PID from EPROCESS on Win2K

Okay…this may be a stupid question, but I have searched everywhere and
can’t find the answer.

How did people use to get a PID from an EPROCESS on Win2K? Is there a
sanctioned way of doing this, or do I just need to hack my own EPROCESS
struct together and use that?

I know about PsGetProcessId() on XP and later…this is Win2K only.

Thanks.

Bill M.

The only documented way I know is PsLookupProcessByProcessId; you will need
to pass the list of running PIDs and see which one matches your process.

/Daniel


Excellent…well that is doable. Thanks a bunch!!

Bill M.


PsGetProcessId() is available on XP… otherwise you will have to build a
table of OS/offset for NT4 and W2K.

t.

On Tue, 3 Jul 2007, Bill McKenzie wrote:

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@openmars.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Actually though, is that doable in a sanctioned way? The method I was
thinking to get the PIDs is probably not valid either.

Bill M.


You should get them from user mode or otherwise use
ZwQuerySystemInformation. The other documented way is to use the
PsSetCreateProcess routine and in there call PsGetCurrentProcess and
PsGetCurrentProcessId and maintain a list.

/Daniel


Short of a better suggestion, in this specific case, as you are
definitely limited to a known static set of targets (w2k, any service
packs you wish to support, and, potentially, checked v. free), I would
be tempted to just roll my own EPROCESS structure as you mentioned
originally to handle all those cases, which, given the amount of
EPROCESS you need, probably all boil down to a few cases, and maybe just
one. What Daniel suggested will certainly work. However, (1) going to
user mode is a pain in the ass and a lot of work just to get a process
id, and is also subject to someone killing your service/application; and
(2) the PsXXX approach doesn’t address the problem of processes that
exist before your driver is loaded, unless you plan on loading early and
special casing idle and system, but this is dicey. That the PsXXX
approach would be notified upon changes is very nice, and could be used
as well.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
Sent: Tuesday, July 03, 2007 18:21
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] PID from EPROCESS on Win2K

Thanks much Daniel!!

Bill M.


Yeah, it’s pretty much damned if you do…damned if you don’t here. I can
either use an undocumented struct in a hackish manner, or at least one if not
several undocumented calls, or OMG set up a whole table of PIDs as processes
start (don’t think so).

Hmmmm…the fuzzy picture around buggy third party drivers is sure getting
clearer :)

Bill M.


You are totally right. For many years now, the whole world has needed to
convert PIDs to processes and vice versa. Lots of drivers are registering a
callback function, and all of those maintain their own list of PIDs, processes
and process names, and have at least one user mode service running to feed
them information they cannot obtain in kernel mode. There was a time when such
drivers always needed to remain loaded, and there was a hard-coded limit of 8
of those routines in the system. All this misery while the PID is just a few
bytes of offset away. It is one of the first field members; if anybody is ever
going to insert new members at the top of the EPROCESS structure, then there
can be only one reason.

/Daniel


> How did people used to get a PID from an EPROCESS on Win2K? Is there a

sanctioned way of doing this, or do I just need to hack my own EPROCESS
struct together and use that?

I would do it the following way, which is absolutely generic:

  1. Pass a pointer to the target object (which, in this context, happens to be EPROCESS) to ObOpenObjectByPointer() in order to get a handle that I may subsequently use in system calls

  2. Pass this handle to the target system service (in this context, to NtQueryInformationProcess()) and get all info I need

Anton Bassov
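Anton's two steps as working code, added here and not taken from the original posts: the kernel branch is what a driver would compile against the DDK (it assumes ntddk.h declares ZwQueryInformationProcess and PROCESS_BASIC_INFORMATION, and that the WDK build defines `_KERNEL_MODE`; `PidFromEprocess` is my name), and the host branch is a constructed stand-in so the same function compiles and runs outside a kernel, which lets the call sequence, the short-buffer check and the handle cleanup be exercised.

```c
#ifdef _KERNEL_MODE   /* real build: WDK/DDK driver project (macro assumed to be defined there) */
/* Assumes ntddk.h declares ZwQueryInformationProcess and PROCESS_BASIC_INFORMATION
   (current WDKs do; on the Win2K DDK you declare both yourself; ntoskrnl exports it). */
#include <ntddk.h>
#else                 /* constructed host stand-ins so the file compiles and runs anywhere */
#include <stdint.h>
#include <string.h>
typedef int32_t NTSTATUS;   typedef uint32_t ULONG;    typedef uintptr_t ULONG_PTR;
typedef void *PVOID;        typedef void *HANDLE;      typedef ULONG ACCESS_MASK;
typedef int32_t KPRIORITY;  typedef char KPROCESSOR_MODE;
typedef struct _OBJECT_TYPE { int unused; } *POBJECT_TYPE;
typedef struct _ACCESS_STATE *PACCESS_STATE;
#define NT_SUCCESS(s)               ((s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_INVALID_PARAMETER    ((NTSTATUS)0xC000000DL)
#define OBJ_KERNEL_HANDLE           0x00000200
#define PROCESS_QUERY_INFORMATION   0x0400
#define KernelMode                  0
#define ProcessBasicInformation     0
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus; PVOID PebBaseAddress; ULONG_PTR AffinityMask; KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId; ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef struct _EPROCESS { ULONG_PTR FakePid; } EPROCESS, *PEPROCESS; /* opaque fake, not the real layout */
static struct _OBJECT_TYPE ProcTypeObj;  static POBJECT_TYPE ProcType = &ProcTypeObj;
POBJECT_TYPE *PsProcessType = &ProcType;
static NTSTATUS ObOpenObjectByPointer(PVOID Obj, ULONG Attr, PACCESS_STATE As, ACCESS_MASK Acc,
                                      POBJECT_TYPE Type, KPROCESSOR_MODE Mode, HANDLE *Out)
{   (void)Attr; (void)As; (void)Acc; (void)Type; (void)Mode;
    if (Obj == NULL) return STATUS_INVALID_PARAMETER;
    *Out = Obj; return STATUS_SUCCESS;               /* the "handle" is just the pointer here */
}
static NTSTATUS ZwQueryInformationProcess(HANDLE H, int Cls, PVOID Buf, ULONG Len, ULONG *Ret)
{   PROCESS_BASIC_INFORMATION *pbi = (PROCESS_BASIC_INFORMATION *)Buf;
    if (Cls != ProcessBasicInformation || Len < sizeof(*pbi)) return STATUS_INFO_LENGTH_MISMATCH;
    memset(pbi, 0, sizeof(*pbi)); pbi->UniqueProcessId = ((PEPROCESS)H)->FakePid;
    *Ret = (ULONG)sizeof(*pbi); return STATUS_SUCCESS;
}
static NTSTATUS ZwClose(HANDLE H) { (void)H; return STATUS_SUCCESS; }
#endif

/* PID of the process that Process points at, obtained through the object manager: no
   EPROCESS offsets, so it survives service packs and checked/free builds. Call at
   PASSIVE_LEVEL. On failure *Pid stays 0 and the NTSTATUS is returned. */
NTSTATUS PidFromEprocess(PEPROCESS Process, ULONG_PTR *Pid)
{
    HANDLE handle = NULL;            ULONG returned = 0;
    PROCESS_BASIC_INFORMATION pbi;   NTSTATUS status;
    *Pid = 0;
    if (Process == NULL) return STATUS_INVALID_PARAMETER;
    /* Step 1: object pointer -> handle. OBJ_KERNEL_HANDLE keeps it out of the current
       process's handle table, so user mode can neither use nor close it. */
    status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, NULL, PROCESS_QUERY_INFORMATION,
                                   *PsProcessType, KernelMode, &handle);
    if (!NT_SUCCESS(status)) return status;
    /* Step 2: the documented query through that handle. */
    status = ZwQueryInformationProcess(handle, ProcessBasicInformation, &pbi, sizeof(pbi), &returned);
    if (NT_SUCCESS(status) && returned >= sizeof(pbi))
        *Pid = pbi.UniqueProcessId;
    else if (NT_SUCCESS(status))
        status = STATUS_INFO_LENGTH_MISMATCH;   /* short answer: treat as failure */
    ZwClose(handle);                             /* release the handle on every path */
    return status;
}
```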

I can think of an easier way, but I was looking for “sanctioned” or legal
ways of doing this. There apparently aren’t any.

Thanks for all the help everyone!!

Bill M.


Bill

Like so many things which one would think should be simple as pie, this one
is something of a black hole …
well anyway, in this space we are used to these things, eh?

Best Wishes
Lyndon

PS: Hint - cheat ;)


> I can think of an easier way…

Well, actually the way that I described is not that complex, is it? Of course there are “easier” ways - for example, the one that you have originally mentioned, i.e. getting the sought info right from the EPROCESS structure. Indeed, it looks easier, but it is not - your code has to check the OS version (because offsets may be different), plus you must be ready to provide an update of your product at any moment (because even a minor system update may shatter your product into pieces)…

> but I was looking for “sanctioned” or legal ways of doing this.

Please note that this way is fully “supported” - both ObOpenObjectByPointer() and NtQueryInformationProcess() are documented on MSDN (the latter is partly documented, although with a warning). In any case, this partial documentation covers the infoclass that you need here.
The only reason why I mentioned this way is because it is generic - you can use it in similar situations, so that you can obtain much more than just the PID, i.e. something that you need on this particular occasion…

Anton Bassov

I was going to give the answer Anton gave, but now that things are clear, I just want to congratulate him. The Object Manager took me out of trouble many times. As a rule, when you have a pointer to an undocumented structure and you want to obtain its name, attributes, etc., obtain a handle to it; Microsoft provides documented functions, which take a handle as parameter, for almost every query like this.

ZwQueryInformationProcess

[ZwQueryInformationProcess may be altered or unavailable in future versions
of Windows. Applications should use the alternate functions listed in this
topic.]

And of course no applicable alternates are ever listed.

This is not exactly documented right? I know about the Zw functions…I
was just wondering if there was a legal, sanctioned, approved, correct,
blessed way of getting this info. There is not…so there are now a dozen or
so ways I can solve the problem. And, I can pick the method of my liking as
they are all illegal.

Thanks.

Bill M.


But totally static in your case. Just pick easy…

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bill McKenzie
Sent: Monday, July 09, 2007 17:26
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] PID from EPROCESS on Win2K