How do I determine in kernel mode which process (e.g. svchost.exe) is a service (by ID, PEPROCESS or other parameters)? Is that possible?
Try PsGetCurrentProcess() and PsGetCurrentProcessId()
On Wed, Sep 23, 2009 at 8:44 AM, wrote:
> How to determine in kernel mode, what process (f.e.: svchost.exe) is a
> service (by ID or PEPROCESS or other parameters) . Is there a possibility?
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> Try PsGetCurrentProcess() and PsGetCurrentProcessId()
And? I can get the PID and a pointer to _EPROCESS. How do I bind svchost.exe to “Windows Event Log”?
What do you mean by “How bind svchost.exe to “Windows Event Log””? Do you
want to get the image name of the current process?
On Wed, Sep 23, 2009 at 10:02 AM, wrote:
> > Try PsGetCurrentProcess() and PsGetCurrentProcessId()
> And? I can get the PID and a pointer to _EPROCESS. How do I bind svchost.exe to
> “Windows Event Log”?
I think that, in the kernel, he wants to figure out which services are
being run from one of the service container processes (e.g.
svchost.exe) which I suppose is possible based on image load
information but begs the question of why this would be useful or
required for a kernel mode module.
Mark Roddy
On Wed, Sep 23, 2009 at 10:07 AM, Michael Zhu wrote:
> What do you mean by “How bind svchost.exe to “Windows Event Log””? Do you
> want to get the image name of the current process?
>
> On Wed, Sep 23, 2009 at 10:02 AM, wrote:
>>
>> > Try PsGetCurrentProcess() and PsGetCurrentProcessId()
>> And? I can get the PID and a pointer to _EPROCESS. How do I bind svchost.exe to
>> “Windows Event Log”?
>>What do you mean by “How bind svchost.exe to “Windows Event Log””? Do you want to get the image name of the current process?
I think he meant: given the PID and EPROCESS, how can he conclude whether this process is registered as a service? Am I correct, OP?
If so, the answer is that you cannot. Services are EXEs/DLLs registered with the SCM; they do not have any special meaning in the kernel, they are just processes, so there is no straightforward way. You can develop some workaround though, like passing the PID to user mode and enumerating the SCM database with advapi32.dll, or any XYZ method which suits your requirement. But as it is part of the SCM, which is itself a user-mode process, you have to do it in user mode.
On second thought, you may want to check the Services registry key under HKLM, but it will require you to fetch the process name and then do the comparison, and probably more.
Thanks
Aditya
>>which I suppose is possible based on image load information
Really? Can you please share some information on it?
Thanks
Aditya
PsSetLoadImageNotifyRoutine
Every service run by a service container process has to be loaded by
that process.
Mark Roddy
On Wed, Sep 23, 2009 at 10:51 AM, wrote:
>>>which I suppose is possible based on image load information
>
> Really? Can you please share some information on it?
>
> Thanks
> Aditya
Why do you want to do this?
- S
-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, September 23, 2009 7:51
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Determinate services processes
>>which I suppose is possible based on image load information
Really? Can you please share some information on it?
Thanks
Aditya
>>PsSetLoadImageNotifyRoutine Every service run by a service container process has to be loaded by that process.
Do you mean PsSetCreateProcessNotifyRoutine? I did not find any member of image_info which can provide parent process information.
@Ken
I do not want this, OP does. (redirecting).
ProcessId doesn’t work for you? Yes, you also have to have a
PsSetCreateProcessNotifyRoutine so you can figure out which process IDs
correlate to which processes of interest.
But this all begs the question of why the OP needs this information in
the kernel.
Mark Roddy
On Wed, Sep 23, 2009 at 2:47 PM, wrote:
>>>PsSetLoadImageNotifyRoutine Every service run by a service container process has to be loaded by that process.
>
> Do you mean PsSetCreateProcessNotifyRoutine? I did not find any member of image_info which can provide parent process information.
>
> @Ken
>
> I do not want this, OP does. (redirecting).
>I did not find any member of image_info which can provide parent process information.
Well, it would be surprising if you did, taking into account that there is no parent-child relationship between processes under Windows. By the time a newly-created process decides to make use of its parent’s PID, its parent may already be gone and its PID may already have been reused. Therefore, providing the parent PID would not be particularly useful here and may result in some “misunderstanding”…
Anton Bassov
>>By the time a newly-created process decides to make use of its parent’s PID, its parent may already be gone and its PID may already have been reused. Therefore, providing the parent PID would not be particularly useful here and may result in some “misunderstanding”…
I think for this specific case what Mark has suggested may work. As he is trying to distinguish whether a process is a service or not, the parent will always be the SCM, which is a critical process; even though it can be killed using some methods, in normal cases it cannot be (e.g. using Task Manager).
But still, the better idea would be to move it to user mode.
Thanks
Aditya
> I think for this specific case, what Mark has suggested may work.
Actually, Mark did not suggest PsSetCreateProcessNotifyRoutine(). He suggested PsSetLoadImageNotifyRoutine() which does not seem to be related to solving the OP’s problem, because, IIRC, UM services run as separate processes, rather than images loaded into SCM’s address space (otherwise the number of user services that may run on 32-bit OS would be fairly small because of the address space constraints).
I just explained why PsSetCreateProcessNotifyRoutine() does not provide information about parent processes, although in this particular case it would be, indeed, quite useful…
Anton Bassov
>>Actually, Mark did not suggest PsSetCreateProcessNotifyRoutine(). He suggested PsSetLoadImageNotifyRoutine()
I actually thought that he meant PsSetCreateProcessNotifyRoutine and wrote it wrong.
>UM services run as separate processes, rather than images loaded into SCM’s address space (otherwise the number of user services that may run on 32-bit OS would be fairly small because of the address space constraints).
True, as services implemented as a DLL also get their individual process as svchost (though I guess there exists some mechanism to share them).
>I just explained why PsSetCreateProcessNotifyRoutine() does not provide information about parent processes, although in this particular case it would be, indeed, quite useful…
Yes, I got it.
Thanks
Aditya
Some services run as separate processes and some don’t. The OP has
mostly vanished as far as I can tell, but the OP seemed to want to
know about services loaded within one of the service container
processes. Those services can be detected through load image
notification ProcessId and process notification.
Mark Roddy
On Thu, Sep 24, 2009 at 7:15 AM, wrote:
>>>Actually, Mark did not suggest PsSetCreateProcessNotifyRoutine(). He suggested PsSetLoadImageNotifyRoutine()
>
> I actually thought that he meant PsSetCreateProcessNotifyRoutine and wrote it wrong.
>
>>>UM services run as separate processes, rather than images loaded into SCM’s address space (otherwise the number of user services that may run on 32-bit OS would be fairly small because of the address space constraints).
>
> True, as services implemented as a DLL also get their individual process as svchost (though I guess there exists some mechanism to share them).
>
>>>I just explained why PsSetCreateProcessNotifyRoutine() does not provide information about parent processes, although in this particular case it would be, indeed, quite useful…
>
> Yes, I got it.
>
> Thanks
> Aditya
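As an added example (not code from this thread or from any participant), here is a portable C model of the correlation Mark describes: the create-process callback records which PIDs the SCM (services.exe) started, and the load-image callback attributes later image loads (svchost.exe and the service DLLs) to those PIDs, deciding on the parent at creation time so the PID-reuse caveat Anton raises cannot mislabel a later, unrelated process. The callback shapes, the identification of services.exe by its image path, and every PID and path used are assumptions constructed for the example; no real kernel API is called.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: on_process_notify takes the (ParentId, ProcessId, Create)
 * arguments of a PsSetCreateProcessNotifyRoutine callback, on_image_load the
 * (FullImageName, ProcessId) arguments of a PsSetLoadImageNotifyRoutine callback. */
#define MAX_PROCS 32
#define MAX_LOADS 32
typedef struct { unsigned pid; bool alive; bool svc_container; } ProcEntry;
typedef struct { unsigned pid; char image[64]; } ImageLoad;
static ProcEntry procs[MAX_PROCS]; static ImageLoad loads[MAX_LOADS];
static size_t n_loads; static unsigned scm_pid;  /* services.exe PID while alive, else 0 */

static ProcEntry *find_proc(unsigned pid) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (procs[i].alive && procs[i].pid == pid) return &procs[i];
    return NULL;
}
/* True if path ends in "\" + base, e.g. "...\System32\services.exe" (assumed naming). */
static bool name_is(const char *path, const char *base) {
    size_t lp = strlen(path), lb = strlen(base);
    return lp > lb && path[lp - lb - 1] == '\\' && !strcmp(path + lp - lb, base);
}
/* Process create/exit. The parent is judged at creation time, so a later exit
 * of services.exe, or reuse of its PID, cannot mislabel an unrelated child. */
void on_process_notify(unsigned parent, unsigned pid, bool create) {
    ProcEntry *e = find_proc(pid);
    if (!create && pid == scm_pid) scm_pid = 0;        /* SCM gone: its PID may be recycled */
    if (!create) { if (e) e->alive = false; return; }  /* exit: this PID may be recycled */
    for (size_t i = 0; i < MAX_PROCS && !e; i++) if (!procs[i].alive) e = &procs[i];
    if (!e) return;                                    /* table full: drop rather than guess */
    e->pid = pid; e->alive = true;
    e->svc_container = (scm_pid != 0 && parent == scm_pid);
}
/* Image load: learn the SCM's PID from its own main image, then record every
 * image (svchost.exe and the service DLLs) loaded into an SCM-started process. */
void on_image_load(const char *full_image_name, unsigned pid) {
    if (name_is(full_image_name, "services.exe")) scm_pid = pid;
    ProcEntry *e = find_proc(pid);
    if (!e || !e->svc_container || n_loads >= MAX_LOADS) return;
    loads[n_loads].pid = pid;
    snprintf(loads[n_loads++].image, sizeof loads[0].image, "%s", full_image_name);
}
bool is_service_container(unsigned pid) { ProcEntry *e = find_proc(pid); return e && e->svc_container; }
size_t loads_of(unsigned pid, const char *base) {   /* images named base attributed to pid */
    size_t n = 0;
    for (size_t i = 0; i < n_loads; i++) n += loads[i].pid == pid && name_is(loads[i].image, base);
    return n;
}
```

Feed the two callbacks in the order the kernel would deliver them (process creation, then the main image load) and query `is_service_container` and `loads_of` afterwards.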