How to get the requestor process id in a disk filter driver?

Hi!
I am implementing a disk filter driver. In this, I need to find out the process ID for which a read/write request has come.
I tried IoGetRequestorProcessId(…) but it mostly gives 0, 1, 2 or 3… I think it's because these IRPs are formed for the requests issued by the file system driver or the cache manager…

In other words, suppose an application is writing some data. It will be sent to the file system driver, which in turn will make a new IRP and send it to the disk driver…
How can I get the process ID of the application??

I have disabled all Fast IO requests by implementing a small minifilter so that the Cache Manager does not come into the picture…
Now all requests go to the FS driver in IRP format, which in turn builds new IRPs for the original IRPs and sends them to the disk driver…

HOW CAN I GET THE REQUESTOR PROCESS ID IN MY DISK FILTER DRIVER??

Thanks…
Ayush

It doesn’t matter if you disable Fast IOs. The main reason is that only the topmost drivers execute in a nonarbitrary thread context and all underlying drivers may get called in an arbitrary thread context (e.g. queue IRPs with STATUS_PENDING/IoMarkIrpPending). Hence when you call IoGetRequestorProcessId, it just returns the process ID of the current process in which your driver executes.

You can’t from a disk driver. There is no relationship between the IRP
generated by the user request and the paging IO that generates the IRPs seen
in the disk stack. They can come in any thread, including system threads that
do not run in user mode. Some have done what you want by using both a file
system filter and a disk class filter. It involves a lot of bookkeeping and
you almost have to be a file system to know what data is being accessed by
each disk read. If you don’t know the disk layout, how can you know that a
read from an NTFS partition is for the MFT entry or the data within the MFT
entry? Then also add in the data that resides outside the MFT you have to
track and life gets interesting. Sounds like about three man years of work
if NTFS stays stable and you can get access to OS source code.
