Knowing which driver is making a file request

At the last plugfest Neal and I got into a discussion about how it is possible to know who the requester was in a create when it's coming from within the “System” PID. I think I recall him saying something about the fact that the owner would be the current thread (or was it the calling thread) if the last mode was in KernelMode. Unfortunately I have forgotten a critical piece of that conversation, and was hoping someone may be able to fill me in, and possibly point me to some documentation on how best to do this.

I know I can call IoGetRequestorProcessId() and then determine if it's the “System” PID. I can call ExGetPreviousMode() to see if the previous mode was KernelMode. But then what? Am I supposed to be probing the current thread (i.e. KeGetCurrentThread), or is it supposed to be the last thread? How do I get the filename (and path) of the thread… if that was what Neal recommended.

Serves me right for not writing this down. Hopefully someone can point me in the right direction. Thanks.


Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]

I’m afraid you will not be able to get the name of the driver that initiated the request.
Yes, you may find the thread and the process by examining Irp->Tail.Overlay.OriginalThread, but in the case of a driver, the thread may be in an arbitrary process.

Some information is stored in the stack frame; in the debugger, you may pretty well find which component has initiated the request.

L.