Enumerate process in Kernel mode ?

I’m quite bored to read again and again questions like that.
This task is actually quite common – and OP said, he wants to list all
running processes in the system. So he should combine
PsSetCreateProcessNotifyRoutine and
ZwQuerySystemInformation/SystemProcessInformation(5), or use user-mode
helper component. However, it must be always synced with PsSet- callback.

EPROCESS struct should be used only for dbg purpose (ideal for KdPrint),
because it contains only a short name, struct offsets/size can vary between
OSes, e.g.
winxp: +0x16c ImageFileName : [15] UChar
win7 : +0x174 ImageFileName : [16] UChar
see (15 vs. 16) size, also there’s no direct reference to UNICODE_STRING
from EPROCESS (as Julian noticed).

Petr

OP also asks:

Julian,
“…Travesing the internal process…”

• How to get the full path of “explorer.exe” from notify routine based
  on only ParentID and ProcessID ?

Also he says:

By the way, I am write to this post upon implementation on Windows 2000
for personal study and understanding.

And Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO field where you can
find the full process path.

Regards,

Julian

2013/7/22 Petr Kurtin

> I’m quite bored to read again and again questions like that.
> This task is actually quite common – and OP said, he wants to list all
> running processes in the system. So he should combine
> PsSetCreateProcessNotifyRoutine and
> ZwQuerySystemInformation/SystemProcessInformation(5), or use user-mode
> helper component. However, it must be always synced with PsSet- callback.
>
> EPROCESS struct should be used only for dbg purpose (ideal for KdPrint),
> because it contains only a short name, struct offsets/size can vary between
> OSes, e.g.
> winxp: +0x16c ImageFileName : [15] UChar
> win7 : +0x174 ImageFileName : [16] UChar
> see (15 vs. 16) size, also there’s no direct reference to UNICODE_STRING
> from EPROCESS (as Julian noticed).
>
> Petr
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

And how are you going to know the offset of these items in EPROCESS?
EPROCESS changes fairly often including at least once changing the process
path from a pointer to WCHAR to a UNICODE_STRING structure. As people
pointed out, you have no synchronization with EPROCESS structures, and no
definition you can trust since it has changed dramatically with a hotfix in
the past. When I com in an code review for clients, if I see attempts to
much in EPROCESS I state that the driver is not shippable, and that the
developer should be spoken to sharply (at least).

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Juli?n de Navascu?s
Sent: Monday, July 22, 2013 7:21 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Enumerate process in Kernel mode ?

OP also asks:

Julian,
“…Travesing the internal process…”

• How to get the full path of “explorer.exe” from notify routine based
  on only ParentID and ProcessID ?

Also he says:

By the way, I am write to this post upon implementation on Windows 2000
for personal study and understanding.

And Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO field where you can
find the full process path.

Regards,

Julian

2013/7/22 Petr Kurtin

I’m quite bored to read again and again questions like that.
This task is actually quite common – and OP said, he wants to list
all
running processes in the system. So he should combine
PsSetCreateProcessNotifyRoutine and
ZwQuerySystemInformation/SystemProcessInformation(5), or use
user-mode
helper component. However, it must be always synced with PsSet-
callback.

EPROCESS struct should be used only for dbg purpose (ideal for
KdPrint),
because it contains only a short name, struct offsets/size can vary
between
OSes, e.g.
winxp: +0x16c ImageFileName : [15] UChar
win7 : +0x174 ImageFileName : [16] UChar
see (15 vs. 16) size, also there’s no direct reference to
UNICODE_STRING
from EPROCESS (as Julian noticed).

Petr

—
NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

— NTFSD is sponsored by OSR OSR is hiring!! Info at
http://www.osr.com/careers For our schedule of debugging and file system
seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Don,

In my first message I advise the OP against using undocumented stuff (so
opaque structs too). Then the OP says is just for personal study and the OS
is W2K *only*. I don’t expect too much changes in EPROCESS (W2K). As I
said in other message is just a hack, accessing EPROCESS is not a good idea
even from the notification routine but he is not working in a shippable
code and states he needs full path.

I really appreciate the valuable help that you (Don, Joe, Maxim, all…)
give to the lists but on this occasion I think you are being too strict.
If the OP is learning I think he have noticed all the warnings.

