Handle info using NtQuerySystemInformation: How to differentiate files from folders

Hi,
I am enumerating open handles of currently running processes in the system by calling NtQuerySystemInformation from user mode. I get a series of SYSTEM_HANDLE_ENTRY structures (defined in winternl.h) if the call succeeds.
To get additional information about these handles, I have to pass the SYSTEM_HANDLE_ENTRY::ObjectPointer to a kernel mode driver.
The additional information I’m interested in is the complete file path of file handles.

Is there a way to identify whether the SYSTEM_HANDLE_ENTRY::ObjectPointer points to a file, a folder, a network device, etc., before passing the SYSTEM_HANDLE_ENTRY structure to the driver?

Presently, I have to retrieve the device path and the file path, then convert the path from DOS device format to disk volume format. Then I have to open the file and check its attributes to discover whether it is a file or a folder, etc. I want to save the time I’m going to spend on every SYSTEM_HANDLE_ENTRY object.

Is there any better way to retrieve the full paths of files opened by currently running processes?

  1. What are you actually trying to accomplish? There may be a better way.

  2. It is not safe to be passing the object pointer up to a driver and then just deref it from the driver. Please do not write code to do this as that approach is fundamentally unstable.

  • S

-----Original Message-----
From: xxxxx@gmail.com
Sent: Monday, February 22, 2010 22:14
To: Windows System Software Devs Interest List
Subject: [ntdev] Handle info using NtQuerySystemInformation: How to differentiate files from folders


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Ken,
Thanks for your reply.

Here is what I want to do:
Get a list of files currently opened by all running processes in the system.
I want the paths of these files.

Can you suggest a known, stable approach to do that?

It’d be great if I can do it in user mode; although it wouldn’t be much of a problem if it needs to be done in kernel mode.

Thanks

What do you want to do with that information?

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, February 23, 2010 8:41 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Handle info using NtQuerySystemInformation: How to differentiate files from folders


I’m writing a Process Explorer-like tool, the only difference being that it will display only the opened files and ignore all other objects like events, mutexes, pipes, etc.

Earlier I tried using NtQueryObject from user mode, but the function call would never return and my application would hang if the handle belonged to a pipe.

Then I found an article on another forum saying that Sysinternals’ Process Explorer uses a driver to deref SYSTEM_HANDLE_ENTRY::ObjectPointer and retrieve the required info. So I tried using it and got the necessary output.

Now I want to identify a handle to be of a disk file before trying to retrieve its path using the driver.
But if you know a better approach to achieve my output, I’d really like to know about it.

I tried retrieving object attributes using NtQueryObject(ObjectBasicInformation) on SYSTEM_HANDLE_ENTRY::HandleValue.
I was expecting I might get values using which I can distinguish between files and directories, at least.
But all objects (files, directories, pipes, etc.) had the same attribute value.

Can anybody at least tell me whether it is possible to identify whether the handle belongs to a file or a directory?

> SYSTEM_HANDLE_ENTRY::HandleValue.

Use Win32 file-related calls on this handle to get the attributes, pathnames etc.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Maxim,

I have tried using GetFileType(HANDLE) on SYSTEM_HANDLE_ENTRY::HandleValue before, but if the handle belongs to a pipe, the call to GetFileType() never returns and my application hangs. The call succeeds for handles belonging to files, folders, etc.

> I have tried using GetFileType(HANDLE) earlier on SYSTEM_HANDLE_ENTRY::HandleValue before but if the handle belongs to a pipe, the call to GetFileType() never returns and my application hangs.

This is a well-known bug in NPFS. If the pipe has a pending read request which is not satisfied yet, GetFileType hangs waiting for the read to be satisfied.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Maxim,

Thanks for your reply.

I read about some workarounds on Sysinternals’ forums that call GetFileType() from a thread and terminate the thread if it doesn’t return in a specified period of time. This way our application will not hang, and we can continue processing the other retrieved handles.
But it might also happen that a pending read request on the pipe gets satisfied and the call returns successfully. So we cannot use this approach to distinguish between a file and a pipe.

Even retrieving the file path by dereferencing the SYSTEM_HANDLE_ENTRY::ObjectPointer won’t work, because after retrieving the file path, if we’re thinking of opening the file and getting its attributes, it might happen that a process has opened the file in exclusive mode and our Open operation will fail.

I wonder whether GetFileAttributes(TCHAR *pcszFilePath) might work!
I need to try it out.

But as of now, it looks like there isn’t a way to distinguish between a file and a pipe from the SYSTEM_HANDLE_ENTRY structure.

Is there any field in the PFILE_OBJECT structure that can be used to identify the type of the object?

> Is there any field in the PFILE_OBJECT structure that can be used to identify the type of the object?

IoGetRelatedDeviceObject, then look at the DeviceType field there.

This is what GetFileType uses internally.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Terminating the thread like this is never safe and will ultimately corrupt your process. (For instance, the thread could own the heap or loader lock and be manipulating those structures during init/teardown when you kill it.)

This is not an advisable approach for customer-shipping code outside of diagnostic tools.

  • S

-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, March 03, 2010 4:43
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Handle info using NtQuerySystemInformation: How to differentiate files from folders

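The timeout workaround discussed in this thread, written so that a hung worker is abandoned rather than terminated, as an added example that is not code from the thread or from any of its participants. GetFileType is stood in for by constructed probe functions (probe_file, probe_pipe) so the pattern compiles and runs anywhere; on Windows the probe would wrap GetFileType() or NtQueryObject() on the suspect handle, and a timed-out handle is simply reported as unknown.

```c
/* Added example (not from the thread): run a possibly blocking probe, e.g. GetFileType, on a worker
 * thread with a timeout and on timeout ABANDON the worker rather than terminate it. Probe is simulated. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <time.h>

typedef int (*probe_fn)(void *arg);
typedef struct {
    probe_fn fn; void *arg;
    int result, done, refs;              /* refs: waiter + worker; whoever leaves last frees */
    pthread_mutex_t mtx; pthread_cond_t cv;
} call_ctx;

static void ctx_release(call_ctx *c) {   /* call with c->mtx held; unlocks it */
    int last = (--c->refs == 0);
    pthread_mutex_unlock(&c->mtx);
    if (last) { pthread_cond_destroy(&c->cv); pthread_mutex_destroy(&c->mtx); free(c); }
}

static void *worker(void *p) {
    call_ctx *c = p;
    int r = c->fn(c->arg);               /* may block indefinitely (NPFS pending read) */
    pthread_mutex_lock(&c->mtx);
    c->result = r; c->done = 1;
    pthread_cond_signal(&c->cv);         /* harmless if the waiter already gave up */
    ctx_release(c);
    return NULL;
}

/* 1 and *out set if fn finished within timeout_ms; 0 on timeout (the detached worker
 * finishes on its own and frees the context); -1 if no thread could be created. */
int call_with_timeout(probe_fn fn, void *arg, int timeout_ms, int *out) {
    call_ctx *c = calloc(1, sizeof *c); if (!c) return -1;
    c->fn = fn; c->arg = arg; c->refs = 2;
    pthread_mutex_init(&c->mtx, NULL); pthread_cond_init(&c->cv, NULL);
    struct timespec dl; clock_gettime(CLOCK_REALTIME, &dl);
    dl.tv_sec += timeout_ms / 1000; dl.tv_nsec += (timeout_ms % 1000) * 1000000L;
    if (dl.tv_nsec >= 1000000000L) { dl.tv_sec++; dl.tv_nsec -= 1000000000L; }
    pthread_t th; pthread_mutex_lock(&c->mtx);
    if (pthread_create(&th, NULL, worker, c) != 0) { c->refs = 1; ctx_release(c); return -1; }
    pthread_detach(th);
    while (!c->done && pthread_cond_timedwait(&c->cv, &c->mtx, &dl) == 0) {}
    int ok = c->done; if (ok) *out = c->result;
    ctx_release(c);
    return ok;
}

/* Constructed stand-ins: a disk file handle answers at once; a pipe with a pending read blocks. */
static int probe_file(void *a) { (void)a; return 1; }
static int probe_pipe(void *a) { (void)a; struct timespec t = {1, 0}; nanosleep(&t, NULL); return 3; }
/* -2 if the probe timed out (treat the handle as "unknown, possibly a pipe"), else its result. */
int probe_or_timeout(probe_fn fn, int timeout_ms) { int r = 0; return call_with_timeout(fn, NULL, timeout_ms, &r) == 1 ? r : -2; }
```

The cost of abandoning instead of terminating is one idle worker thread per hung handle until the pipe's pending read completes, which is what keeps heap and loader locks intact.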