How to determine whether the current thread is in system process context?

Hello,

Is it correct to compare the process id returned by
IoGetRequestorProcessId() to 4? I couldn’t find any document for
determination of a system process context.

Regards,
Shangwu

That number has changed over time so this is not a good idea. Why do you
think you need this?


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Hi Don,

Thank you for replying. I need to check if a request comes from network or
local. The OSR’s Q59 says to examine the process context firstly. But it
does not say how to examine.

Regards,
Shangwu


There may be a better way, hopefully OSR will speak up. DriverEntry is
always called in the context of the system process. Save the current
process ID at driver entry time, then use it for the compare.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Yeah, I am thinking of doing that now. Is there only one system process running
in kernel mode? I am not sure whether it is the same process that calls
DriverEntry when it impersonates a network request.

Regards,
Shangwu


I also think comparing the ID and checking if it’s smaller than or equal to
4 is safer, but there is also IoIsSystemThread or PsIsSystemThread.

Regards,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com


Another thought is to not rely on impersonation. I worked on a driver once
where we created a service component. The service ran in its own login
context. The service called an IOCTL to the driver. The IOCTL created a
system thread in the context of the service process. Since this service was
given proper network rights, the driver could do all the network IO it wanted
to without worrying about impersonation.

Just some thoughts…

Jamey
----- Original Message -----
From: “Daniel Terhell”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, April 06, 2005 10:05 AM
Subject: Re:[ntfsd] How to determine whether the current thread is in system
process context?


Daniel,

Thank you for the information. I will try the functions.

Regards,
Shangwu


In DriverEntry store away the current Process address, as that is the
system process. In the future, you can compare this against the current
process to determine if you are in system process context.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Busy teaching file systems in Boston - if you didn’t make it, see you in
Palo Alto in the fall '05!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shangwu
Sent: Wednesday, April 06, 2005 10:57 AM
To: ntfsd redirect
Subject: [ntfsd] How to determine whether the current thread is in
system process context?


Thank you Tony for the information.

Regards,
Shangwu
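The approach Don and Tony describe (capture the System process in DriverEntry, compare against it later instead of hard-coding PID 4), written out as an added example that is not code from the thread or from OSR. It assumes a `USE_WDK` build macro and, when that is not defined, a small host-side model of `PsGetCurrentProcess`/`IoGetRequestorProcess` so the comparison logic can be exercised outside the kernel.

```c
/* Added example, not code from the thread: capture the System process in
 * DriverEntry (Don's and Tony's suggestion) and compare against it later
 * instead of hard-coding PID 4. Build with -DUSE_WDK under the WDK; otherwise
 * a small host-side model (assumed here) of the two kernel calls is used. */
#ifdef USE_WDK
#include <ntddk.h>
#else
#include <stddef.h>
typedef void *PEPROCESS;
typedef int BOOLEAN;
typedef struct _IRP { PEPROCESS RequestorProcess; } IRP, *PIRP;
static PEPROCESS g_HostCurrentProcess;   /* model of "the current process" */
static PEPROCESS PsGetCurrentProcess(void) { return g_HostCurrentProcess; }
static PEPROCESS IoGetRequestorProcess(PIRP Irp) { return Irp->RequestorProcess; }
#endif
/* DriverEntry always runs in the System process, so its PEPROCESS is saved
 * once there. The process object is stable; the System PID has changed. */
static PEPROCESS g_SystemProcess = NULL;

void RememberSystemProcess(void)         /* call this first in DriverEntry */
{
    g_SystemProcess = PsGetCurrentProcess();
}
/* Is the calling thread in the System process now? This says nothing about
 * impersonation, which is a property of the thread, not of the process. */
BOOLEAN InSystemProcessContext(void)
{
    return g_SystemProcess != NULL && PsGetCurrentProcess() == g_SystemProcess;
}
/* For an IRP, ask which process issued it rather than who is running now:
 * a lower driver may see the IRP in a different thread context. */
BOOLEAN IrpFromSystemProcess(PIRP Irp)
{
    return g_SystemProcess != NULL && IoGetRequestorProcess(Irp) == g_SystemProcess;
}
#ifndef USE_WDK
/* Host-model self-check: 1 when both predicates behave as expected. */
int HostSelfTest(void)
{
    int sys, other;                      /* addresses stand in for EPROCESS */
    IRP irp = { &sys };
    g_HostCurrentProcess = &sys;         /* "DriverEntry" runs in System */
    RememberSystemProcess();
    if (!InSystemProcessContext() || !IrpFromSystemProcess(&irp)) return 0;
    g_HostCurrentProcess = &other;       /* later: a user process is current */
    irp.RequestorProcess = &other;
    return !InSystemProcessContext() && !IrpFromSystemProcess(&irp);
}
#endif
```

Before `RememberSystemProcess` has run both predicates return false, so a dispatch routine reached early cannot mistake an unknown context for System.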
