In my project, I need to get the parent PID of the current process. But
PsGetCurrentProcessId() only gets the current process ID, so how do I
get the parent process ID from the EPROCESS struct? Thanks a lot.
Call NtQueryInformationProcess with ProcessBasicInfo;
it returns the parent ID in
PROCESS_BASIC_INFORMATION::InheritedFromUniqueProcessId.
The structure and function prototype are defined in ntifs.h.
Petr Kurtin
“macro” wrote in message news:xxxxx@ntdev…
Of course you should realize that InheritedFromUniqueProcessId does not have
to be the parent. This is controllable from the NtCreateProcess call, and
can be something other than parent, or not valid at all.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
“Petr Kurtin” wrote in message news:xxxxx@ntdev…
Why do you think InheritedFromUniqueProcessId is not always the parent ID?
InheritedFromUniqueProcessId is NULL only for the System process; otherwise it
should be valid.
Of course, don't call NtQueryInformationProcess but ZwQueryInformationProcess.
Petr Kurtin
“Don Burn” wrote in message news:xxxxx@ntdev…
Well, since you can call it with different parameters and the
ZwCreateProcess code handles this, making this assumption can get you in a
lot of potential trouble. I concur that for most cases you will get the
correct results, but this is not guaranteed.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
“Petr Kurtin” wrote in message news:xxxxx@ntdev…
Another problem is that the parent process may have already exited and its PID been reused by another process.
When I needed the PPID once, I used PsSetCreateProcessNotifyRoutine() and kept a database of interesting PIDs + PPIDs. The notify routine is also called on process exit, so PPIDs can be marked invalid.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Don Burn[SMTP:xxxxx@acm.org]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, April 19, 2006 8:24 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to get Parent Pid from Kernel Driver?
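The bookkeeping Michal describes, written out as an added example (this is editor's code, not code from the thread or from any driver mentioned in it). It consumes a constructed stream of notifications in the shape PsSetCreateProcessNotifyRoutine delivers (ParentId, ProcessId, Create) and records, for each child, not just the PPID but a creation stamp of the parent as it was at that moment, so that a later lookup can tell "parent still alive", "parent exited" and "parent PID reused by an unrelated process" apart. The names proc_tracker, on_process_notify, lookup_parent and demo_pid_reuse are assumptions of this example; PIDs are plain integers and the table is a fixed array so it builds on any host. A real driver would call on_process_notify from its registered callback under a lock and allocate records from nonpaged pool.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: PID/PPID tracking driven by create/exit notifications.
 * Handles are modelled as plain integers so this runs outside the kernel. */
typedef unsigned long pid_num;

#define MAX_TRACKED 64

struct proc_entry {
    pid_num  pid;
    pid_num  ppid;        /* ParentId as reported at creation */
    uint64_t seq;         /* creation stamp, unique per process lifetime */
    uint64_t parent_seq;  /* parent's seq when we were created; 0 = parent unknown */
    bool     alive;
    bool     used;
};

struct proc_tracker {
    struct proc_entry slots[MAX_TRACKED];
    uint64_t next_seq;
};

enum parent_state {
    PARENT_ALIVE,       /* ppid still names the process that created the child */
    PARENT_EXITED,      /* parent gone, its pid not handed out again (yet) */
    PARENT_PID_REUSED,  /* ppid now names an unrelated, newer process */
    PARENT_UNTRACKED,   /* parent pre-dated the tracker, cannot be validated */
    CHILD_UNKNOWN       /* child itself was never seen being created */
};

void tracker_init(struct proc_tracker *t)
{
    memset(t, 0, sizeof *t);
    t->next_seq = 1;
}

/* Most recent record for pid, alive or dead (a reused pid has two records). */
static struct proc_entry *find_entry(struct proc_tracker *t, pid_num pid)
{
    struct proc_entry *best = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        struct proc_entry *e = &t->slots[i];
        if (e->used && e->pid == pid && (!best || e->seq > best->seq))
            best = e;
    }
    return best;
}

/* Same argument shape as the PsSetCreateProcessNotifyRoutine callback. */
void on_process_notify(struct proc_tracker *t, pid_num parent, pid_num pid, bool create)
{
    if (!create) {
        struct proc_entry *e = find_entry(t, pid);
        if (e) e->alive = false;  /* keep the record: its children may still ask */
        return;
    }
    struct proc_entry *parent_e = find_entry(t, parent);
    uint64_t parent_seq = (parent_e && parent_e->alive) ? parent_e->seq : 0;

    /* Take a free slot, otherwise evict the oldest dead record. */
    struct proc_entry *slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        struct proc_entry *e = &t->slots[i];
        if (!e->used) { slot = e; break; }
        if (!e->alive && (!slot || e->seq < slot->seq)) slot = e;
    }
    if (!slot) return;  /* table full of live processes; a driver would allocate */

    slot->used = true;
    slot->alive = true;
    slot->pid = pid;
    slot->ppid = parent;
    slot->seq = t->next_seq++;
    slot->parent_seq = parent_seq;
}

enum parent_state lookup_parent(struct proc_tracker *t, pid_num pid, pid_num *ppid_out)
{
    struct proc_entry *child = find_entry(t, pid);
    if (!child) return CHILD_UNKNOWN;
    *ppid_out = child->ppid;
    if (child->parent_seq == 0) return PARENT_UNTRACKED;

    struct proc_entry *parent = find_entry(t, child->ppid);
    if (!parent || !parent->alive) return PARENT_EXITED;
    if (parent->seq != child->parent_seq) return PARENT_PID_REUSED;
    return PARENT_ALIVE;
}

/* Constructed scenario: 100 spawns 200, 100 exits, then pid 100 is recycled
 * for an unrelated process. Returns what lookup_parent says about 200. */
enum parent_state demo_pid_reuse(pid_num *ppid_out)
{
    struct proc_tracker t;
    tracker_init(&t);
    on_process_notify(&t, 4,   100, true);
    on_process_notify(&t, 100, 200, true);
    on_process_notify(&t, 4,   100, false);
    on_process_notify(&t, 4,   100, true);
    return lookup_parent(&t, 200, ppid_out);
}

int main(void)
{
    static const char *names[] = { "ALIVE", "EXITED", "PID_REUSED", "UNTRACKED", "CHILD_UNKNOWN" };
    pid_num ppid = 0;
    enum parent_state s = demo_pid_reuse(&ppid);
    printf("child 200: recorded ppid %lu, parent state %s\n", ppid, names[s]);
    return 0;
}
```

In the scenario, a bare InheritedFromUniqueProcessId still reads 100, which now belongs to a process that never created 200; the stamp comparison is what catches that. The tracker only knows about processes created after it was registered, hence the PARENT_UNTRACKED result for anything whose parent pre-dates the driver.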
“Parent process” is basically meaningless in Win32. The
InheritedFromUniqueProcessId is not necessarily what you think it is – it
does NOT have the same semantics as POSIX “parent process ID”.
What are you trying to achieve? Access control? Job control? The
parent/child relationship is only loosely related to these. Do you just
want to display a process list to the user, similar to Task Manager?
I can’t think of a good reason to ever need this value in kernel-mode, but
I’m willing to entertain the idea that there is one. Can you elaborate?
– arlie
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of macro
Sent: Wednesday, April 19, 2006 3:13 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to get Parent Pid from Kernel Driver?
The ability to trace parent/child relationships. They would be valid for
the instance of the new process’ creation. I wonder what practical use that
would be, but it could be done. I think more information would be obtained
by knowing the credentials given to the process, but whatever floats his
boat.
“Arlie Davis” wrote in message news:xxxxx@ntdev…
Don Burn wrote:
> Well, since you can call it with different parameters and the
> ZwCreateProcess code handles this, making this assumption can get you in a
> lot of potential trouble. I concur that for most cases you will get the
> correct results, but this is not guaranteed.
Thanks for your advice. Though in my first test I used the approach you
introduced, unfortunately in the kernel ZwOpenProcess often returned an error
when opening some processes, and sometimes I got the wrong result. So I am very
puzzled about it. This is my test code:
#include <ntifs.h>

/* Returns InheritedFromUniqueProcessId of the current process, or NULL on failure. */
HANDLE GetParentPid(void)
{
    NTSTATUS Status;
    PROCESS_BASIC_INFORMATION BasicInfo;
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES objectAttributes;
    CLIENT_ID clientId;

    /* OBJ_KERNEL_HANDLE keeps the handle out of the caller's user-mode handle table. */
    InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    clientId.UniqueProcess = PsGetCurrentProcessId();
    clientId.UniqueThread = NULL;

    /* PROCESS_QUERY_INFORMATION is all ZwQueryInformationProcess needs. */
    Status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION,
                           &objectAttributes, &clientId);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("HIDS-Error-01: ZwOpenProcess failed, status 0x%08X\n", Status);
        return NULL;
    }

    Status = ZwQueryInformationProcess(
                 hProcess,              /* could also pass ZwCurrentProcess() for the caller */
                 ProcessBasicInformation,
                 &BasicInfo,
                 sizeof(BasicInfo),
                 NULL);
    ZwClose(hProcess);                  /* always release the handle */
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("HIDS-Error-02: Get parent PID failed for pid %p, status 0x%08X\n",
                 PsGetCurrentProcessId(), Status);
        return NULL;
    }

    return (HANDLE)BasicInfo.InheritedFromUniqueProcessId;
}