How to identify process that is opening a file from within a mini-filter

NTFSD
1

Hi,

I’ve written a mini-filter that is able to detect file create/open and file deletes. I’ve written it to specifically detect these events in a specific directory for the “.jpg” file extension and the mini-filter seems to be working nicely. However, what I want to do now, is to identify the process that the event is originating from. For example, when a the mini-filter detects a file open, I’d like to obtain the name of the process that is opening the file. Is this possible? If so, can someone point me in the right direction? Lastly, is there a better way to do this type of thing? Maybe, using a WIN32 API.

Thanks!
James

2

The process ID is available in the IRP. Of course, without monitoring
process creation and destruction you can’t know what program was used to
create the process. When you see the IRP, the process will be alive, but if
you later send the PID to a user mode program, it may have changed by then.

wrote in message news:xxxxx@ntfsd…
> Hi,
>
> I’ve written a mini-filter that is able to detect file create/open and
> file deletes. I’ve written it to specifically detect these events in a
> specific directory for the “.jpg” file extension and the mini-filter seems
> to be working nicely. However, what I want to do now, is to identify the
> process that the event is originating from. For example, when a the
> mini-filter detects a file open, I’d like to obtain the name of the
> process that is opening the file. Is this possible? If so, can someone
> point me in the right direction? Lastly, is there a better way to do this
> type of thing? Maybe, using a WIN32 API.
>
> Thanks!
> James
>

3

Thanks *very* much for your reply. This is encouraging and I’ll take look more closely for the PID. For now, I think I’ll let my user mode app check for the existence of the PID, rather then implement process monitoring in my mini-filter.

Best Regards,
James

4

So I’ve spent some time looking at the different inputs to my callback routine for processing IRP_MJ_CREATE, and I’m not finding any reference to the originating PID. I suspect this may not be available in the mini-filter, but I’m so new to driver development, I really don’t know. Can you comment on this?

I’m capture my IRP_MJ_CREATE event like this:

FLT_POSTOP_CALLBACK_STATUS
ScannerPostCreate (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags
)
{
PSCANNER_STREAM_HANDLE_CONTEXT scannerContext;
FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
PFLT_FILE_NAME_INFORMATION nameInfo;
NTSTATUS status;
BOOLEAN safeToOpen, scanFile;

UNREFERENCED_PARAMETER( CompletionContext );
UNREFERENCED_PARAMETER( Flags );

if ( (FILE_OPENED & Data->IoStatus.Information) == FILE_OPENED)
{
if (Data->RequestorMode == UserMode)
{
//
// Check if we are interested in this file.
//

status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );

if (!NT_SUCCESS( status )) {

return FLT_POSTOP_FINISHED_PROCESSING;
}

FltParseFileNameInformation( nameInfo );

//
// Check if the extension matches the list of extensions we are interested in
//

if (RtlPrefixUnicodeString ( &TargetFolder, &nameInfo->ParentDir, TRUE ) == TRUE) {

scanFile = ScannerpCheckExtension( &nameInfo->Extension );

if (scanFile)
{
status = ScannerpSendFileNameInUserMode ( &nameInfo->Name, 3 );
}

}
//TODO : send file name to user app

FltReleaseFileNameInformation( nameInfo );
}
}
else if ( ( FILE_DELETE_ON_CLOSE & Data->IoStatus.Information) == FILE_DELETE_ON_CLOSE)
{
//
// Check if we are interested in this file.
//

status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );

if (!NT_SUCCESS( status )) {

return FLT_POSTOP_FINISHED_PROCESSING;
}

FltParseFileNameInformation( nameInfo );

//
// Check if the extension matches the list of extensions we are interested in
//

if (RtlPrefixUnicodeString ( &TargetFolder, &nameInfo->ParentDir, TRUE ) == TRUE) {

scanFile = ScannerpCheckExtension( &nameInfo->Extension );

if (scanFile)
{
status = ScannerpSendFileNameInUserMode ( &nameInfo->Name, 1 );
}

}
//TODO : send file name to user app

FltReleaseFileNameInformation( nameInfo );
}

return FLT_POSTOP_FINISHED_PROCESSING;

}

5

I found a solution:

In the FLT_CALLBACK_DATA structure is a filed called “Thread” that provide the thread id of the originating thread. Then you can use the IoThreadToProcess() API to get the process id.

6

>IRP_MJ_CREATE, and I’m not finding any reference to the originating PID

IoGetRequestorProcessId


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

7

Or, in a minifilter, FltGetRequestorProcessId (http://msdn.microsoft.com/en-us/library/aa488593.aspx).

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

8

Perfect! This is just what I was looking for. Man, I really need to get familiar with all the API calls thar are available. I guess it’s just gonna take some time.

Thanks!
James

9

Be careful with process analyzing with following canceling operations.
It may be System too, if, for example, request has been originated from kernel system thread… :slight_smile:

Other, one of my drivers, for example, impersonates thread when working in system context and generates some IRPs… :slight_smile:

Other words, be careful with canceling!

Regards,
MG.