Detecting process start/termination from DD

Hi everyone.

How can I detect the moments when a process gets started (I guess, a process ID is
created) and terminated (the process ID is freed)?
Also I would like to detect thread start/termination.
Any hints will be appreciated.

Vladimir

Try PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine.
They are documented in the Win2k DDK, but they were available and work
with NT4, even though undocumented.

Don Burn
NT Device Driver Consultant


Thank you very much, Don!

I guess, my next question :) would be how can I get a full path to the
started process, given its KM handle or PEPROC?
Basically, what I need is to change the behavior of my driver depending on the
process in whose context an IRP has been issued. All "special" processes are
registered by their paths (or file names). I also have an application that has
a duplex connection with my driver. So, if the solution could be found in a mix
of driver and app, it's OK.
I also found PsSetLoadImageNotifyRoutine in the W2K DDK. Could it be of any
help?

Regards,

Vladimir


Vladimir,

I have not used PsSetLoadImageNotifyRoutine, since it was not
available for NT4, and my work in this area required compatibility with
both systems. I used the process ID, then in user space called
OpenProcess, EnumProcessModules, GetModuleFileNameEx to
get the full path. The restriction here is that at the time of the call to
the process creation notify routine, these calls may not have enough
context to return the correct values.

Given your statement of the problem, I would consider using
a lookup of the process in a table in your driver; if the process ID does
not exist in the table, trigger a user mode service to get the full path
for you, then determine if this is a special one. Use the
PsSetCreateProcessNotifyRoutine to delete data structures no longer
needed due to process termination.

Don Burn
NT Device Driver Consultant

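Added example, not code from the thread or from either poster: a portable C model of the design described in Don's two replies, the notify-routine callbacks from the first and the PID table with a lazy user-mode path lookup from the second. It compiles and runs outside a driver, so the kernel-specific parts are represented rather than called: the callback has the shape of a PsSetCreateProcessNotifyRoutine routine but is invoked by hand, the user-mode service reply is a plain function call, and the spin lock a real driver would hold around the table is omitted. All names (pid_table, pid_lookup, classify_pid, on_path_resolved, pid_reuse_scenario) are the example's own, and special_paths is a constructed stand-in for the application's registered list. The example also carries one caveat the design needs in practice: a process ID is reused once it is freed, so a reply from user mode has to be tied to the specific process instance it was asked about, otherwise a later process with the same PID inherits the earlier verdict.

```c
/* Added example, not code from the thread: a portable C model of the design Don Burn
 * describes (PID-keyed table in the driver, lazy round trip to a user-mode service for
 * the image path, entries dropped on termination). In a real driver the table is guarded
 * by a spin lock and the callback is registered with PsSetCreateProcessNotifyRoutine;
 * all names here are the example's own and special_paths is a constructed stand-in. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pid_state { PID_UNKNOWN = 0, PID_PENDING, PID_NORMAL, PID_SPECIAL };
/* One tracked process. generation is unique per creation and ties a reply to one process instance. */
struct pid_entry { bool in_use; uintptr_t pid; uint64_t generation; enum pid_state state; };

#define PID_TABLE_SIZE 64
struct pid_table { struct pid_entry slots[PID_TABLE_SIZE]; uint64_t next_generation; unsigned lookups_requested; };

/* Constructed stand-in for the paths the application registers with the driver. */
static const char *const special_paths[] = { "C:\\Tools\\backup.exe", "C:\\Tools\\indexer.exe" };

/* NT paths compare case-insensitively (a driver would use RtlEqualUnicodeString for this). */
static bool path_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Find the entry for pid; with insert set, allocate one (with a fresh generation) if absent. */
static struct pid_entry *pid_lookup(struct pid_table *t, uintptr_t pid, bool insert)
{
    struct pid_entry *free_slot = NULL;
    for (size_t i = 0; i < PID_TABLE_SIZE; i++) {
        if (t->slots[i].in_use && t->slots[i].pid == pid) return &t->slots[i];
        if (!t->slots[i].in_use && !free_slot) free_slot = &t->slots[i];
    }
    if (!insert || !free_slot) return NULL;  /* also NULL when the table is full */
    free_slot->in_use = true;
    free_slot->pid = pid;
    free_slot->generation = ++t->next_generation;
    free_slot->state = PID_UNKNOWN;
    return free_slot;
}

/* Same shape as the PsSetCreateProcessNotifyRoutine callback: (ParentId, ProcessId, Create). */
void on_process_notify(struct pid_table *t, uintptr_t parent, uintptr_t pid, bool create)
{
    struct pid_entry *e;
    (void)parent;
    if (create) { pid_lookup(t, pid, true); return; }
    e = pid_lookup(t, pid, false);
    if (e) memset(e, 0, sizeof *e);  /* PID is being freed; a process that reuses it starts clean */
}

/* IRP path, called with PsGetCurrentProcessId(). The first IRP from a PID queues a user-mode lookup
 * and, until the reply lands, the process is treated as not special (asking here, not at creation). */
enum pid_state classify_pid(struct pid_table *t, uintptr_t pid, uint64_t *generation_out)
{
    struct pid_entry *e = pid_lookup(t, pid, true);
    if (!e) return PID_NORMAL;  /* table full: fail closed */
    if (e->state == PID_UNKNOWN) {
        e->state = PID_PENDING;
        t->lookups_requested++;  /* a real driver queues (pid, generation) to the user-mode service */
    }
    if (generation_out) *generation_out = e->generation;
    return e->state;
}

/* Reply from the user-mode service (OpenProcess + GetModuleFileNameEx on its side). Refused when
 * that process instance is gone, so a reused PID never inherits the previous owner's verdict. */
bool on_path_resolved(struct pid_table *t, uintptr_t pid, uint64_t generation, const char *path)
{
    struct pid_entry *e = pid_lookup(t, pid, false);
    if (!e || e->generation != generation) return false;
    e->state = PID_NORMAL;
    for (size_t i = 0; i < sizeof special_paths / sizeof special_paths[0]; i++)
        if (path_equal_nocase(path, special_paths[i])) { e->state = PID_SPECIAL; break; }
    return true;
}

/* One create / classify / exit / PID-reuse sequence; true if every step behaved as intended. */
bool pid_reuse_scenario(void)
{
    struct pid_table t;
    uint64_t gen = 0;
    memset(&t, 0, sizeof t);
    on_process_notify(&t, 4, 100, true);                                  /* process 100 starts */
    if (classify_pid(&t, 100, &gen) != PID_PENDING) return false;        /* first IRP queues a lookup */
    if (!on_path_resolved(&t, 100, gen, "c:\\tools\\BACKUP.EXE")) return false;
    if (classify_pid(&t, 100, NULL) != PID_SPECIAL) return false;
    on_process_notify(&t, 4, 100, false);                                 /* process 100 exits */
    on_process_notify(&t, 4, 100, true);                                  /* a new process gets PID 100 */
    if (on_path_resolved(&t, 100, gen, special_paths[0])) return false;  /* stale reply refused */
    if (classify_pid(&t, 100, NULL) != PID_PENDING) return false;        /* new owner is not special */
    return t.lookups_requested == 2;
}

int main(void) { return pid_reuse_scenario() ? 0 : 1; }
```

Two design points worth noting. Until the reply arrives the process is treated as not special, so a slow or missing answer from the service fails closed rather than open. And classify_pid inserts PIDs it has never seen instead of assuming the creation callback saw every process, so a driver that loads after boot still learns about pre-existing processes on their first IRP.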

From user mode, you can use the PSAPI DLL. The functions
EnumProcessModules, GetModuleBaseName, and GetModuleFileNameEx should be
useful. You need a user mode handle in the correct context to use these. I
think you should be able to get the PID from kernel mode and pass it to your
user mode component and use OpenProcess to get the handle. The handle must
have PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access.
