By watching the file IO, I can see various IO operations (mostly
IRP_MJ_CREATE’s) occurring, and some of them are UI-related, for
instance playing a sound (ding.wav, etc…), reading the wallpaper file,
etc. This shows up as UserMode activity.
How can I tell the difference between this type of IO and user-generated
IO, like if the user was browsing a filesystem with Explorer, or opening
a file?
> How can I tell the difference between this type of IO and user-generated IO?
There is no difference, all requests are treated equally by the kernel.
L.
I think the first problem you have here is having a proper definition of
“user generated” versus “windows generated” and sufficient exploration of
that definition problem might leave your question answered.
“Corey, Steve” wrote in message news:xxxxx@ntfsd…
> By watching the file IO, I can see various IO operations (mostly
> IRP_MJ_CREATE’s) occurring, and some of them are UI-related, for instance
> playing a sound (ding.wav, etc…), reading the wallpaper file, etc. This
> shows up as UserMode activity.
> How can I tell the difference between this type of IO and user-generated IO,
> like if the user was browsing a filesystem with Explorer, or opening a file?
> How can I tell the difference between this type of IO and user-generated
> IO, like if the user was browsing a filesystem with Explorer, or opening
> a file?
You cannot. There is no difference at all. Explorer is just one more user app.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Hi,
Explorer is also an application that is written over Windows like any other application. It's just that it is written by Microsoft and you can get this application along with Windows. But if you want to know the name of the current process or its id, you can look to the EPROCESS structure. You can use PsGetCurrentProcess and IoGetCurrentProcess for that.
Windows I/O is something that is conducted by a worker thread, maybe your system process, so don't confuse it with Windows I/O.
Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.
THIS IS REALLY STUPID AND WRONG!!!. The EPROCESS structure is not
something to poke into, you will not get the process name safely by trying
to do this. The only software that played this game was some sysinternals
stuff which was for diagnostics only. Unfortunately, too many firms ripped
off Sysinternals, so they removed the source. I do hope you are paying
them their royalties since it seems likely you are using this.
Also, Windows I/O is not guaranteed to be by a worker thread, there is
nothing stopping a component from grabbing a user thread (for instance a
request) and using it for I/O for its own purposes. If you had read the
previous responses you would have seen that there is no way to tell. TRY
TO GET YOUR FACTS STRAIGHT BEFORE RECOMMENDING GARBAGE.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
wrote in message news:xxxxx@ntfsd…
> Hi,
>
> Explorer is also an application that is written over Windows like any
> other application. It's just that it is written by Microsoft and you can
> get this application along with Windows. But if you want to know the
> name of the current process or its id, you can look to the EPROCESS
> structure. You can use PsGetCurrentProcess and IoGetCurrentProcess for
> that.
>
> Windows I/O is something that is conducted by a worker thread, maybe
> your system process, so don't confuse it with Windows I/O.
>
> Thanks & Regards
>
> Aishwary Bhashkar
> Sr. Software Engineer
> R Systems International Ltd.
>
>
I have learned this structure from Windows Internals, I hope they have paid the royalty of putting that in public. And moreover there must be a way, that's why FileSpy shows the name of the process.
Use ZwQueryInformationProcess() and see the link Microsoft has put in MSDN, so I hope we can use it.
http://msdn2.microsoft.com/en-us/library/ms687420.aspx
Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.
xxxxx@rsystems.com wrote:
> I have learned this structure from Windows Internals, I hope they have paid the royalty of putting that in public. And moreover there must be a way, that's why FileSpy shows the name of the process.
> Use ZwQueryInformationProcess() and see the link Microsoft has put in MSDN, so I hope we can use it.
> http://msdn2.microsoft.com/en-us/library/ms687420.aspx
Uh… nowhere on that page does it advocate digging into the EPROCESS
structure… in fact it seems unrelated to the solution you gave. Of
course Windows can find out the process name, but they don’t give a
reliable way for us to do it - plus it’s not really useful information
anyway, for reasons that have been discussed many times.
Also it contains several warnings:
the *very first line* says:
“ZwQueryInformationProcess may be altered or unavailable in future
versions of Windows. Applications should use the alternate functions
listed in this topic.”
The remarks say:
“The ZwQueryInformationProcess function and the structures that it
returns are internal to the operating system and subject to change from
one release of Windows to another. To maintain the compatibility of your
application, it is better to use public functions mentioned in the
description of the ProcessInformationClass parameter instead.”
That’s not a function I would want any commercial app I was working on
to be using.
Tony
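An added example, not code from anyone in this thread, that makes the point of the replies above concrete: a filter can record which process and thread issued an IRP_MJ_CREATE, but that identity does not separate "Windows generated" IO from "user generated" IO, because explorer.exe issues both. The only discriminator left is the target path, and that is a heuristic. The log lines, the process/thread ids and the path prefixes below are constructed for the example; the log format is an assumed tab-separated shape, not FileSpy's or any real tool's output.

```python
# Added example: attribute create-style records to their requestor and
# apply a path heuristic. Illustrates why process identity alone cannot
# tell "user generated" from "Windows generated" file IO.
from collections import defaultdict

# Assumed prefixes a filter author might treat as shell/system resources.
# This is an illustrative list for the example, not a Windows-defined one.
SYSTEM_RESOURCE_PREFIXES = (
    "c:\\windows\\media\\",
    "c:\\windows\\web\\wallpaper\\",
    "c:\\windows\\system32\\",
)

# Constructed log lines: pid<TAB>tid<TAB>image<TAB>path. All values invented.
SAMPLE_LOG = """\
1532\t2044\texplorer.exe\tC:\\Windows\\Media\\ding.wav
1532\t2044\texplorer.exe\tC:\\Windows\\Web\\Wallpaper\\img0.jpg
1532\t3120\texplorer.exe\tC:\\Users\\steve\\Documents\\report.docx
4\t88\tSystem\tC:\\Windows\\System32\\config\\SOFTWARE
2888\t2890\tnotepad.exe\tC:\\Users\\steve\\Documents\\notes.txt
"""


def parse_line(line):
    """Split one log line into a (pid, tid, image, path) tuple."""
    pid, tid, image, path = line.rstrip("\n").split("\t", 3)
    return int(pid), int(tid), image, path


def parse_log(text):
    """Parse every non-empty line of a constructed log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify_path(path):
    """Heuristic label from the target path only; 'unclassified' = no signal."""
    if path.lower().startswith(SYSTEM_RESOURCE_PREFIXES):
        return "system-resource"
    return "unclassified"


def attribute(records):
    """Map image -> label -> set of thread ids that issued such a create."""
    by_image = defaultdict(lambda: defaultdict(set))
    for pid, tid, image, path in records:
        by_image[image][classify_path(path)].add(tid)
    return by_image


def images_with_both_classes(records):
    """Images that issued both 'system-resource' and 'unclassified' creates."""
    return sorted(
        image
        for image, labels in attribute(records).items()
        if {"system-resource", "unclassified"} <= set(labels)
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for image, labels in attribute(recs).items():
        print(image, {label: sorted(tids) for label, tids in labels.items()})
    # explorer.exe shows up under both labels: requestor identity is not
    # enough, which is what the replies in this thread say.
    print("ambiguous images:", images_with_both_classes(recs))
```

The output lists explorer.exe under both labels, from the same process id and even the same thread id for the sound and wallpaper opens, so a filter keyed on process name (or on EPROCESS contents) would classify the wallpaper read and the user's document open identically.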
Oh, thanks. I wrote this filter a while back and haven’t updated it. I will put up the updated one.
Thanks & Regards
Aishwary Bhashkar
Sr. Software Engineer
R Systems International Ltd.