IoIsSystemThread() in Windows 2000

  1. The instruction IoIsSystemThread(PsGetCurrentThread()) is always returning FALSE.
    Is there any other solution to detect if it is a SYSTEM thread under Windows 2000?

There is an alternate function: PsIsSystemThread()

http://msdn.microsoft.com/en-us/library/windows/hardware/ff559945(v=vs.85).aspx

But internally it's exactly the same as IoIsSystemThread().

What exactly do you want to do and why do you need to make sure you are running the system thread?

Are you really sure this is broken? I think that would have caused a lot of
software to break at the time.

At DriverEntry get the current process ID, which is the system process. This
is safer than relying on it being 0, for which there is no guarantee. Instead of
IoIsSystemThread(PsGetCurrentThread) use PsGetCurrentProcessId and compare
that to the value that you took.

But normally you know in what context you are getting called, so there should
be no need for this. What could justify the use of
IoIsSystemThread(PsGetCurrentThread)? If this is for a dispatch handler to
check where the I/O originates from in the create path, then there are better
ways to do that.

//Daniel

wrote in message news:xxxxx@ntfsd…

> 1. The instruction IoIsSystemThread(PsGetCurrentThread()) is always returning
> FALSE.
> Is there any other solution to detect if it is a SYSTEM thread under
> Windows 2000?

Kerem Guemruekcue,
PsIsSystemThread() is not for Windows 2000:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff559945(v=vs.85).aspx

Daniel Terhell,
IoIsSystemThread(PsGetCurrentThread) is TRUE under DriverEntry,

  1. Is IoIsSystemThread() supported under Windows 2000?
    http://msdn.microsoft.com/en-us/library/windows/hardware/ff548455(v=vs.85).aspx

  2. Under Windows 2000, in the Create pre-operation, the instruction IoIsSystemThread(PsGetCurrentThread)
    is always FALSE, but under Windows XP and above it is different.

Currently, I am linking its libraries using WDK 7.1 -> C:\WinDDK\7600.16385.1\lib\wnet
for Windows 2000; I suspect this is not correct.

Please advise.

>IoIsSystemThread(PsGetCurrentThread) is TRUE under DriverEntry,

If you mean it returns TRUE on Windows 2000 then that shows that it’s not
broken.

//Daniel

Daniel,
…but why is IoIsSystemThread(PsGetCurrentThread()) always FALSE
in the Create pre-operation under Windows 2000?

I am thinking of compiling and linking using the Windows Server 2003 SP1 DDK libraries for Windows 2000, e.g. under C:\WinDDK\3790.1830\lib\w2k\i386, to see if IoIsSystemThread(PsGetCurrentThread())
still functions the same.

Is the Windows Server 2003 SP1 DDK the latest version of the DDK available for compiling drivers for Windows 2000?

Please advise.

Why would you expect it to be different? Pre-create will always be
called in the caller's context and I would expect this to not be the
system process in most cases. It is possible that something changed
post-2000 such that there are more calls from the system process for
opening files, but I would say that on any OS it will almost always not
be the system process.

You did show that the API returns TRUE in DriverEntry, thus the API is
not broken. To verify this, which someone already suggested, grab the
ProcessId via PsGetCurrentProcessId() in DriverEntry and stash it away.
Then compare this to the ProcessId in pre-create. If they match and the
API returns FALSE then it is broken, but I doubt this will happen.

Pete

On 2/25/2013 1:44 AM, xxxxx@yahoo.com wrote:

> Daniel,
> …but why is IoIsSystemThread(PsGetCurrentThread()) always FALSE
> in the Create pre-operation under Windows 2000?
>
> I am thinking of compiling and linking using the Windows Server 2003 SP1 DDK libraries for Windows 2000, e.g. under C:\WinDDK\3790.1830\lib\w2k\i386, to see if IoIsSystemThread(PsGetCurrentThread())
> still functions the same.
>
> Is the Windows Server 2003 SP1 DDK the latest version of the DDK available for compiling drivers for Windows 2000?
>
> Please advise.



Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
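
The verification suggested in the replies above (stash the process ID seen in DriverEntry, then compare it with the one seen in pre-create alongside the IoIsSystemThread result), written out as an added example that is not code from the thread or from any poster. It assumes a minifilter pre-create callback; `BUILD_AS_DRIVER`, `ClassifyCreateContext`, `CaptureSystemPid`, `PreCreate` and `g_SystemPid` are hypothetical names, and without `BUILD_AS_DRIVER` only the decision logic compiles so it can be checked on a host machine.

```c
/* Added example, not from the thread. Define BUILD_AS_DRIVER (hypothetical
 * macro) when compiling inside a minifilter project; without it only the
 * portable decision logic below is built. */
#ifdef BUILD_AS_DRIVER
#include <fltKernel.h>
#else
typedef void *HANDLE;            /* host stand-ins for the WDK types */
typedef unsigned char BOOLEAN;
#endif

typedef enum {
    CTX_USER_CALLER,       /* different process ID, API FALSE: usual pre-create case */
    CTX_SYSTEM_THREAD,     /* system process ID, API TRUE: as seen in DriverEntry */
    CTX_API_SUSPECT,       /* system process ID but API FALSE: the "broken" case */
    CTX_SYSTEM_OTHER_PID   /* API TRUE but a different process ID */
} CREATE_CTX;

/* Combine the stashed system PID, the current PID and the API's answer. */
static CREATE_CTX ClassifyCreateContext(HANDLE systemPid, HANDLE currentPid,
                                        BOOLEAN apiSaysSystem)
{
    if (currentPid == systemPid)
        return apiSaysSystem ? CTX_SYSTEM_THREAD : CTX_API_SUSPECT;
    return apiSaysSystem ? CTX_SYSTEM_OTHER_PID : CTX_USER_CALLER;
}

#ifdef BUILD_AS_DRIVER
static HANDLE g_SystemPid;   /* process ID captured once at load time */

VOID CaptureSystemPid(VOID)  /* call from DriverEntry, as the replies suggest */
{
    g_SystemPid = PsGetCurrentProcessId();
}

FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
          PVOID *CompletionContext)
{
    CREATE_CTX ctx;
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    ctx = ClassifyCreateContext(g_SystemPid, PsGetCurrentProcessId(),
                                IoIsSystemThread(PsGetCurrentThread()));
    if (ctx == CTX_API_SUSPECT)   /* only this outcome points at the API itself */
        DbgPrint("pre-create: system PID %p, IoIsSystemThread FALSE\n", g_SystemPid);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```
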