Getting Process ID in a File System Filter Driver

Hi All,

I am trying to do something that many people have already tried (and have
probably done). In the File System Filter Driver, is there a foolproof way
to get hold of the User-Process “Process ID” that actually created the File
I/O request?

I have used the PsGetCurrentProcessId() KPI and it seems to work. But
searching through the newsgroup messages, everybody suggests that
IoGetRequestorProcessId() is the right way to go.

IoGetRequestorProcessId() will also not work in the cases where an upper
filter creates its own IRP to satisfy the request. I do understand why even
IoGetRequestorProcessId wouldn’t work in this scenario.

What I would like to know is, is there any other surefire way to get the
Process ID of the User-Process that actually created the File I/O request?

And PS routines give notifications of Process/Thread/Module
creation/death. But using this, how can we match the Process ID of the IRP
with the actual requestor, i.e. the User Process’s Process ID?

Instead, to get the Process ID of the “Actual” requestor, should we not be
talking to the I/O manager to find out on whose behalf this IRP has been
generated?

But I have a feeling that this solution of querying the I/O manager will
also break if a user-mode driver changes the request and then forwards it to
the I/O Manager.

So is there no way to get the actual requestor’s Process ID on Windows at
this level?

Any pointers/info would be much appreciated.

Thanks in advance,
Kedar.

