How to know a process is 64bit or 32bit? (kernel programming)

hi,

i am writing a small kernel module to monitor Windows processes. this
is for Windows 7, x64 edition.

could you please tell me how can i say if a certain process is running
in 64bit or 32bit mode, given the process ID?

i tried IsWow64Process(), but when i put #include <winbase.h>, which
is required for this function, the compiler reports a lot of errors
regarding winbase.h. so i suspect that IsWow64Process() is not for
kernel code.

thanks a lot,
Jun

ZwQueryInformationProcess might work for you, but note the remark at the start of the MSDN article:
http://msdn.microsoft.com/en-us/library/ms687420(v=vs.85).aspx

Dejan.

Jun Koi wrote:

> hi,
>
> i am writing a small kernel module to monitor Windows processes. this
> is for Windows 7, x64 edition.
>
> could you please tell me how can i say if a certain process is running
> in 64bit or 32bit mode, given the process ID?
>
> i tried IsWow64Process(), but when i put #include <winbase.h>, which
> is required for this function, the compiler reports a lot of errors
> regarding winbase.h. so i suspect that IsWow64Process() is not for
> kernel code.
>
> thanks a lot,
> Jun


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Not exactly given the process ID, like you are asking. But you can call
IoIs32BitProcess to find out about the process in whose context you are
currently running. If that is really not enough, if you are monitoring
processes, you could use a thread creation notification callback and
populate a lookup table there for later reference.

//Daniel

“Jun Koi” wrote in message news:xxxxx@ntdev…
> hi,
>
> i am writing a small kernel module to monitor Windows processes. this
> is for Windows 7, x64 edition.
>
> could you please tell me how can i say if a certain process is running
> in 64bit or 32bit mode, given the process ID?
>
> i tried IsWow64Process(), but when i put #include <winbase.h>, which
> is required for this function, the compiler reports a lot of errors
> regarding winbase.h. so i suspect that IsWow64Process() is not for
> kernel code.
>
> thanks a lot,
> Jun

No, that’s not correct.

IoIs32BitProcess takes a PIRP as an argument, and returns TRUE if the process that originated the IRP is a 32-bit process.

The function works in an arbitrary thread context and does not return results based on the current process context.

Peter
OSR

On 4/27/2011 8:37 AM, xxxxx@osr.com wrote:

> No, that’s not correct.
>
> IoIs32BitProcess takes a PIRP as an argument, and returns TRUE if the process that originated the IRP is a 32-bit process.
>
> The function works in an arbitrary thread context and does not return results based on the current process context.

I think you can specify NULL for the Irp and it will interpret the
current context of the caller.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Mea culpa… you are indeed correct. Thank you for the correction, Mr. Scott.

My apologies, Mr. Terhell!

From MSDN:

“If the Irp parameter is NULL, and the caller is running in the context of a user-mode process, IoIs32bitProcess returns TRUE if this process is a 32-bit process.”

Peter
OSR
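
The lookup table suggested earlier in the thread, as an added example that is not part of any post: a PID-to-bitness cache in plain C that drops entries on process exit so a recycled PID never returns the previous owner's answer. The function names are hypothetical, the caller is assumed to pass in the bitness its notification callback determined, and the locking a driver would need is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define SLOTS 256u  /* constructed capacity, must be a power of two */
enum state { EMPTY = 0, USED, TOMB };
struct slot { uintptr_t pid; bool is32; enum state st; };
static struct slot table[SLOTS];  /* assumption: no locking, single-threaded model */

/* Windows PIDs are multiples of 4, so drop the two low bits before masking. */
static struct slot *probe(uintptr_t pid, size_t i)
{
    return &table[((size_t)(pid >> 2) + i) & (SLOTS - 1)];
}

/* Hypothetical hook for the creation callback. Returns false if the table is full. */
bool bitness_record(uintptr_t pid, bool is32)
{
    struct slot *dst = NULL;
    for (size_t i = 0; i < SLOTS; i++) {
        struct slot *s = probe(pid, i);
        if (s->st == USED && s->pid == pid) { dst = s; break; } /* stale entry: overwrite */
        if (s->st != USED && !dst) dst = s;                      /* first free slot seen */
        if (s->st == EMPTY) break;                               /* end of probe chain */
    }
    if (!dst) return false;
    dst->pid = pid; dst->is32 = is32; dst->st = USED;
    return true;
}

/* Hypothetical hook for process exit: leaves a tombstone so later probes still work. */
void bitness_forget(uintptr_t pid)
{
    for (size_t i = 0; i < SLOTS; i++) {
        struct slot *s = probe(pid, i);
        if (s->st == EMPTY) return;
        if (s->st == USED && s->pid == pid) { s->st = TOMB; return; }
    }
}

/* Returns false for an unknown PID; *is32 is written only on success. */
bool bitness_lookup(uintptr_t pid, bool *is32)
{
    for (size_t i = 0; i < SLOTS; i++) {
        const struct slot *s = probe(pid, i);
        if (s->st == EMPTY) return false;
        if (s->st == USED && s->pid == pid) { *is32 = s->is32; return true; }
    }
    return false;
}
```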