Parent Process

Hi all,

I am working on a minifilter driver. I got the process name of the thread attached to the IRP like this:

proc=IoThreadToProcess(Data->Thread);
str = PsGetProcessImageFileName(proc);

But the issue is that my application calls ShellExecute on a file, say “a.txt”, and after this the file is attached to Notepad, and in that case the process name I get is “notepad”, but I want to get the name of my process.

Let me know if anybody can tell me a solution for this, that is, how I can get my process name.

Thanks

You could try registering for a process create notification via
PsSetCreateProcessNotifyRoutine or PsSetCreateProcessNotifyRoutineEx.
You would then need to track this information accordingly.

Pete

On 3/2/2012 5:09 AM, xxxxx@yahoo.com wrote:

Hi all,

I am working on a minifilter driver. I got the process name of the thread attached to the IRP like this:

proc=IoThreadToProcess(Data->Thread);
str = PsGetProcessImageFileName(proc);

But the issue is that my application calls ShellExecute on a file, say “a.txt”, and after this the file is attached to Notepad, and in that case the process name I get is “notepad”, but I want to get the name of my process.

Let me know if anybody can tell me a solution for this, that is, how I can get my process name.

Thanks


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
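
The tracking suggested in the reply above, as an added example (not code from the thread or from any poster): a portable C model of the table a driver could fill from its PsSetCreateProcessNotifyRoutineEx callback, so that the I/O path can map the requestor's PID (notepad) back to the process that started it. All function and type names are hypothetical; in a driver the inputs would come from the callback's ProcessId and CreateInfo fields, and the table would need a lock because callbacks and I/O run concurrently.

```c
#include <stddef.h>
#include <string.h>
/* Portable model, hypothetical names. In a driver, pid/parent/image would be
 * ProcessId, CreateInfo->ParentProcessId and CreateInfo->ImageFileName, and
 * every access to the table would be made under a lock. */
#define MAX_TRACKED 64
typedef struct {
    unsigned long pid, parent;      /* parent = PID reported at create time */
    unsigned long seq, parent_seq;  /* creation order; guards against PID reuse */
    char image[32];
    int live;
} ProcEntry;

static ProcEntry g_procs[MAX_TRACKED];
static unsigned long g_next_seq = 1;

static ProcEntry *find_live(unsigned long pid) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_procs[i].live && g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* Create notification: remember who started the process. Returns 0 if full. */
int on_process_create(unsigned long pid, unsigned long parent, const char *image) {
    ProcEntry *p = find_live(parent);
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        ProcEntry *e = &g_procs[i];
        if (e->live) continue;
        e->pid = pid; e->parent = parent; e->seq = g_next_seq++;
        e->parent_seq = p ? p->seq : 0;  /* 0: parent started before tracking */
        strncpy(e->image, image, sizeof e->image - 1);
        e->image[sizeof e->image - 1] = '\0';
        e->live = 1;
        return 1;
    }
    return 0;
}

/* Exit notification (CreateInfo == NULL in the Ex callback): free the slot. */
void on_process_exit(unsigned long pid) {
    ProcEntry *e = find_live(pid);
    if (e) e->live = 0;
}

/* I/O path: image of the process that started `pid`, or NULL if it is unknown,
 * has exited, or its PID now belongs to a different process. */
const char *launcher_image(unsigned long pid) {
    ProcEntry *e = find_live(pid);
    ProcEntry *p = e ? find_live(e->parent) : NULL;
    return (p && p->seq == e->parent_seq) ? p->image : NULL;
}
```

The sequence check matters because the launching process may exit while the launched one keeps running, after which its PID can be reassigned to an unrelated process.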

Perhaps you are confused. If you call ShellExecute on a file, that file
is opened by the target program selected by ShellExecute. By that time,
the Parent process is no longer relevant. So it is NotePad that owns the
handle to a.txt, and who called NotePad is no longer of any interest.

Now, if you want to control what files your process can call ShellExecute
on, that’s a different question. You have asked the classic “how do I
implement my solution” question, instead of the important “this is the
problem I want to solve” question. You have chosen an implementation
(minifilter) which may or may not be the correct solution, and you want to
implement a concept which is quite unnatural to Windows, the concept of
“parent process” (CreateProcess has a flag that lets you create a “process
group”; this was added so badly-written Unix programs could be more
readily ported, but this “solution” has caused more problems than it has
solved. I know. I’ve had to fix the resulting mess in two cases).
joe
