At the last plugfest Neal and I got into a discussion about how it is possible to know who the requester was in a create when it's coming from within the "System" PID. I think I recall him saying something about the fact that the owner would be the current thread (or was it the calling thread) if the last mode was in KernelMode. Unfortunately I have forgotten a critical piece of that conversation, and was hoping someone may be able to fill me in, and possibly point me to some documentation on how best to do this.
I know I can call IoGetRequestorProcessId() and then determine if it's the "System" PID. I can call ExGetPreviousMode() to see if the previous mode was KernelMode. But then what? Am I supposed to be probing the current thread (i.e. KeGetCurrentThread), or is it supposed to be the last thread? How do I get the filename (and path) of the thread... if that was what Neal recommended.
Serves me right for not writing this down. Hopefully someone can point me in the right direction. Thanks.
–
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]