Accessing context switch information for current user-mode process from kernel?

Hi, I’m writing a minifilter driver and one of the requirements of the project I’m involved in is that I do a stack trace of the user-mode thread that invoked the callback routine.

Do I have this right? I’ve read that minifilter preprocess operations execute in a specific thread context, namely, the thread that invoked the operation (at least for the basic file operations I’m going to be filtering). So, it only makes sense that I can then freely read that user-mode memory from that callback as it’s guaranteed to be the right process’s memory?

I can see what I need to do: get the saved base pointer from the context switch, and ‘walk the stack’ until I get to Win32 routine addresses, recording along the way. However, I can’t seem to find an API that lets me fetch the saved information I’m looking for.

What should I do?

>a stack trace of the user-mode thread that invoked the callback routine.

Impossible without having the symbols at hand.

You will not be able to traverse the frame pointer omission records.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
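The frame-pointer walk the question describes, and the way frame pointer omission (FPO) breaks it, can be shown on a constructed stack image. The following is an added example written for this thread, not code from either poster and not a driver: it models an x64 user-mode stack in plain C (each frame holding a saved RBP and a return address), walks the chain with the bounds and direction checks a practitioner would want before dereferencing anything a user thread controls, and then repeats the walk with one frame built without a frame pointer so the trace silently truncates. All addresses (`STACK_BASE`, `RET_*`) are constructed values, not real module or stack addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an x64 user-mode stack, not a real thread's memory.
 * With frame pointers, each prologue does "push rbp; mov rbp, rsp", so at
 * any frame:  [rbp]   = caller's saved rbp
 *             [rbp+8] = return address into the caller. */
#define STACK_WORDS 32
#define MAX_FRAMES  16

typedef struct {
    uint64_t base;                 /* constructed virtual address of words[0] */
    uint64_t words[STACK_WORDS];   /* stack contents, lowest address first */
} stack_image_t;

/* A frame pointer is only usable if it is 8-byte aligned and both the
 * saved-rbp slot and the return-address slot lie inside the stack region. */
static int frame_in_stack(const stack_image_t *s, uint64_t rbp)
{
    uint64_t limit = s->base + sizeof(s->words);
    return (rbp % 8 == 0) && rbp >= s->base && rbp + 16 <= limit;
}

static uint64_t read_word(const stack_image_t *s, uint64_t addr)
{
    return s->words[(addr - s->base) / 8];
}

/* Walk the rbp chain and record return addresses. Stops when the chain
 * leaves the stack, fails to move toward higher addresses (which also
 * breaks cycles), or reaches max_frames. Returns the number of frames. */
size_t walk_frame_chain(const stack_image_t *s, uint64_t rbp,
                        uint64_t *out, size_t max_frames)
{
    size_t n = 0;
    while (n < max_frames && frame_in_stack(s, rbp)) {
        uint64_t saved_rbp = read_word(s, rbp);
        out[n++] = read_word(s, rbp + 8);
        if (saved_rbp <= rbp)      /* 0 at thread start, or garbage */
            break;
        rbp = saved_rbp;
    }
    return n;
}

/* Constructed return-site and stack addresses (not real module addresses). */
#define RET_INNER  0x0000000000401120ULL
#define RET_MIDDLE 0x0000000000401250ULL
#define RET_THUNK  0x00007ffa00001234ULL   /* stands in for a Win32 thread-start thunk */
#define STACK_BASE 0x000000d2f7e00000ULL

/* Three frames, all compiled with frame pointers: inner -> middle -> thunk. */
static void build_full_chain(stack_image_t *s)
{
    memset(s, 0, sizeof *s);
    s->base = STACK_BASE;
    s->words[2]  = STACK_BASE + 0x40;  s->words[3]  = RET_INNER;   /* frame at base+0x10 */
    s->words[8]  = STACK_BASE + 0x80;  s->words[9]  = RET_MIDDLE;  /* frame at base+0x40 */
    s->words[16] = 0;                  s->words[17] = RET_THUNK;   /* frame at base+0x80, chain end */
}

/* Same layout, but the middle function was built with FPO: it used rbp as a
 * general register, so the value the inner frame saved is a loop counter. */
static void build_fpo_chain(stack_image_t *s)
{
    build_full_chain(s);
    s->words[2] = 0x0000000000000005ULL;  /* arbitrary data, not a frame pointer */
}

size_t trace_full_chain(uint64_t *out)
{
    stack_image_t s;
    build_full_chain(&s);
    return walk_frame_chain(&s, STACK_BASE + 0x10, out, MAX_FRAMES);
}

size_t trace_fpo_chain(uint64_t *out)
{
    stack_image_t s;
    build_fpo_chain(&s);
    return walk_frame_chain(&s, STACK_BASE + 0x10, out, MAX_FRAMES);
}

int main(void)
{
    uint64_t frames[MAX_FRAMES];
    size_t n = trace_full_chain(frames);
    printf("with frame pointers: %zu frames\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  ret %#llx\n", (unsigned long long)frames[i]);
    n = trace_fpo_chain(frames);
    printf("with FPO in the middle frame: %zu frame(s), trace truncated\n", n);
    return 0;
}
```

The full chain yields three return addresses ending at the thread-start thunk; the FPO variant yields one, because the slot the walker trusts as a saved frame pointer holds unrelated data. A value that happened to look like a valid stack address would instead produce a plausible but wrong frame, which is why the walk cannot be trusted without unwind information or symbols, as the reply above says.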