How to terminate a process from the driver

Hi,

I have a driver running on 2K which monitors process creation. This has been
achieved using PsSetCreateProcessNotifyRoutine.

I was looking at killing a process based on certain conditions.

The methodology used for killing is as listed below:

1. Obtain a handle to the process using ZwOpenProcess.

2. Kill the process using ZwTerminateProcess, whose input is the process handle
obtained from ZwOpenProcess.

The problem that I am facing is that, though the process gets terminated, the
Task Manager still lists the same…

What exactly should be followed to kill the process in the driver?

Regards,

Smitha

http://www.patni.com
World-Wide Partnerships. World-Class Solutions.




Check for IRPs pending from any of the threads in this process.

~Sisimon

On 7/19/06, Smitha Chandran wrote:



Hi mate

One important question: are you sure that you call ZwClose() on the handle that you pass to ZwTerminateProcess? The process gets removed from the process list only after its reference count goes down to zero.

Don't forget that your callback gets invoked in the context of the system process, which never terminates. Therefore, if you don't call ZwClose(), the process's reference count will never get down to zero, so that, instead of terminating the process, you just turn it into a "zombie".

Anton Bassov

Yes, ZwClose was indeed missing. Thanks.
Now for the problem…
The code to terminate the process still continues to exhibit the behaviour mentioned before, i.e. it leaves a zombie in the Task Manager. An observation here is that no code below ZwTerminateProcess is getting executed, which means ZwClose is not getting executed.

Actually, if I paste the code for killing the process in an IRP handler, then it works fine…
My question then is: is the behaviour that I see because the process that I want to terminate is not yet fully created, since my code lies in the callback for PsSetCreateProcessNotifyRoutine?

If this is indeed the reason, any clues on how to go ahead?

Call ZwTerminateProcess in a system thread.

Thanks Ray, that indeed was a helpful suggestion. It works when invoked on a system thread. But I get an alert message thrown by Windows. Is there a way I can prevent this from happening?