDisk…0\Windows\System32\notepad.exe
But if I run the application from the network, then the output is:
\Device\MUP\Sharefolder.local\app.exe
So how can I identify this with just a PID?

To retrieve the FILE_OBJECT by process ID you may try PsLookupProcessByProcessId and then
PsReferenceProcessFilePointer (the latter is not documented).

1 Like

A UM process has three basic states in its lifetime

  1. It has been created and the OS is preparing to start to run it
  2. it is running
  3. it has terminated, and the OS is in the process of cleaning it up

In state 3, if there are valid HANDLEs outstanding, the KM resources associated with that process will not be cleaned up until those handles are closed

suppose the sequence

a.exe begins and is assigned PID 123
process B opens a HANDLE to process A
a.exe terminates

a new instance of a.exe begins. It is unlikely, but possible that it will also be assigned PID 123

Process B interrogates information about a process a.exe based on PID and gets the wrong information, or interrogates about a process based on the HANDLE that has been opened and gets the right information.

The HANDLE will always refer to the same specific ‘object’, but names like PID don’t always

*** There are important points that I am not mentioning

1 Like

@Aleh_Kazakevich said:
To retrieve the FILE_OBJECT by process ID you may try PsLookupProcessByProcessId and then
PsReferenceProcessFilePointer (the latter is not documented).

This is what I need.
Thank you.

@MBond2 said:
A UM process has three basic states in its lifetime

  1. It has been created and the OS is preparing to start to run it
  2. it is running
  3. it has terminated, and the OS is in the process of cleaning it up

In state 3, if there are valid HANDLEs outstanding, the KM resources associated with that process will not be cleaned up until those handles are closed

suppose the sequence

a.exe begins and is assigned PID 123
process B opens a HANDLE to process A
a.exe terminates

a new instance of a.exe begins. It is unlikely, but possible that it will also be assigned PID 123

Process B interrogates information about a process a.exe based on PID and gets the wrong information, or interrogates about a process based on the HANDLE that has been opened and gets the right information.

The HANDLE will always refer to the same specific ‘object’, but names like PID don’t always

*** There are important points that I am not mentioning

Thank you very much for your explanation.
I did not pay attention to this point.