Regards,

Julian

2013/7/22 Don Burn

> And how are you going to know the offset of these items in EPROCESS?
> EPROCESS changes fairly often including at least once changing the process
> path from a pointer to WCHAR to a UNICODE_STRING structure. As people
> pointed out, you have no synchronization with EPROCESS structures, and no
> definition you can trust since it has changed dramatically with a hotfix in
> the past. When I com in an code review for clients, if I see attempts to
> much in EPROCESS I state that the driver is not shippable, and that the
> developer should be spoken to sharply (at least).
>
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Juli?n de
> Navascu?s
> Sent: Monday, July 22, 2013 7:21 AM
> To: Windows File Systems Devs Interest List
> Subject: Re: [ntfsd] Enumerate process in Kernel mode ?
>
> OP also asks:
>
> > Julian,
> > “…Travesing the internal process…”
> > - How to get the full path of “explorer.exe” from notify routine based
> > on only ParentID and ProcessID ?
>
> Also he says:
>
> >By the way, I am write to this post upon implementation on Windows 2000
> >for personal study and understanding.
>
> And Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO field where you can
> find the full process path.
>
> Regards,
>
> Julian
>
>
> 2013/7/22 Petr Kurtin
>
>
> I’m quite bored to read again and again questions like that.
> This task is actually quite common – and OP said, he wants to list
> all
> running processes in the system. So he should combine
> PsSetCreateProcessNotifyRoutine and
> ZwQuerySystemInformation/SystemProcessInformation(5), or use
> user-mode
> helper component. However, it must be always synced with PsSet-
> callback.
>
> EPROCESS struct should be used only for dbg purpose (ideal for
> KdPrint),
> because it contains only a short name, struct offsets/size can vary
> between
> OSes, e.g.
> winxp: +0x16c ImageFileName : [15] UChar
> win7 : +0x174 ImageFileName : [16] UChar
> see (15 vs. 16) size, also there’s no direct reference to
> UNICODE_STRING
> from EPROCESS (as Julian noticed).
>
> Petr
>
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> — NTFSD is sponsored by OSR OSR is hiring!! Info at
> http://www.osr.com/careers For our schedule of debugging and file system
> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
> Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Sorry, but attitudes like what you just expressed are what produces total
CRAP!!! The number of “only for myself projects” whose code gets put into
products is amazing. I know of one company that took a developer’s code
that had huge warnings that “this is only for test purposes, ‘Illegal use of
structures, will crash’ and shipped it” When of course the predicted
crashes occurred, the original developer who had long left the company was
blamed (this one included a lawsuit against the firm that released the
garbage).

The OP is a beginner, that is the worst time to be mucking with undocumented
and dangerous code, since a beginner cannot evaluate the risks.
Personally, recommending approaches like this is unprofessional and I have
suggested to firms they fire senior people who gave such advice to the
juniors.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Juli?n de Navascu?s
Sent: Monday, July 22, 2013 9:46 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Enumerate process in Kernel mode ?

Don,

In my first message I advise the OP against using undocumented stuff (so
opaque structs too). Then the OP says is just for personal study and the OS
is W2K *only*. I don’t expect too much changes in EPROCESS (W2K). As I said
in other message is just a hack, accessing EPROCESS is not a good idea even
from the notification routine but he is not working in a shippable code and
states he needs full path.

I really appreciate the valuable help that you (Don, Joe, Maxim, all…)
give to the lists but on this occasion I think you are being too strict. If
the OP is learning I think he have noticed all the warnings.

Regards,

Julian

2013/7/22 Don Burn

And how are you going to know the offset of these items in EPROCESS?
EPROCESS changes fairly often including at least once changing the
process
path from a pointer to WCHAR to a UNICODE_STRING structure. As
people
pointed out, you have no synchronization with EPROCESS structures,
and no
definition you can trust since it has changed dramatically with a
hotfix in
the past. When I com in an code review for clients, if I see
attempts to
much in EPROCESS I state that the driver is not shippable, and that
the
developer should be spoken to sharply (at least).

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Juli?n de
Navascu?s
Sent: Monday, July 22, 2013 7:21 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Enumerate process in Kernel mode ?

OP also asks:

> Julian,
> “…Travesing the internal process…”
> - How to get the full path of “explorer.exe” from notify routine
based
> on only ParentID and ProcessID ?

Also he says:

>By the way, I am write to this post upon implementation on Windows
2000
>for personal study and understanding.

And Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO field where you
can
find the full process path.

Regards,

Julian

2013/7/22 Petr Kurtin

I’m quite bored to read again and again questions like that.
This task is actually quite common – and OP said, he wants
to list
all
running processes in the system. So he should combine
PsSetCreateProcessNotifyRoutine and
ZwQuerySystemInformation/SystemProcessInformation(5), or use
user-mode
helper component. However, it must be always synced with
PsSet-
callback.

