I wrote a cache algorithm which keeps some information for active processes inside the driver.
The problem is the algorithm which destroys the appropriate process record when the process is terminated.
I tried to use ProcessNotifyRoutine(). But I see that after the driver receives the appropriate notification, some callbacks (Registry) continue to be called for the terminated PID!?!
It means that the notification comes BEFORE the process is really destroyed, not after.
The question:
How to define that the process is really killed?
I mean the state when all process threads are destroyed and no more callbacks for it will be executed.
Thanks,
Regards,
Michael.
PS. Currently I realized the appropriate algorithm as a garbage collector. But I very much dislike this solution.
Would KeWaitForSingleObject() work for you? You can wait on the process
object to be signaled. This will ensure the process has been terminated.
– Jamey
On Tue, Jan 6, 2015 at 5:05 AM, wrote:
> I wrote a cache algorithm which keeps some information for active processes
> inside the driver.
>
> The problem is the algorithm which destroys the appropriate process record when
> the process is terminated.
> I tried to use ProcessNotifyRoutine(). But I see that after the driver receives
> the appropriate notification, some callbacks (Registry) continue to be called
> for the terminated PID!?!
> It means that the notification comes BEFORE the process is really destroyed, not
> after.
>
> The question:
> How to define that the process is really killed?
> I mean the state when all process threads are destroyed and no more
> callbacks for it will be executed.
>
> Thanks,
> Regards,
> Michael.
>
> PS. Currently I realized the appropriate algorithm as a garbage collector. But I
> very much dislike this solution.
–
Jamey Kirby
Disrupting the establishment since 1964
This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.
Jamey,
thank you for the reply!
My 1st look was - you are right, why did I not think about it!?!
But my 2nd look in MSDN (http://msdn.microsoft.com/en-us/library/windows/hardware/ff553350(v=vs.85).aspx):
KeWaitForSingleObject( Object, …)
Object [in]
Pointer to an initialized dispatcher object (event, mutex, semaphore, thread, or timer) for which the caller supplies the storage.
There is no process handle inside the list. 
And it’s probably correct - a process has a handle but it is not a dispatcher object.
But I will try it, if no other recommendation comes.
Thanks a lot,
Michael.
I believe you can wait on a process object. There is a dispatcher. I see no
reason why it would not work. I have not tried it.
On Tue, Jan 6, 2015 at 10:53 AM, wrote:
> Jamey,
> thank you for the reply!
>
> My 1st look was - you are right, why did I not think about it!?!
>
> But my 2nd look in MSDN (http://msdn.microsoft.com/en-us/library/windows/hardware/ff553350(v=vs.85).aspx):
>
> KeWaitForSingleObject( Object, …)
>
> Object [in]
> Pointer to an initialized dispatcher object (event, mutex, semaphore,
> thread, or timer) for which the caller supplies the storage.
>
> There is no process handle inside the list.
> And it’s probably correct - a process has a handle but it is not a dispatcher
> object.
>
> But I will try it, if no other recommendation comes.
>
> Thanks a lot,
> Michael.
–
Jamey Kirby
A process is a waitable object.
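
The wait on the process object suggested in the replies above, shown as an added example (not code from any poster in the thread). `PROC_RECORD` and `TryReleaseRecord` are hypothetical names, the record is assumed to hold a reference taken with `PsLookupProcessByProcessId`, and the `#else` branch holds constructed stand-ins so the logic also compiles outside the WDK.

```c
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
/* Constructed user-mode stand-ins (assumption: only for building and testing
   this logic outside the WDK; a driver uses the real ntddk.h definitions). */
#include <stddef.h>
typedef long NTSTATUS;
typedef void *PVOID;
typedef unsigned char BOOLEAN;
typedef struct { long long QuadPart; } LARGE_INTEGER;
#define STATUS_SUCCESS 0L
#define STATUS_TIMEOUT 0x102L
#define FALSE 0
enum { Executive = 0 };
enum { KernelMode = 0 };
static int g_signaled; /* mock: 1 once the process object is signaled */
static int g_derefs;   /* mock: counts dropped references */
static NTSTATUS KeWaitForSingleObject(PVOID obj, int reason, int mode,
                                      BOOLEAN alertable, LARGE_INTEGER *timeout)
{
    (void)obj; (void)reason; (void)mode; (void)alertable; (void)timeout;
    return g_signaled ? STATUS_SUCCESS : STATUS_TIMEOUT;
}
static void ObDereferenceObject(PVOID obj) { (void)obj; g_derefs++; }
#endif

/* Hypothetical cache entry: Process is a referenced process object
   (PEPROCESS), so the pointer stays valid until the record drops it. */
typedef struct PROC_RECORD {
    PVOID Process;
} PROC_RECORD;

/* Returns 1 when the record no longer holds a process reference and may be
   freed by the caller, 0 while the process object is not yet signaled. */
static int TryReleaseRecord(PROC_RECORD *rec)
{
    LARGE_INTEGER zero;
    NTSTATUS status;

    if (rec->Process == NULL)
        return 1;                        /* already released */
    zero.QuadPart = 0;                   /* zero timeout: test, do not block */
    status = KeWaitForSingleObject(rec->Process, Executive, KernelMode,
                                   FALSE, &zero);
    if (status != STATUS_SUCCESS)
        return 0;                        /* STATUS_TIMEOUT: not signaled yet */
    ObDereferenceObject(rec->Process);   /* drop the reference held by the cache */
    rec->Process = NULL;
    return 1;
}
```
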