Executable start-up

While not strictly a mini-filter question, it does occur in a filtering
context…

Objective: Ignore wholesale chunks of I/O activity when some image (like
Word) is being assembled and loaded into memory. I haven’t actually counted
them but Word seems to open up several hundred things just as fast as it can
before it gets going.

I’ve been playing around with PsSetCreateProcessNotifyRoutine() and
PsSetLoadImageNotifyRoutine()

“CreateProcess” is executed once when some existing process initiates the
operation and then once again when the application is finally shut down.
Flags set accordingly…

“LoadImage” then seems to be called lots of times as various bits and pieces
are added to the application (DLLs, etc.).

What I need is some sort of indicator that the loading/etc. process is
complete and the application is now ready to run. Perhaps something just
before “main()” gets called…

It’d be nice to say “Pid x is being built, ignore it” followed by “It’s
ready to go, stop ignoring it.”

Regards,
Mickey.

Well, the problem here is with dynamic load capabilities, the load never has
to be done. What you can say is that the first callback to the
PsSetLoadImageNotifyRoutine specified routine for a process is the
executable file. Sometime shortly after the executable, you will start
executing in the process's address space.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

----- Original Message -----
From: “Mickey Lane”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, June 22, 2005 11:56 AM
Subject: [ntfsd] Executable start-up

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Wrt: running Word from the Start menu w/no doc file load included…

That’s pretty much the way I’ve got it coded but I’m still seeing 120+
IRP_MJ_CREATE operations after that. Granted, some or all of these are from
background threads in the running application but it’d still be nice to know
when the first ‘line’ of the new application was about to be executed.

It’s not the end of the world if this can’t be done but it sure would avoid
some useless processing. (I’m beginning to think that the trick to filtering
is figuring out what NOT to do…)

Thanks,
Mickey.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, June 22, 2005 12:03 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Executable start-up

> It’s not the end of the world if this can’t be done but it sure would
> avoid some useless processing.

The problem with such an approach is that at the FS filter
level, you can never say “Well, now Word started and
before its initialization is complete, I will just ignore requests”.

You must consider that an FS filter is a multithreaded and
multiprocessed environment. Even if you get a method
when Word’s startup is “done” (which is more or less
impossible, as Mr. Don Burn wrote), you will get requests
from all processes even between “word start” and “word
initialization complete”. Analyzing which request to ignore
and which not, is just beyond the might of the FS filter.

L.
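
A user-mode C model of the per-PID bookkeeping discussed in this thread, added here as an example and not code from any of the posters. It shows the one transition the thread identifies (the first load-image callback for a PID is the executable) and keys the ignore decision on the requesting PID, so I/O from other processes arriving in the same window is still examined. All names and the simplified callback parameters are assumptions.

```c
/* Added example: user-mode model, not driver code. In a driver the on_*
 * functions would be driven by the routines registered with
 * PsSetCreateProcessNotifyRoutine() and PsSetLoadImageNotifyRoutine(),
 * and the table would need a lock, since callbacks and I/O run concurrently.
 * All identifiers below are hypothetical. */
#include <stddef.h>

enum state { UNTRACKED = 0, CREATED, EXE_MAPPED };

#define SLOTS 64
static struct { unsigned long pid; enum state st; } table[SLOTS];

/* Index of the slot tracking pid, or SLOTS if the pid is not tracked. */
static size_t find(unsigned long pid) {
    for (size_t i = 0; i < SLOTS; i++)
        if (table[i].st != UNTRACKED && table[i].pid == pid) return i;
    return SLOTS;
}

/* Create-process notification: create != 0 at start, 0 at exit. */
void on_create_process(unsigned long pid, int create) {
    size_t i = find(pid);
    if (!create) {                       /* exit: forget the pid */
        if (i < SLOTS) table[i].st = UNTRACKED;
        return;
    }
    if (i < SLOTS) return;               /* already tracked */
    for (i = 0; i < SLOTS; i++)
        if (table[i].st == UNTRACKED) {
            table[i].pid = pid;
            table[i].st = CREATED;
            return;
        }
    /* Table full: the pid stays untracked, so its I/O is never ignored. */
}

/* Load-image notification. Returns 1 only for the first image seen for a
 * tracked pid (the executable); later calls (DLLs) return 0. */
int on_load_image(unsigned long pid) {
    size_t i = find(pid);
    if (i == SLOTS || table[i].st != CREATED) return 0;
    table[i].st = EXE_MAPPED;
    return 1;
}

/* Filter decision for one request issued by requestor_pid. */
int should_ignore(unsigned long requestor_pid) {
    size_t i = find(requestor_pid);
    return i < SLOTS && table[i].st == CREATED;
}
```

After the first image load the model stops ignoring the PID, which matches the thread: no later "ready to run" signal exists, so creates issued after that point are processed normally.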