EPROCESS struct should be used only for dbg purpose (ideal
for
KdPrint),
because it contains only a short name, struct offsets/size
can vary
between
OSes, e.g.
winxp: +0x16c ImageFileName : [15] UChar
win7 : +0x174 ImageFileName : [16] UChar
see (15 vs. 16) size, also there’s no direct reference to
UNICODE_STRING
from EPROCESS (as Julian noticed).

Petr

—
NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars
visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online
at
http://www.osronline.com/page.cfm?name=ListServer

— NTFSD is sponsored by OSR OSR is hiring!! Info at
http://www.osr.com/careers For our schedule of debugging and file
system
seminars visit: http://www.osr.com/seminars To unsubscribe, visit
the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

— NTFSD is sponsored by OSR OSR is hiring!! Info at
http://www.osr.com/careers For our schedule of debugging and file system
seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

This strictness comes from years of bad experiences. You see someone
doing something like using EPROCESS in a product, and ask why, and they
say they know it works because they once did this as an experiment. These
experiments can be dangerous, because they allow the programmer to develop
what he or she believes is a working pattern, but it isn’t at all a
working pattern, it is a hack that succeeded mostly by lucky accident. So
we come down hard. It’s one thing to be “learning” and another to use
that knowledge in ways that lead to disaster. We’ve seen this happen
again and again over the years, I saw it in other operating systems, in
apps, all kinds of places where it doesn’t work. There is, for example, a
body of people who believe it is valid to access a window owned by one
thread from a completely different thread. They even say this is “safe”
because the kernel implements locks to prevent concurrent access. What
they do not realize is that lurking behind this is the undisciplined use
of locks that can lead to deadlock, and usually DOES lead to deadlock, and
they are left wondering why the product doesn’t work. You can’t rely on
bad patterns to build good products.
joe

Don,

In my first message I advise the OP against using undocumented stuff (so
opaque structs too). Then the OP says is just for personal study and the
OS
is W2K *only*. I don’t expect too much changes in EPROCESS (W2K). As I
said in other message is just a hack, accessing EPROCESS is not a good
idea
even from the notification routine but he is not working in a shippable
code and states he needs full path.

I really appreciate the valuable help that you (Don, Joe, Maxim, all…)
give to the lists but on this occasion I think you are being too strict.
If the OP is learning I think he have noticed all the warnings.

Regards,

Julian

2013/7/22 Don Burn
>
>> And how are you going to know the offset of these items in EPROCESS?
>> EPROCESS changes fairly often including at least once changing the
>> process
>> path from a pointer to WCHAR to a UNICODE_STRING structure. As people
>> pointed out, you have no synchronization with EPROCESS structures, and
>> no
>> definition you can trust since it has changed dramatically with a hotfix
>> in
>> the past. When I com in an code review for clients, if I see attempts
>> to
>> much in EPROCESS I state that the driver is not shippable, and that the
>> developer should be spoken to sharply (at least).
>>
>>
>> Don Burn
>> Windows Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>> Blog: http://msmvps.com/blogs/WinDrvr
>>
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Julián de
>> Navascués
>> Sent: Monday, July 22, 2013 7:21 AM
>> To: Windows File Systems Devs Interest List
>> Subject: Re: [ntfsd] Enumerate process in Kernel mode ?
>>
>> OP also asks:
>>
>> > Julian,
>> > “…Travesing the internal process…”
>> > - How to get the full path of “explorer.exe” from notify routine based
>> > on only ParentID and ProcessID ?
>>
>> Also he says:
>>
>> >By the way, I am write to this post upon implementation on Windows 2000
>> >for personal study and understanding.
>>
>> And Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO field where you can
>> find the full process path.
>>
>> Regards,
>>
>> Julian
>>
>>
>> 2013/7/22 Petr Kurtin
>>
>>
>> I’m quite bored to read again and again questions like that.
>> This task is actually quite common – and OP said, he wants to
>> list
>> all
>> running processes in the system. So he should combine
>> PsSetCreateProcessNotifyRoutine and
>> ZwQuerySystemInformation/SystemProcessInformation(5), or use
>> user-mode
>> helper component. However, it must be always synced with PsSet-
>> callback.
>>
>> EPROCESS struct should be used only for dbg purpose (ideal for
>> KdPrint),
>> because it contains only a short name, struct offsets/size can
>> vary
>> between
>> OSes, e.g.
>> winxp: +0x16c ImageFileName : [15] UChar
>> win7 : +0x174 ImageFileName : [16] UChar
>> see (15 vs. 16) size, also there’s no direct reference to
>> UNICODE_STRING
>> from EPROCESS (as Julian noticed).
>>
>> Petr
>>
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>>
>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>> http://www.osr.com/careers For our schedule of debugging and file system
>> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
>> List
>> Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

…very much appreciated for the help, hints and advise given by moderators here.

