Getting parents parent process information in minifilter driver

Hi Guys,
I wanted to get information of parent’s parent process. I have registered create process notification and in this call back function I want to get information of grand parent process of current process. Can anybody help me how to get information of parent’s parent of my process. Thanks in advance…

Regards
CKT

In my mind it can't be done directly, what you want (get information of parent's parent of my process).

On 2008-10-24 15:00:47, xxxxx@yahoo.co.in wrote:


NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@yeah.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Please look at the code below to retrieve the PBI (Process Basic
Information) of the parent process of a given process.

typedef NTSTATUS (NTAPI *QUERY_INFO_PROCESS) (
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
    );

// Resolved at run time with MmGetSystemRoutineAddress because the WDK headers of
// the day do not declare ZwQueryInformationProcess. Newer WDKs declare it in
// ntddk.h; if the build reports a redefinition, rename this pointer.
QUERY_INFO_PROCESS ZwQueryInformationProcess = NULL;

/*
 * Function to get the parent ("inherit from") process Id of a given process
 */
NTSTATUS
GetParentProcessId ( __in HANDLE processId,
                     __out PHANDLE parentProcessId
                     )
{
    NTSTATUS status;
    PEPROCESS eProcess;
    HANDLE hProcess = NULL;
    PROCESS_BASIC_INFORMATION pbi;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    *parentProcessId = 0;

    // PID 4 is the System process on XP and later; the constant is an assumption,
    // PsGetProcessId(PsInitialSystemProcess) avoids hard-coding it.
    if ( processId == (HANDLE) 4 ) { // if system process
        return STATUS_SUCCESS;
    }

    if (NULL == ZwQueryInformationProcess) {
        UNICODE_STRING routineName;

        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");

        ZwQueryInformationProcess =
            (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

        if (NULL == ZwQueryInformationProcess) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            return STATUS_NOT_FOUND; // do not call through a NULL pointer below
        }
    }

    status = PsLookupProcessByProcessId(processId, &eProcess);
    if ( ! NT_SUCCESS(status)) {
        //DbgPrint("Error: PsLookupProcessByProcessId Failed: %08x\n", status);
        return status; // hProcess is not valid; do not continue
    }

    // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
    // table: a process-creation callback runs in the context of whatever
    // process is creating the child, and that process must not be able to
    // reach this handle.
    status = ObOpenObjectByPointer(eProcess,
                                   OBJ_KERNEL_HANDLE,
                                   NULL,
                                   PROCESS_QUERY_INFORMATION,
                                   *PsProcessType,
                                   KernelMode,
                                   &hProcess);
    ObDereferenceObject(eProcess); // drop the reference PsLookupProcessByProcessId took
    if ( ! NT_SUCCESS(status)) {
        // DbgPrint("Error: ObOpenObjectByPointer Failed: %08x\n", status);
        return status;
    }

    /* Retrieve the process basic information (pbi) from the handle of the process */
    status = ZwQueryInformationProcess( hProcess,
                                        ProcessBasicInformation,
                                        &pbi,
                                        sizeof (PROCESS_BASIC_INFORMATION),
                                        NULL);

    if (NT_SUCCESS(status)) {
        *parentProcessId = (HANDLE) pbi.InheritedFromUniqueProcessId;
    }

    ZwClose(hProcess); // the handle was leaked on every call before

    return status;
}

You can recursively call GetParentProcessId () till the parentprocessid ==
0, to get the parent, grand parent, great grand parent, so on and so
forth…

Hope this helps!

-subbu

On Fri, Oct 24, 2008 at 12:30 PM, wrote:


Keep in mind that this is the process from which handles and address space may be inherited from.

It is not necessarily the process that created a particular process.

I seem to recall that the new (Vista SP1-style) process notification callout provides both the inherit from process and the creator process.

- S

From: Subramanyam GV
Sent: Friday, October 24, 2008 02:21
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Getting parents parent process information in minifilter driver


I think that Ps’s create process callback passes you the parent PID
somewhere.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…

Hi,
Could you elaborate a little on your comment:

> I think that Ps's create process callback passes you the parent PID somewhere.

I’m interested in gathering the parent process id myself, and have scoured the docs for info on this.
What is a Ps’s create process callback? Is this kernel level?

Obviously the comment

> It is not necessarily the process that created a particular process.

precludes the use of the code already given here.

Thanks

PS, it's possible I'll move this to user level, and hence not require the kernel to walk the parent process ids, but it would reduce the amount of comms between user and kernel if I could determine a given IOP thread's process id is a child process of the root process I'm trying to watch.

Ah,
PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx

Odd that it didn’t show up in my searches :-/

PsSetCreateProcessNotificationRoutine/Ex

- S

-----Original Message-----
From: xxxxx@scee.net
Sent: Tuesday, October 28, 2008 09:22
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Getting parents parent process information in minifilter driver


> What is a Ps’s create process callback? Is this kernel level?

Yes.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

PsSetCreateProcessNotifyRoutine[Ex] -
http://msdn.microsoft.com/en-us/library/ms802952.aspx etc. The
CreateNotifyRoutine[Ex] receives the parent pid - does this work for you?

wrote in message news:xxxxx@ntfsd…

Hi Lyndon,

Well, having read the documentation, I’m not expecting it to, for the use of PsSetCreateProcessNotifyRoutine which is all you have for XP, Win2K.

What posters have neglected to mention is that PsSetCreateProcessNotifyRoutineEx is only available on Vista SP1 + Server 2K8 (according to the docs).

PsSetCreateProcessNotifyRoutine is documented as providing:

ParentId - The input ParentId handle identifies the parent process of the newly-created process
(this is the parent used for priority, affinity, quota, token, and handle inheritance, among others).

which unfortunately sounds distinctly like the id mentioned earlier in this thread, gathered by the posted code (above).

PsSetCreateProcessNotifyRoutineEx however is documented as giving you a:
PPS_CREATE_NOTIFY_INFO pCreateInfo
structure as argument, inside which, there’s

pCreateInfo->ParentProcessId
documented as:
The process ID of the parent process for the new process. Note that the parent process is not necessarily the same process as the process that created the new process. The new process can inherit certain properties of the parent process, such as handles or shared memory. (The process ID of the process creator is given by CreatingThreadId->UniqueProcess.)

And hence I’m using:
pCreateInfo->CreatingThreadId->UniqueProcess;
for the supported platforms.

So, I’m expecting PsSetCreateProcessNotifyRoutineEx to give the correct id, and PsSetCreateProcessNotifyRoutine not to give the correct id, (or should I say in an unreliable for my purposes id).

I’m about to start testing this today. I’ll try to post results up later today.

Regards
Mike
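The ancestry walk subbu's post recommends (call GetParentProcessId() repeatedly until the parent is 0), with the guards a defender would want, and the parent/creator distinction drawn in the post above, as an added example that is not code from this thread. It is portable user-mode C: a constructed table with made-up PIDs stands in for the kernel's PBI query, and the lookup is passed in as a function pointer so the same walker could be pointed at the real GetParentProcessId(). All names here (proc_table, walk_ancestry, grandparent_of, is_descendant_of, table_creator_of) are the example's own, not an API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two identifiers the thread distinguishes:
 * parent_pid  = "inherit from" process (PBI.InheritedFromUniqueProcessId,
 *               PS_CREATE_NOTIFY_INFO.ParentProcessId);
 * creator_pid = process whose thread issued the create call
 *               (PS_CREATE_NOTIFY_INFO.CreatingThreadId.UniqueProcess). PIDs are made up. */
typedef struct { uint32_t pid, parent_pid, creator_pid; } proc_entry;
typedef struct { const proc_entry *entries; size_t count; } proc_table;

/* Sample table: 5000 inherits from the shell (3000) but its creating thread ran in
 * a service host (1500); 7000/7100 are a deliberately corrupt loop for the cycle guard. */
static const proc_entry SAMPLE_ENTRIES[] = {
    {    4,    0,    0 },   /* System: InheritedFrom is 0, every chain ends here */
    {  800,    4,    4 },
    { 1500,  800,  800 },   /* service host */
    { 3000,  800,  800 },   /* shell */
    { 5000, 3000, 1500 },   /* inherit-from parent != creator */
    { 5100, 5000, 5000 },
    { 7000, 7100, 7100 },
    { 7100, 7000, 7000 },
};
static const proc_table SAMPLE = { SAMPLE_ENTRIES, sizeof SAMPLE_ENTRIES / sizeof *SAMPLE_ENTRIES };

/* Lookup callback with the contract of the thread's GetParentProcessId(): 0 on
 * success with *parent set, nonzero if pid cannot be resolved. A driver would wrap
 * the real PBI query here; this one reads the constructed table. */
typedef int (*parent_lookup_fn)(uint32_t pid, uint32_t *parent, const void *ctx);

static const proc_entry *find_entry(const proc_table *t, uint32_t pid)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->entries[i].pid == pid) return &t->entries[i];
    return NULL;
}

int table_lookup_parent(uint32_t pid, uint32_t *parent, const void *ctx)
{
    const proc_entry *e = find_entry((const proc_table *)ctx, pid);
    if (e == NULL) return -1;
    *parent = e->parent_pid;
    return 0;
}

uint32_t table_creator_of(const proc_table *t, uint32_t pid)
{
    const proc_entry *e = find_entry(t, pid);
    return e ? e->creator_pid : 0;
}

#define MAX_ANCESTRY 64   /* hard bound on the walk; no real chain is this deep */

/* Walk parent, grandparent, ... until InheritedFrom == 0 (just past System).
 * Stores up to cap ancestors in out; returns the count, or -1 if a lookup fails,
 * the chain loops back on itself (stale or reused PIDs), or the bound is exceeded.
 * In a kernel callback keep cap small or use pool memory: stack is scarce there. */
int walk_ancestry(uint32_t pid, parent_lookup_fn lookup, const void *ctx,
                  uint32_t *out, size_t cap)
{
    uint32_t cur = pid; size_t n = 0;
    for (size_t depth = 0; depth < MAX_ANCESTRY; depth++) {
        uint32_t parent;
        if (n == cap) return (int)n;                  /* caller's buffer is full */
        if (lookup(cur, &parent, ctx) != 0) return -1;
        if (parent == 0) return (int)n;               /* reached the root */
        if (parent == pid) return -1;                 /* loops back to the start */
        for (size_t i = 0; i < n; i++)
            if (out[i] == parent) return -1;          /* loops into the chain */
        out[n++] = parent;
        cur = parent;
    }
    return -1;
}

/* The grandparent the original poster asked for; 0 if the chain is shorter than two or unresolvable. */
uint32_t grandparent_of(uint32_t pid, parent_lookup_fn lookup, const void *ctx)
{
    uint32_t anc[2];
    return walk_ancestry(pid, lookup, ctx, anc, 2) >= 2 ? anc[1] : 0;
}

/* "Is pid descended from root?" along the inherit-from chain, the question raised
 * earlier in the thread. An unresolvable or looping chain counts as "no". */
bool is_descendant_of(uint32_t root, uint32_t pid, parent_lookup_fn lookup, const void *ctx)
{
    uint32_t anc[MAX_ANCESTRY];
    int n = walk_ancestry(pid, lookup, ctx, anc, MAX_ANCESTRY);
    for (int i = 0; i < n; i++)
        if (anc[i] == root) return true;
    return false;
}

int main(void)
{
    uint32_t anc[MAX_ANCESTRY], parent = 0;
    int n = walk_ancestry(5100, table_lookup_parent, &SAMPLE, anc, MAX_ANCESTRY);
    for (int i = 0; i < n; i++) printf("%s%u", i ? " <- " : "ancestry of 5100: ", (unsigned)anc[i]);
    table_lookup_parent(5000, &parent, &SAMPLE);
    printf("\n5000: inherit-from parent %u, creator %u\n", (unsigned)parent, (unsigned)table_creator_of(&SAMPLE, 5000));
    return 0;
}
```

Compile with any C99 compiler and run. The cycle guard and depth bound are what a bare "recurse until parentprocessid == 0" lacks: InheritedFromUniqueProcessId is just a number recorded at creation, so once the parent has exited and its PID has been reused the chain can point at an unrelated process or loop. The 5000 entry shows why the choice of identifier matters for the "child of the root process" check: keyed on the inherit-from chain it descends from the shell, keyed on the creator it does not.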

> So, I'm expecting PsSetCreateProcessNotifyRoutineEx to give the correct id, and
> PsSetCreateProcessNotifyRoutine not to give the correct id

It gives the correct ID.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

PsSetCreateProcessNotifyRoutine will only give you the parent process id. (To reduce confusion, I would typically refer to that as the “inherit from process id”.)

If you really need the CID of the thread that called NtCreateProcess/Ex or NtCreateUserProcess, then that’s indeed going to not always be the correct process id.

If you want the inherit from process id, then that’s the correct process id.

(As I recall, the documentation for PsSetCreateProcessNotifyRoutineEx indicates that it is new to Srv08 / Vista SP1.)

- S

-----Original Message-----
From: xxxxx@scee.net
Sent: Wednesday, October 29, 2008 05:22
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Getting parents parent process information in minifilter driver


That depends on which of [creator process, inherit from process] the OP is looking for here.

- S

-----Original Message-----
From: Maxim S. Shatskih
Sent: Wednesday, October 29, 2008 05:47
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Getting parents parent process information in minifilter driver
