Irps remaining corresponding to terminated process

The problem is:

I am using FileSpy as the base code and doing modifications on top of that code. Now I have registered a callback using PsSetLoadImageNotifyRoutine. Whenever any process is created in the system, this callback gets called and I make an entry of process ID and process name in a hash maintained by me. Now whenever any IRP or fast I/O comes, I use PsGetCurrentProcessId, resolve the process ID to the process name using the hash, and use this process name for logging. I remove the process ID and process name entry from the hash when the process corresponding to the PID terminates. For getting that notification I have registered another callback using PsSetCreateProcessNotifyRoutine.

Now the problem is: suppose some process is terminated. I got this notification and removed the entry from the hash, but there are still some IRPs remaining to be processed corresponding to this process. So for some IRPs I do not get the process name.

What do I need to do to resolve this problem?

Regards
Rohit

Just shooting from the hip, but perhaps you should clean up your hash in
irp_close? If the file is closed, there shouldn’t be any more IRPs on it.
From skimming through what you wrote, and not really thinking about it
too much, I’m thinking these extra IRPs you’re seeing are cleanup and
close; however, I don’t know if those come before or after the
PsSetCreateProcess terminate callback is invoked…

I don’t think you have much to worry about here…

Just guessing though…

m


Wait for the process object itself to be signaled (at which point all of
the threads are terminated, which means all of the I/O has either been
canceled or abandoned.) You can do this by calling
KeWaitForSingleObject with the process object.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit
Sent: Friday, June 09, 2006 7:32 AM
To: ntfsd redirect
Subject: [ntfsd] Irps remaining corresponding to terminated process

— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently subscribed
to ntfsd as: xxxxx@osr.com To unsubscribe send a blank email to
xxxxx@lists.osr.com

Tony,

When the PsSetCreateProcessNotifyRoutine terminate callback is called,
what all still exists at that point? Surely the FCB, but what about FOs?
If a process object exists, then file objects should still exist? So
cleanup and close happen after the terminate callback is called?

As I stated when responding to the OP, I was “just shooting from the
hip”. How far off are my assumptions?

m


> Now the problem is suppose some process is terminated,
> I got this notification and removed the entry from hash,
> There are still some IRPs remaining to be processed
> corresponding to this process. So for some IRPs I do not get process name.

This phenomenon you are observing is due to handle table cleanup.
I guess all of your mysterious IRPs are IRP_MJ_CLEANUP
or IRP_MJ_CLOSE, right?

I suggest keeping the hash table entry for a given process ID when
a process ends. Actually it’s not necessary until the process ID
is reused. Just remember that the process has already ended
(I bet you will need to know this later) and let the hash entry be.

One more caveat is that the process ID of an already-terminated
process might also be reused for a thread, but I really think
it will not collide with anything.

L.


Thanks for the reply.

Currently what I am doing to handle this situation is to move the entry
(PID, process name) corresponding to the terminated process to the head of the
free list (linked list). Whenever a new process is created I remove the
entry from the tail of this list.

Whenever IRPs come for the terminated process, I search for that PID in
this free list and fetch the process name corresponding to it, if that
entry has not been allocated to some newly created process.

Am I using the correct approach, or is there any flaw in it?

Tony,
Can you please tell me how to get the process object when the process has
terminated?

Regards
Rohit

Matt,

I’d actually provided my response because I’ve never tried to key
anything off the process termination notification - and I honestly
didn’t want to get sucked into when that notification was being sent
(and if he’s seeing I/O AFTER that point, then it must be sent prior to
the last thread exit.)

I do know the semantics of a signaled process object (it’s the LAST
thing that the LAST thread does before it places itself on the thread
reaper list. Been that way since NT 3.1, in fact.) Hence, why I
suggested this as an alternative - I know how it works, and I know that
the only I/O after this point would have to come from abandoned IRPs.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of MM
Sent: Friday, June 09, 2006 8:31 AM
To: ntfsd redirect
Subject: Re: [ntfsd] Irps remaining corresponding to terminated process


I’d been assuming you didn’t wait until the process terminated, but had
rather stored the process object long before that point. I’d probably
do it the first time I saw that process ID used, but you could also do
it with NtOpenProcess when you see the process creation event; the
latter is likely to be “clearer” on what you are doing, but the former
is lower overhead (since the information you need is extracted from a
couple of pointer dereferences.)

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit
Sent: Friday, June 09, 2006 9:45 AM
To: ntfsd redirect
Subject: Re:[ntfsd] Irps remaining corresponding to terminated process


> Currently what I am doing to handle this situation is to move the entry
> (PID, process name) corresponding to the terminated process to the head of the
> free list (linked list). Whenever a new process is created I remove the
> entry from the tail of this list.
>
> Whenever IRPs come for the terminated process, I search for that PID in
> this free list and fetch the process name corresponding to it, if that
> entry has not been allocated to some newly created process.

You should look up the PID table for MJ_CREATE only, and maintain a second,
file object table where entries are inserted on MJ_CREATE and removed on
MJ_CLOSE. This table’s entries can also have the process name/PID in them, since
it is known at MJ_CREATE time.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
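The two pieces of advice in this thread (L.: keep the PID entry after exit and just flag it; Maxim: consult the PID table at MJ_CREATE only and carry the name in a per-file-object table until MJ_CLOSE) modelled together as an added example in plain user-mode C. This is not code from the thread, from FileSpy or from any poster: the kernel callbacks and IRP dispatch routines are replaced by ordinary functions with the same roles, the tables are fixed-size arrays with linear scans rather than the hash the original poster uses, and the names `pid_table_*`, `fo_table_*`, the `fo` handle values and the PID/process names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8
#define MAX_FOS   16
#define NAME_LEN  32

/* PID table entry: recorded at process creation, kept after exit (flagged). */
typedef struct { bool in_use, ended; uint32_t pid; char name[NAME_LEN]; } pid_entry_t;
/* File-object table entry: created at IRP_MJ_CREATE, removed at IRP_MJ_CLOSE.
 * "fo" stands in for the PFILE_OBJECT pointer a real filter would key on. */
typedef struct { bool in_use; uintptr_t fo; char name[NAME_LEN]; } fo_entry_t;

static pid_entry_t g_pids[MAX_PROCS];   /* zero-initialised: all slots free */
static fo_entry_t  g_fos[MAX_FOS];

/* Process creation. Returns the slot used, or -1 if the table is full. A PID
 * already present (reused after an exit) overwrites the stale entry, which is
 * why the "ended" flag is cleared here rather than on exit. */
int pid_table_on_create(uint32_t pid, const char *name) {
    int slot = -1;
    for (int i = 0; i < MAX_PROCS; i++) {
        if (g_pids[i].in_use && g_pids[i].pid == pid) { slot = i; break; }
        if (!g_pids[i].in_use && slot < 0) slot = i;
    }
    if (slot < 0) return -1;
    g_pids[slot].in_use = true;
    g_pids[slot].ended  = false;
    g_pids[slot].pid    = pid;
    snprintf(g_pids[slot].name, NAME_LEN, "%s", name);
    return slot;
}

/* Process exit (the Create == FALSE notification). The entry is kept and only
 * flagged, so IRPs arriving after this point still resolve to a name.
 * Returns false if the PID was never recorded. */
bool pid_table_on_exit(uint32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_pids[i].in_use && g_pids[i].pid == pid) { g_pids[i].ended = true; return true; }
    return false;
}

/* Name for a requester PID, or NULL if unknown. */
const char *pid_table_lookup(uint32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_pids[i].in_use && g_pids[i].pid == pid) return g_pids[i].name;
    return NULL;
}

/* True once the exit notification has been seen for this PID. */
bool pid_table_has_ended(uint32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_pids[i].in_use && g_pids[i].pid == pid) return g_pids[i].ended;
    return false;
}

/* IRP_MJ_CREATE: the only point at which the PID table is consulted. The
 * resolved name is copied into the file-object entry, so later IRPs on this
 * file object do not depend on the PID table at all. Returns slot or -1. */
int fo_table_on_create(uintptr_t fo, uint32_t pid) {
    const char *name = pid_table_lookup(pid);
    for (int i = 0; i < MAX_FOS; i++) {
        if (g_fos[i].in_use) continue;
        g_fos[i].in_use = true;
        g_fos[i].fo     = fo;
        snprintf(g_fos[i].name, NAME_LEN, "%s", name ? name : "<unknown>");
        return i;
    }
    return -1;
}

/* Any later IRP (read, write, cleanup, close): resolve by file object. */
const char *fo_table_lookup(uintptr_t fo) {
    for (int i = 0; i < MAX_FOS; i++)
        if (g_fos[i].in_use && g_fos[i].fo == fo) return g_fos[i].name;
    return NULL;
}

/* IRP_MJ_CLOSE: last reference to the file object is gone; drop the entry. */
bool fo_table_on_close(uintptr_t fo) {
    for (int i = 0; i < MAX_FOS; i++)
        if (g_fos[i].in_use && g_fos[i].fo == fo) { g_fos[i].in_use = false; return true; }
    return false;
}

/* Constructed scenario from the thread: process 1234 opens a file, exits, and
 * its IRP_MJ_CLEANUP/CLOSE arrive only after the exit notification. */
int main(void) {
    pid_table_on_create(1234, "notepad.exe");
    fo_table_on_create(0x1000, 1234);
    pid_table_on_exit(1234);
    printf("close on FO 0x1000 logged as %s (pid 1234 ended=%d)\n",
           fo_table_lookup(0x1000), pid_table_has_ended(1234));
    fo_table_on_close(0x1000);
    pid_table_on_create(1234, "cmd.exe");   /* PID reused by a new process */
    printf("pid 1234 now resolves to %s\n", pid_table_lookup(1234));
    return 0;
}
```

The late cleanup/close IRPs in the scenario resolve through the file-object entry, which was filled while the process was still alive, so the PID table's state at that moment no longer matters; L.'s PID-reuse caveat is handled at creation, where a reused PID replaces the stale entry and clears its flag. In a real filter both tables are touched from process-notify callbacks and from IRP dispatch concurrently, so they need a lock (omitted here), and the second table should be keyed on the file object pointer exactly as Maxim describes.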