I really valued and evaluate all the feedbacks via a long digestion :o)

Julian,
“…Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO…”

• and this mean EPROCESS in W2K has no way to find full path.

Petr,
“…PsSetCreateProcessNotifyRoutine and ZwQuerySystemInformation…”
“…it contains only a short name…”

• I need to test whether ZwQuerySystemInformation() works in W2K or not.

Joseph,
“…you have no way to synchornize access to the EPROCESS…”
“…This strictness comes from years of bad experiences…”

• I respect your advise and knowledge sharing, although my post always feel like “bitten”
  and I am OK with that as all your feedbacks is from true heart :o)

Don,
“…no definition you can trust since it has changed dramatically…”

• Yes, I think to let go EPROCESS method.

If there is other new suggestion, do let me know here.

+1!!!

Sorry, but attitudes like what you just expressed are what produces total
CRAP!!! The number of “only for myself projects” whose code gets put
into
products is amazing. I know of one company that took a developer’s code
that had huge warnings that “this is only for test purposes, ‘Illegal use
of
structures, will crash’ and shipped it” When of course the predicted
crashes occurred, the original developer who had long left the company was
blamed (this one included a lawsuit against the firm that released the
garbage).

The OP is a beginner, that is the worst time to be mucking with
undocumented
and dangerous code, since a beginner cannot evaluate the risks.
Personally, recommending approaches like this is unprofessional and I have
suggested to firms they fire senior people who gave such advice to the
juniors.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Julián de
Navascués
Sent: Monday, July 22, 2013 9:46 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Enumerate process in Kernel mode ?

Don,

In my first message I advise the OP against using undocumented stuff (so
opaque structs too). Then the OP says is just for personal study and the
OS
is W2K *only*. I don’t expect too much changes in EPROCESS (W2K). As I
said
in other message is just a hack, accessing EPROCESS is not a good idea
even
from the notification routine but he is not working in a shippable code
and
states he needs full path.

I really appreciate the valuable help that you (Don, Joe, Maxim, all…)
give to the lists but on this occasion I think you are being too strict.
If
the OP is learning I think he have noticed all the warnings.

Regards,

Julian

2013/7/22 Don Burn
>
>
> And how are you going to know the offset of these items in EPROCESS?
> EPROCESS changes fairly often including at least once changing the
> process
> path from a pointer to WCHAR to a UNICODE_STRING structure. As
> people
> pointed out, you have no synchronization with EPROCESS structures,
> and no
> definition you can trust since it has changed dramatically with a
> hotfix in
> the past. When I com in an code review for clients, if I see
> attempts to
> much in EPROCESS I state that the driver is not shippable, and that
> the
> developer should be spoken to sharply (at least).
>
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Julián de
> Navascués
> Sent: Monday, July 22, 2013 7:21 AM
> To: Windows File Systems Devs Interest List
> Subject: Re: [ntfsd] Enumerate process in Kernel mode ?
>
> OP also asks:
>
> > Julian,
> > “…Travesing the internal process…”
> > - How to get the full path of “explorer.exe” from notify routine
> based
> > on only ParentID and ProcessID ?
>
> Also he says:
>
> >By the way, I am write to this post upon implementation on Windows
> 2000
> >for personal study and understanding.
>
> And Win7 EPROCESS has SE_AUDIT_PROCESS_CREATION_INFO field where you
> can
> find the full process path.
>
> Regards,
>
> Julian
>
>
> 2013/7/22 Petr Kurtin
>
>
> I’m quite bored to read again and again questions like that.
> This task is actually quite common – and OP said, he wants
> to list
> all
> running processes in the system. So he should combine
> PsSetCreateProcessNotifyRoutine and
> ZwQuerySystemInformation/SystemProcessInformation(5), or use
> user-mode
> helper component. However, it must be always synced with
> PsSet-
> callback.
>
> EPROCESS struct should be used only for dbg purpose (ideal
> for
> KdPrint),
> because it contains only a short name, struct offsets/size
> can vary
> between
> OSes, e.g.
> winxp: +0x16c ImageFileName : [15] UChar
> win7 : +0x174 ImageFileName : [16] UChar
> see (15 vs. 16) size, also there’s no direct reference to
> UNICODE_STRING
> from EPROCESS (as Julian noticed).
>
> Petr
>
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars
> visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online
> at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> — NTFSD is sponsored by OSR OSR is hiring!! Info at
> http://www.osr.com/careers For our schedule of debugging and file
> system
> seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List
> Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> — NTFSD is sponsored by OSR OSR is hiring!! Info at
> http://www.osr.com/careers For our schedule of debugging and file system
> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
> Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>