I am developing a filter driver that reports file activity. Part of the information I need to gather is the name of the process image that generated the file activity. I followed an article posted here http://www.osronline.com/article.cfm?article=472 and that code works great, except that the paths returned from ZwQueryInformationProcess do not start with a driver letter or share name.
So my question is how can I convert the path returned from ZwQueryInformationProcess to one that starts with a drive letter or a UNC path if the process is run from a share?
I looked into using IoQueryFileDosDeviceName, but I am not sure how best to go about getting a file object for the process when all I have is a path.
No need to relay on drive letter better bet for the volume guid cz on changing the volume name its is not going to change and also on changing from basic to dynamic disk guid remains the same.
Thank you for your help, FltGetVolumeFromName looks like a promising approach. It seems like a lot of string manipulation to isolate the volume name, then more string manipulation to build the final string. Also, I didn’t read in the documentation that this will work for paths that need UNC translation via the MUP.
Would it be easier to get a file object and then call IoQueryFileDosDeviceName? Would I need to call FltCreateFile to get a file object?
MUP names do not have volume GUIDs, thus you cannot use this approach. Then again, you only get to choose to filter everything on MUP or nothing on MUP - there are no “volumes”.
Provided that you are able to handle failure of this (and related) calls, you can certainly go down this path. I would strongly encourage you to make sure you test with mount point volumes - no drive letter - as well as with aliased drive letters (so multiple drive letters pointing to the same volume ) to ensure that you are properly handling those scenarios.
The reason to use the GUID approach is that it works for the full range of physical volumes. Network volumes (ergo MUP on Vista and more recent) present through MUP normally (I say “normally” because network redirectors that do not register as UNC providers are not visible to MUP and in the pre-Vista days redirectors registered as file system drivers and thus could be attached independent of MUP).
>starts with a drive letter or a UNC path if the process is run from a share?
Appeal to Microsoft: is it not a good idea to ban any EXE/DLL load from SMB/CIFS (and other UNC/MUP/NP DLL-based redirs), probably by a Group Policy flag?
In any usual scenario of Windows use, it is not employed.
It is only supported for orthogonality, i.e. “SMB redir is an FS, so, it should support CreateFileMapping(SEC_IMAGE) in the way all FSs do”.
