how to get the name of the process in whose context my driver gets called?
Have a helper user-mode service which will call GetModuleFileNameEx in
PSAPI.DLL. This is the most correct way.
Internally, GetModuleFileNameEx calls NtQueryInformationProcess for a PEB
address and then ReadProcessMemory to read the target process’s PEB. The PEB
has an additional structure RTL_USER_PROCESS_PARAMETERS which contains the full
EXE file pathname in Unicode.
You can also do the same sequence in your driver (note: under
__try/__except only, on PASSIVE only, in the correct process context only!),
but this involves undocumented structures, and thus worse than using the
documented API.
Do not try to dig into EPROCESS - the name in EPROCESS is not a full
pathname, it is 8.3 and ANSI. This is the name used by Task Manager - which is
often truncated if it is too long. The new XP’s PsXxx function returns exactly
this truncated pathname from EPROCESS.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Mani”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Thursday, February 02, 2006 11:34 AM
Subject: [ntfsd] get process name
> how to get the name of the process in whose context my driver gets called?
> Have a helper user-mode service which will call GetModuleFileNameEx in
> PSAPI.DLL. This is the most correct way.
> Internally, GetModuleFileNameEx calls NtQueryInformationProcess for a PEB
> address and then ReadProcessMemory to read the target process’s PEB. The PEB
> has an additional structure RTL_USER_PROCESS_PARAMETERS which contains the
> full EXE file pathname in Unicode.

Thank you.

> You can also do the same sequence in your driver (note: under
> __try/__except only, on PASSIVE only, in the correct process context only!),
> but this involves undocumented structures, and thus worse than using the
> documented API.

how is this done??