Application Name of the IO operation...

Is there any way to find out for which application a particular IRP is sent to driver …

When I am processing IRP_MJ_WRITE I would like to get the name of the application for which the IO operation is happening …

PRIYA MS



The Irp->Overlay.Thread contains the thread that
originated the request. You may do “IoThreadToProcess”
on it, you’ll get the EPROCESS structure of the process.

Then open the process by ObOpenObjectByPointer
and do NtQueryInformationProcess(ProcessImageFileName)

I’ve never tried this, but I think you should get the 12-character
image file name stored in the EPROCESS structure.

Note that I am not sure if this works inside the IRP_MJ_WRITE
handler.

L.

Thanks L !!

I will try as per your suggestion…



Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

PRIYA MS


NTFSD NTDEV wrote:
> Is there any way to find out for which application a particular IRP is
> sent to driver …

You DO understand that - at best - you’re going to get just the NAME
part of the file from which the image was loaded. Not the path.

This is entirely useless, except perhaps for debugging, given that
anybody can create an executable with any given name in their own
directory (like, using rename)…

Please check the archives. IIRC, this has been discussed to death here
in the past.

Peter
OSR

Thanks peter for your advice !!

Actually my requirement is like this: a particular file is to be opened by only a particular application.

I am storing the info regarding “which file is to be opened by which application” in the registry. So for every IO I would like to check on behalf of what application the IO operation is to be done… So I filter and cancel the IRPs if they are originating from some other application…

Is there any other way to achieve this…?


PRIYA MS
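Peter’s caveat applied to Priya’s file-to-application rule, as an added example in user-mode C that is not code from this thread: the policy table stands in for the registry mapping, the requestor’s image path is assumed to be handed in by the driver (obtained from the requesting process as the replies describe), and all file and image paths are constructed. It shows why the check has to compare the full image path and not just the bare image name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the registry mapping "file -> allowed application":
 * each row names the one executable (full NT-style path) allowed to open the file. */
typedef struct { const char *file; const char *allowed_image; } policy_t;
static const policy_t POLICY[] = {
    { "\\??\\C:\\Secret\\ledger.dat", "\\??\\C:\\Program Files\\Ledger\\ledger.exe" },
};
#define POLICY_COUNT (sizeof POLICY / sizeof POLICY[0])

/* Windows paths are case-insensitive, so compare them that way. */
static int path_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Last path component: all that a bare image-name lookup gives you. */
static const char *image_basename(const char *path)
{
    const char *slash = strrchr(path, '\\');
    return slash ? slash + 1 : path;
}

/* 1 = let the IRP through, 0 = fail/cancel it. name_only=1 models matching on
 * the bare image name (any renamed copy matches), name_only=0 on the full path. */
int access_allowed(const char *file, const char *requestor_image, int name_only)
{
    for (size_t i = 0; i < POLICY_COUNT; i++) {
        if (!path_equal(POLICY[i].file, file))
            continue;
        if (name_only)
            return path_equal(image_basename(POLICY[i].allowed_image),
                              image_basename(requestor_image));
        return path_equal(POLICY[i].allowed_image, requestor_image);
    }
    return 1; /* file is not in the policy: the filter does not restrict it */
}

int main(void)
{
    const char *file = "\\??\\C:\\Secret\\ledger.dat";
    const char *renamed = "\\??\\C:\\Users\\mallory\\ledger.exe"; /* constructed */
    printf("name-only check: %d (fooled)\n", access_allowed(file, renamed, 1));
    printf("full-path check: %d (denied)\n", access_allowed(file, renamed, 0));
    return 0;
}
```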


If possible try having a Shell Extension module in user space which
will listen to the filesystem (APIs using SHChangeNotifyRegister,
SHChangeNotify etc), capture the open request, process name and send
this info to the device and thereon you can always control the
flow…this may be a bit difficult to synchronize the control flow between
user and kernel but might solve your problem… make sure to have
named object events that synchronize the execution.

Good luck…
K.Raju


From: NTFSD NTDEV [mailto:xxxxx@yahoo.com]
Sent: Friday, December 03, 2004 12:02 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Application Name of the IO operation…


IoGetRequestorProcess is one more such function.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Ladislav Zezula
To: Windows File Systems Devs Interest List
Sent: Wednesday, December 01, 2004 9:47 AM
Subject: Re: [ntfsd] Application Name of the IO operation…
