Do threads have PIDs in windows?

Hi,

I just want to know if the threads you make inside kernel level drivers, do have PIDs?

Thank you

Well they have a process and a thread ID, just like any other thread in
Windows.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:

> Hi,
>
> I just want to know if the threads you make inside kernel level drivers, do have PIDs?
>
> Thank you

Thanks,

So do those PIDs come from a reserved block of PID, for the threads, or
are they just normal PIDs?

On Tue, Sep 20, 2011 at 10:51 PM, Don Burn wrote:

> Well they have a process and a thread ID, just like any other thread in
> Windows.
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

When you create a thread in the kernel you specify the process with a
handle or NULL. For NULL it defaults to the system process, otherwise
the process specified. There is no reserved block, the process ID and
thread ID follow the standard system rules whether this is a thread
created in user space or kernel space.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Chathura Mazz” wrote in message
news:xxxxx@ntfsd:

> Thanks,
>
> So do those PIDs come from a reserved block of PID, for the threads, or
> are they just normal PIDs?

Ok thanks,

So is there a way that I could find out if the thread is made by kernel
mode code or user mode code?

On Wed, Sep 21, 2011 at 11:20 AM, Don Burn wrote:

> When you create a thread in the kernel you specify the process with a
> handle or NULL. For NULL it defaults to the system process, otherwise the
> process specified. There is no reserved block, the process ID and thread ID
> follow the standard system rules whether this is a thread created in user
> space or kernel space.

First why should you care? The only difference between a thread created
in the kernel and user space is the kernel thread will not have a user
space stack, but there is no way to determine that. Most kernel threads
will be part of the system process.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Chathura Mazz” wrote in message
news:xxxxx@ntfsd:

> Ok thanks,
>
> So is there a way that I could find out if the thread is made by kernel
> mode code or user mode code?

Thanks,

Because if there was a way to do that, I could find out if the thread
belongs to my kernel mode driver or the usermode application

Is there any other way I could find this out?

On Wed, Sep 21, 2011 at 11:57 AM, Don Burn wrote:

> First why should you care? The only difference between a thread created in
> the kernel and user space is the kernel thread will not have a user space
> stack, but there is no way to determine that. Most kernel threads will be
> part of the system process.

On 9/21/2011 5:46 AM, Chathura Mazz wrote:

> Thanks,
>
> Because if there was a way to do that, I could find out if the thread
> belongs to my kernel mode driver or the usermode application
> Is there any other way I could find this out?

When you create your kernel threads in your driver stash away the thread
ID of that thread, or threads. When you are trying to determine if a
given context is your thread, compare the current thread id with those
in your list.

Of course this can all break down if a filter above you queues requests
to their own worker pool.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

“Because if there was a way to do that, I could find out if the thread
belongs to my kernel mode driver or the usermode application”

Why is this important ? What do you intend to do with this information ? Is
this for security (deny access to other threads) ? Is this for logging
(exclude operations issued by your driver from logging) ? Is this for other
reasons (virtualize operations issued by a specific thread) ? Please
describe your scenario…

Thanks,

Alex.

Thanks,

yes this is for security reasons.

I want to find out if the PID belongs to Kernel mode code (by analysing
the PID or by any other way) so if it is then I grant write access to the
file, otherwise I want to deny access (Deny user mode processes).

But is this possible, if it is how is it possible?

On Wed, Sep 21, 2011 at 5:06 PM, Alex Carp wrote:

> “Because if there was a way to do that, I could find out if the thread
> belongs to my kernel mode driver or the usermode application”
>
> Why is this important ? What do you intend to do with this information ? Is
> this for security (deny access to other threads) ? Is this for logging
> (exclude operations issued by your driver from logging) ? Is this for other
> reasons (virtualize operations issued by a specific thread) ? Please
> describe your scenario…
>
> Thanks,
>
> Alex.


Wouldn’t that be better done on a per open basis rather than a per thread one?

Apart from working around interop issues, I cannot see why you would want to distinguish between a create from kernel code which has borrowed a stack/thread or a create from kernel code which has spun up its own…


thanks Rod,

Could you please explain how can it be done?

On Thu, Sep 22, 2011 at 1:51 PM, Rod Widdowson wrote:

> Wouldn’t that be better done on a per open basis rather than a per
> thread one?
>
> Apart from working around interop issues, I cannot see why you would want
> to distinguish between a create from kernel code which has borrowed a
> stack/thread or a create from kernel code which has spun up its own…

It's in the IRP.

Something like

    if (KernelMode == Data->RequestorMode) {
        // Do stuff
    } else {
        // Do other stuff
    }


awesome thanks,

Let me clarify this.

So you can do this in precreate and find out if the requests are being
called by KernelMode or User Mode?

On Thu, Sep 22, 2011 at 3:42 PM, Rod Widdowson wrote:

> It's in the IRP.
>
> Something like
>
>     if (KernelMode == Data->RequestorMode) {
>         // Do stuff
>     } else {
>         // Do other stuff
>     }

> So you can do this in precreate and find out if the requests are being called by KernelMode or User Mode?

Yes.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
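
The pre-create `RequestorMode` test and the stashed-thread-ID comparison suggested in this thread, combined as an added example (not code from any poster). It is a user-mode model of the decision only: the WDK names and values are redeclared as stand-ins, `create_request`, `own_threads` and `precreate_verdict` are hypothetical, and counting delete and `MAXIMUM_ALLOWED` as write-type access is an assumed policy. It goes one step beyond the thread by treating a kernel-mode requestor with `SL_FORCE_ACCESS_CHECK` set as user mode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-mode stand-ins carrying the WDK names and values, so the decision
   logic compiles outside a driver build. */
typedef enum { KernelMode = 0, UserMode = 1 } MODE;
#define SL_FORCE_ACCESS_CHECK 0x01u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_WRITE_EA         0x00000010u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define MAXIMUM_ALLOWED       0x02000000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_WRITE         0x40000000u
/* Assumed policy: any of these bits counts as a write-type open. */
#define WRITE_ACCESS_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
    FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER |                  \
    MAXIMUM_ALLOWED | GENERIC_ALL | GENERIC_WRITE)

/* Hypothetical flattened view of what a pre-create callback reads:
   Data->RequestorMode, Data->Iopb->OperationFlags,
   ...Parameters.Create.SecurityContext->DesiredAccess, PsGetCurrentThreadId(). */
typedef struct {
    MODE requestor_mode; uint8_t operation_flags;
    uint32_t desired_access; uintptr_t thread_id;
} create_request;

/* Thread IDs stashed at thread creation; a real driver would lock this list. */
#define MAX_OWN_THREADS 8
typedef struct { uintptr_t ids[MAX_OWN_THREADS]; size_t count; } own_threads;

bool remember_thread(own_threads *t, uintptr_t id) {
    if (t->count == MAX_OWN_THREADS) return false;
    t->ids[t->count++] = id;
    return true;
}

bool is_own_thread(const own_threads *t, uintptr_t id) {
    for (size_t i = 0; i < t->count; i++)
        if (t->ids[i] == id) return true;
    return false;
}

typedef enum { CREATE_ALLOW, CREATE_DENY } create_verdict;
/* CREATE_DENY corresponds to setting Data->IoStatus.Status to
   STATUS_ACCESS_DENIED and returning FLT_PREOP_COMPLETE.
   Pass own == NULL to accept any kernel-mode requestor. */
create_verdict precreate_verdict(const create_request *r, const own_threads *own) {
    if ((r->desired_access & WRITE_ACCESS_MASK) == 0)
        return CREATE_ALLOW;                 /* read-only opens pass */
    /* SL_FORCE_ACCESS_CHECK: a kernel component opening on behalf of a
       user-mode caller, so the request is treated as user mode. */
    if (r->requestor_mode != KernelMode ||
        (r->operation_flags & SL_FORCE_ACCESS_CHECK))
        return CREATE_DENY;
    /* KernelMode covers every kernel component; optionally narrow it to the
       threads this driver created. */
    if (own != NULL && !is_own_thread(own, r->thread_id))
        return CREATE_DENY;
    return CREATE_ALLOW;
}

int main(void) {
    own_threads own = { {0}, 0 };
    remember_thread(&own, 0x1a4);            /* constructed thread ID */
    create_request user = { UserMode, 0, GENERIC_WRITE, 0x9c0 };
    create_request mine = { KernelMode, 0, FILE_WRITE_DATA, 0x1a4 };
    return (precreate_verdict(&user, &own) == CREATE_DENY &&
            precreate_verdict(&mine, &own) == CREATE_ALLOW) ? 0 : 1;
}
```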