How to define that process is stopped?

I wrote a cache algorithm which keeps some information for active processes inside the driver.

The problem is the algorithm which destroys the appropriate process record when the process is terminated.
I tried to use ProcessNotifyRoutine(). But I see that after the driver receives the appropriate notification, some callbacks (Registry) continue to be called for the terminated PID!?!
It means that the notification comes BEFORE the process is really destroyed, not after.

The question:
How to define that the process is really killed?
I mean the state when all process threads are destroyed and no more callbacks for it will be executed.

Thanks,
Regards,
Michael.

PS. Currently I realized the appropriate algorithm as a garbage collector. But I really dislike this solution. :(

Would KeWaitForSingleObject() work for you? You can wait on the process
object to be signaled. This will ensure the process has been terminated.

– Jamey

On Tue, Jan 6, 2015 at 5:05 AM, wrote:

> I wrote a cache algorithm which keeps some information for active processes
> inside the driver.
>
> The problem is the algorithm which destroys the appropriate process record when
> the process is terminated.
> I tried to use ProcessNotifyRoutine(). But I see that after the driver receives
> the appropriate notification, some callbacks (Registry) continue to be called
> for the terminated PID!?!
> It means that the notification comes BEFORE the process is really destroyed, not
> after.
>
> The question:
> How to define that the process is really killed?
> I mean the state when all process threads are destroyed and no more
> callbacks for it will be executed.
>
> Thanks,
> Regards,
> Michael.
>
> PS. Currently I realized the appropriate algorithm as a garbage collector. But I
> really dislike this solution. :(


Jamey Kirby
Disrupting the establishment since 1964

This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.

Jamey,
thank you for the reply!

My 1-st look was - you are right, why did I not think about it!?! :)

But my 2-nd look in MSDN (http://msdn.microsoft.com/en-us/library/windows/hardware/ff553350(v=vs.85).aspx):

KeWaitForSingleObject( Object, …)

Object [in]
Pointer to an initialized dispatcher object (event, mutex, semaphore, thread, or timer) for which the caller supplies the storage.

There is no process handle inside the list. :(
And it’s probably correct - a process has a handle, but it is not a dispatcher object.

But I will try it, if no other recommendation comes. :)

Thanks a lot,
Michael.

I believe you can wait on a process object. There is a dispatcher. I see no
reason why it would not work. I have not tried it.

On Tue, Jan 6, 2015 at 10:53 AM, wrote:

> Jamey,
> thank you for the reply!
>
> My 1-st look was - you are right, why did I not think about it!?! :)
>
> But my 2-nd look in MSDN (
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff553350(v=vs.85).aspx
> ):
>
> KeWaitForSingleObject( Object, …)
>
> Object [in]
> Pointer to an initialized dispatcher object (event, mutex, semaphore,
> thread, or timer) for which the caller supplies the storage.
>
> There is no process handle inside the list. :(
> And it’s probably correct - a process has a handle, but it is not a
> dispatcher object.
>
> But I will try it, if no other recommendation comes. :)
>
> Thanks a lot,
> Michael.


Jamey Kirby

A process is a waitable object.