I tried sending to the user mode and then OpenProcess() and GetModuleFileNameEx().
The handle I get. But in the GetModuleFileNameEx I am getting an error. It's
returning error code 998, meaning invalid memory access. Why is this?
And also, what is the header library needed to run this function
PsGetProcessImageFileName?
There are multiple APIs to convert a PID to a process path; if that
doesn't work, try CreateToolhelp32Snapshot.
You know, there is a thing out there called Google, learn to use it.
This stuff isn't hard to find, it's quite simple,
quit being a lazy ass.
Matt
Shreyas Srivatsan wrote:
> I tried sending to the user mode and then OpenProcess() and GetModuleFileNameEx().
> The handle I get. But in the GetModuleFileNameEx I am getting an
> error. It's returning error code 998, meaning invalid memory access. Why
> is this?
> And also, what is the header library needed to run this function
> PsGetProcessImageFileName?
— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently
subscribed to ntfsd as: xxxxx@comcast.net To unsubscribe send a
blank email to xxxxx@lists.osr.com
I do not think so. Yes, the Cache manager is only the client of the memory manager (though they are tightly coupled), but the same segment is shared by mapped files.
“David J. Craig” wrote in message news:xxxxx@ntfsd…
The memory manager is not a problem. The only problem is the cache manager which does use the memory manager to handle the cache blocks for the file, but the controller of those blocks is the cache manager. If you can get the cache manager to do what you want, you don’t need to worry about the memory manager as it will do what the cache manager directs it to do.
“Slava Imameyev” wrote in message news:xxxxx@ntfsd…
IMHO
3) How do I handle the MEMORY manager?
“David J. Craig” wrote in message news:xxxxx@ntfsd…
Here we go again. This question and others have been asked and answered many times in the past. Questions to ponder:
1) How do I know that “test.exe” is the real test.exe and not notepad.exe having been copied over?
2) How do I handle two opens to my file by programs that require different actions?
3) How do I handle the cache manager?
“Shreyas Srivatsan” wrote in message news:xxxxx@ntfsd…
What I am saying is that if the file is opened by my exe then I do not want it to pass through the filter I have written. I simply bypass it. Return from it. And as Martin said, this is exactly what the scanner sample does.
I have been using Google only since then. And have done the same as specified
there. But it is saying cannot find the function psgetprocessimagefilename...
and I can't even find this fn in any header. So I tried using the EPROCESS
structure to get the file name...
filter\scanner.c(985) : error C2037: left of 'ImageFileName' specifies undefined struct/union '_KPROCESS'
Trying to figure that out now. And when I tried the user mode thing you said,
it's giving access invalid when I do GetModuleFileNameEx.
As I just said, there are other ways to get the path in user mode; I just
gave you an API I used in a project of mine. And the kernel function
you're looking for is undocumented, and second, it only works on XP and
above, and third, it only gives the filename and not the path if I remember
correctly; however, I can't look that up because it's an undocumented
function, thus not intended for you to use.
Shreyas Srivatsan wrote:
> I have been using Google only since then. And have done the same as
> specified there. But it is saying cannot find the function
> psgetprocessimagefilename...
> and I can't even find this fn in any header. So I tried using the
> EPROCESS structure to get the file name...
> filter\scanner.c(985) : error C2037: left of 'ImageFileName' specifies undefined struct/union '_KPROCESS'
> Trying to figure that out now. And when I tried the user mode thing you
> said, it's giving access invalid when I do GetModuleFileNameEx.
Yeah, I realised that. Anyway, I got it working using
CreateToolhelp32Snapshot.
Will see if I can use something else later. For the time being this is fine.
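The user-mode route settled on above (a Toolhelp snapshot, or any other PID-to-path API) still leaves David Craig's first question in this thread open: the name "test.exe" says nothing about which binary is actually running. The following is an added example, not code from the thread or from any of its posters. It resolves a PID to its image path with the failure modes handled (a target that cannot be opened, or one whose module list cannot be read, the same class of failure GetModuleFileNameEx reports), then identifies the image by its Authenticode signer and SHA-256 rather than by its file name. It assumes Windows PowerShell 5.1 or later; the function name and the placeholder hash are constructed for the example.

```powershell
# Added example, not code from the thread or from any poster. Assumes Windows
# PowerShell 5.1 or later; Get-CimInstance, Get-AuthenticodeSignature and
# Get-FileHash are standard cmdlets. The function name is constructed.

function Get-ProcessImageIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int] $ProcessId
    )

    $result = [ordered]@{
        ProcessId       = $ProcessId
        Name            = $null
        Path            = $null
        SignatureStatus = $null
        Signer          = $null
        Sha256          = $null
        Note            = $null
    }

    try {
        $proc = [System.Diagnostics.Process]::GetProcessById($ProcessId)
        $result.Name = $proc.ProcessName
    } catch {
        $result.Note = 'no process with that PID'
        return [pscustomobject] $result
    }

    # First attempt: the main module's file name. This walks the target's
    # module list and throws for protected processes and for targets of the
    # other bitness, so a failure here is an expected outcome, not a bug.
    try {
        $result.Path = $proc.MainModule.FileName
    } catch {
        $result.Note = "MainModule unavailable: $($_.Exception.Message)"
    }

    # Fallback: Win32_Process reports the image path without reading the
    # target's address space (ExecutablePath is null for processes the
    # caller is not allowed to open).
    if (-not $result.Path) {
        $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
        if ($cim -and $cim.ExecutablePath) {
            $result.Path = $cim.ExecutablePath
            $result.Note = 'path from Win32_Process'
        }
    }

    if (-not $result.Path) {
        if (-not $result.Note) { $result.Note = 'image path not available' }
        return [pscustomobject] $result
    }

    # Identity: the file name proves nothing; the signer and the hash of the
    # bytes on disk do. A notepad.exe copied over test.exe keeps notepad's
    # signature and hash whatever it is called.
    $sig = Get-AuthenticodeSignature -FilePath $result.Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    $result.Sha256 = (Get-FileHash -Path $result.Path -Algorithm SHA256).Hash

    return [pscustomobject] $result
}

# Usage: inventory every process, then flag any image named "test" whose hash
# is not the known-good build. The hash below is a constructed placeholder.
$knownGoodSha256 = 'PLACEHOLDER-SHA256-OF-THE-REAL-TEST-EXE'
Get-Process |
    ForEach-Object { Get-ProcessImageIdentity -ProcessId $_.Id } |
    Where-Object { $_.Name -ieq 'test' -and $_.Sha256 -ne $knownGoodSha256 } |
    Format-Table ProcessId, Name, Path, SignatureStatus, Signer, Note -AutoSize
```

Run it elevated to see paths for processes owned by other users; for protected processes even Win32_Process returns no path, and the Note field says so rather than leaving the caller to mistake "no answer" for "not test.exe". The same signer-and-hash comparison is what a filter's user-mode helper would apply before telling the kernel side that a given PID is the exe it is meant to exempt.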
Do you need the PID or the security context of the process?
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Shreyas Srivatsan”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, June 13, 2006 9:48 AM
Subject: [ntfsd] Finding the creating process
> Is there any way I can find out which process is opening a file? The point is
> that if a certain process is opening a file I do not want to perform any
> operations on it. Otherwise I want to.
That is another long song of "how to get the full EXE pathname of the
process". IIRC there is a ZwQuerySystemInformation (or
ZwQueryInformationProcess?) call from XP up to do this.
It is also exposed to user mode via some documented wrapper function in
kernel32 (forgot its name; no, it is not psapi!GetModuleHandleEx, which is
deprecated, though Windows Firewall in XP SP2 still uses it).
Search this forum's archives; you will find this new documented XP+ Win32
function, and the discussion about the underlying ZwXxx syscall which
implements it.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Shreyas Srivatsan”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, June 13, 2006 10:23 AM
Subject: [ntfsd] Finding the creating process
> This is fine, but won't the requestor process id change every time it is run?
> So how can I relate the id I get to a certain executable, say "test.exe", so
> that the files opened by "test.exe" I do not have to do any work on?
> I do not understand: do you want to cancel opening of the file, or do you
> want to allow opening it but cancel any operations on it? If you want to
> cancel the file opening it is OK; if you want to cancel all operations (but
> allow opening the file, or the file had been opened before your driver was
> loaded) it is not good.
Yes, the correct way is to fail MJ_CREATE with proper DesiredAccess as
STATUS_ACCESS_DENIED.
Allowing CREATE and then failing the operations will cause unpredictable
results on the apps.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
> I tried sending to the user mode and then OpenProcess() and GetModuleFileNameEx()
> The handle I get. But in the GetModuleFileNameEx I am getting an error. It's returning error
> code 998 meaning invalid memory access. Why is this?
Sigh, people. Sorry to be that harsh, but you have not
a clue what you are doing. I am not giving you any advice
because it’s totally useless, as long as you don’t have
enough knowledge to deal with those problems.
L.