Process and Thread ID


I want to know what process wants to open a file.
I am checking the process and thread ID in the preCreate routine.
Why am I getting two different process IDs and thread IDs?
I know that there are two IRP_MJ_CREATE since some process opens a file,
but why do they have different IDs?

My code:

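/* ID of the process that originated the I/O request */
processId = FltGetRequestorProcessId(Data);
/* ID of the thread the callback is currently running on */
threadId = HandleToULong( PsGetCurrentThreadId() );
DbgPrint("Process id: %lu thread Id: %lu\n", processId, threadId);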


Process id: 3028 thread Id: 2528
Process id: 3160 thread Id: 2520

If you are getting different process and thread IDs, the file is being opened by different processes and threads.

Some programs (e.g., Acrobat X) use two processes for doing their work and then use IPC between the two to communicate. In the case of Acrobat X, we’ve found that this is done for what seems to be security reasons (one process runs with a restricted token, while the other process runs with the user’s token.)

Other applications can use the same basic technique, albeit for different reasons.