Is there any way I can find out which process is opening a file? The point is
that if a certain process is opening a file I do not want to perform any
operations on it. Otherwise I want to.
*FltGetRequestorProcessId*
Shreyas Srivatsan wrote:
> Is there any way I can find out which process is opening a file? The
> point is that if a certain process is opening a file I do not want to
> perform any operations on it. Otherwise I want to.
— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently
subscribed to ntfsd as: xxxxx@comcast.net To unsubscribe send a
blank email to xxxxx@lists.osr.com
This is fine, but won't the requestor process ID change every time it is run?
So how can I relate the ID I get to a certain executable, say “test.exe”, so
that I do not have to do any work on the files opened by “test.exe”?
No, “test.exe”'s PID will remain the same for the life of its
execution. If you kill that program, and then restart it, yes, then it
will have a new PID.
Shreyas Srivatsan wrote:
> This is fine, but won't the requestor process ID change every time it is
> run? So how can I relate the ID I get to a certain executable, say
> “test.exe”, so that I do not have to do any work on the files opened by
> “test.exe”?
Misunderstood you. Take that PID and pass it to usermode, call
OpenProcess with that PID to get a handle.
Then, call GetModuleFileNameEx with that handle to get the process name and
path.
Shreyas Srivatsan wrote:
> This is fine, but won't the requestor process ID change every time it is
> run? So how can I relate the ID I get to a certain executable, say
> “test.exe”, so that I do not have to do any work on the files opened by
> “test.exe”?
Exactly. The test.exe will be called many times, so its PID keeps changing.
In that case how can I get what I want? Is there any way to find out the PID
of a process, like the PID of test.exe? Then I can compare with
requestorprocessid and then move forward.
Are you using the legacy or minifilter approach?
On 6/13/06, Shreyas Srivatsan wrote:
>
> Is there any way I can find out which process is opening a file? The point
> is that if a certain process is opening a file I do not want to perform any
> operations on it. Otherwise I want to.
–
- amitr0
Well, if your PID changes every time, then why not compare by name of
application? It seems that test.exe is a test app, and so you can afford that
luxury during the testing phase.
On 6/13/06, Shreyas Srivatsan wrote:
>
> Exactly. The test.exe will be called many times, so its PID keeps changing.
> In that case how can I get what I want? Is there any way to find out the PID
> of a process, like the PID of test.exe? Then I can compare with
> requestorprocessid and then move forward.
–
- amitr0
The question boils down to: can I get the process ID of some arbitrary exe if
it is running?
And comparing with the process is what I will have to do. That's why I wanted
to know how to get the filename.
I am using the minifilter approach.
It is not a good idea, because this file may be used to back a segment for a mapped file, and Modified Pages Writer will use it to flush modified pages; if you cancel these operations you may discard changes made by applications for which you want to grant the full access.
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
Is there any way I can find out which process is opening a file? The point is that if a certain process is opening a file I do not want to perform any operations on it. Otherwise I want to.
Sorry Slava. I did not get you on that. I know for what purpose my exe is
opening the file. Hence I would want it to bypass the filter operations.
What is wrong in that?
What is not a good idea? If a particular file he is interested in is
opening something, and he wants to skip processing on it, what is the
big deal.
This is exactly what the scanner sample does. As far as paging goes, he
could always specify
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO to skip paging operations.
m
Slava Imameyev wrote:
> It is not a good idea, because this file may be used to back a segment
> for a mapped file, and Modified Pages Writer will use it to flush
> modified pages; if you cancel these operations you may discard changes
> made by applications for which you want to grant the full access.
>
> “Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
> > Is there any way I can find out which process is opening a file?
> > The point is that if a certain process is opening a file I do not
> > want to perform any operations on it. Otherwise I want to.
I do not understand: do you want to cancel the opening of the file, or do you want to allow it to be opened but cancel any operations on it? If you want to cancel the file opening it is OK; if you want to cancel all operations (but allow the file to be opened, or the file had been opened before your driver was loaded) it is not good.
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
Sorry Slava. I did not get you on that. I know for what purpose my exe is opening the file. Hence I would want it to bypass the filter operations. What is wrong in that?
What I am saying is that if the file is opened by my exe then I do
not want it to pass through the filter I have written. I simply bypass it.
Return from it. And as Martin said, this is exactly the same as what the scanner
sample does.
Sorry, I think you want to cancel operations.
To find your process you can enumerate all processes in the system after your driver is loaded and register for process create notification using PsSetProcess…
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
What I am saying is that if the file is opened by my exe then I do not want it to pass through the filter I have written. I simply bypass it. Return from it. And as Martin said, this is exactly the same as what the scanner sample does.
I wouldn’t send him down that route, although that is indeed valid.
PsSetImageLoadNotifyRoutine works great, it will give a PID and a
file pathname, however, the problem with it is sometimes ( a lot of
times ) the path name it returns is a symbolic link. That makes it
more difficult, second, when it does return a full ‘true’ path name,
it’s the kernel equivalent such as
“\Device\HardDiskVolume1\somedir\test.exe”.
Then, you have to get into string parsing - not that it’s too difficult,
I just hate string functions for some reason. And when that function
does return a sym link, that complicates the string parsing function.
PsSetImageLoadNotifyRoutine is a bigger pain than what it’s worth
in my opinion.
Still think he should use the usermode approach to get the filename/path.
m
Slava Imameyev wrote:
> Sorry, I think you want to cancel operations.
> To find your process you can enumerate all processes in the system after your
> driver is loaded and register for process create notification using
> PsSetProcess…
>
> “Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
> > What I am saying is that if the file is opened by my exe
> > then I do not want it to pass through the filter I have written. I
> > simply bypass it. Return from it. And as Martin said, this is exactly
> > the same as what the scanner sample does.
Here we go again. This question and others have been asked and answered many times in the past. Questions to ponder:
1) How do I know that “test.exe” is the real test.exe and not notepad.exe having been copied over?
2) How do I handle two opens to my file by programs that require different actions?
3) How do I handle the cache manager?
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
What I am saying is that if the file is opened by my exe then I do not want it to pass through the filter I have written. I simply bypass it. Return from it. And as Martin said, this is exactly the same as what the scanner sample does.
IMHO
3) How do I handle the MEMORY manager?
“David J. Craig” wrote in message news:xxxxx@ntfsd…
Here we go again. This question and others have been asked and answered many times in the past. Questions to ponder:
1) How do I know that “test.exe” is the real test.exe and not notepad.exe having been copied over?
2) How do I handle two opens to my file by programs that require different actions?
3) How do I handle the cache manager?
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
What I am saying is that if the file is opened by my exe then I do not want it to pass through the filter I have written. I simply bypass it. Return from it. And as Martin said, this is exactly the same as what the scanner sample does.
The memory manager is not a problem. The only problem is the cache manager which does use the memory manager to handle the cache blocks for the file, but the controller of those blocks is the cache manager. If you can get the cache manager to do what you want, you don’t need to worry about the memory manager as it will do what the cache manager directs it to do.
“Slava Imameyev” wrote in message news:xxxxx@ntfsd…
IMHO
3) How do I handle the MEMORY manager?
“David J. Craig” wrote in message news:xxxxx@ntfsd…
Here we go again. This question and others have been asked and answered many times in the past. Questions to ponder:
1) How do I know that “test.exe” is the real test.exe and not notepad.exe having been copied over?
2) How do I handle two opens to my file by programs that require different actions?
3) How do I handle the cache manager?
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
What I am saying is that if the file is opened by my exe then I do not want it to pass through the filter I have written. I simply bypass it. Return from it. And as Martin said, this is exactly the same as what the scanner sample does.
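
An added example, not code from any poster in this thread: a portable C model of the PID-tracking approach discussed above, in which a process create/exit notification maintains a table of exempt PIDs and the pre-create path checks the requestor PID against it. The function names, the table size and the `EXEMPT_IMAGE` path are hypothetical, and the image path is assumed to arrive already resolved to its `\Device\...` form; in a real minifilter the PID would come from FltGetRequestorProcessId and the table would need locking.

```c
#include <ctype.h>
#include <stddef.h>

#define MAX_EXEMPT 64

/* Constructed value: full NT path of the one binary allowed to bypass. */
static const char *EXEMPT_IMAGE =
    "\\Device\\HarddiskVolume1\\somedir\\test.exe";

static unsigned long exempt_pids[MAX_EXEMPT];
static size_t exempt_count;

/* Case-insensitive whole-path compare (Windows file names ignore case). */
static int path_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* Model of a process create/exit notification (hypothetical signature). */
void on_process_notify(unsigned long pid, const char *image_path, int create)
{
    size_t i;
    /* PIDs are reused: always drop a stale entry for this PID first. */
    for (i = 0; i < exempt_count; i++) {
        if (exempt_pids[i] == pid) {
            exempt_pids[i] = exempt_pids[--exempt_count];
            break;
        }
    }
    if (create && image_path && exempt_count < MAX_EXEMPT &&
        path_equal(image_path, EXEMPT_IMAGE))
        exempt_pids[exempt_count++] = pid;
}

/* Model of the pre-create check; pid is the requestor process ID. */
int should_skip(unsigned long pid)
{
    size_t i;
    for (i = 0; i < exempt_count; i++)
        if (exempt_pids[i] == pid)
            return 1;
    return 0;
}
```

Matching the full path rather than the bare name rejects a copy of test.exe started from another directory, but it does not detect the file at that path being overwritten, which is the first question raised above.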