OSR Developer Community

Process or Image Name

Scott_Noone_OSR May 6, 2011, 10:11am 21

Correct. On Win2K the PID was 8, ever since XP it’s been 4.

-scott

–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Bill Wandel” wrote in message news:xxxxx@ntdev…

The PID for System in Vista and higher is not 8. WIN7 is 4 and I am sure
that Vista is also 4.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@shcherbyna.com
Sent: Friday, May 06, 2011 6:37 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process or Image Name

Ah, you are calling this from System context. System is a special beast, a
better way will be to check for System pid manually, i.e.:

if (SystemPid(hPid))
{
// copy into path SystemRoot\Sytem yourself
}
else
{
// for normal, i.e. real processes:
// use your code as you do to get process path
}

PIDs for System are wellknown, they are 4 in XP and 8 in Vista and higher.
You can use PsGetCurrentProcessId(…) to get “current process pid”.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Rossetoecioccolato May 6, 2011, 10:16am 22

A dangerous supposition if you ask me.

On 5/6/2011 10:12 AM, Scott Noone wrote:

Correct. On Win2K the PID was 8, ever since XP it’s been 4.
-scott

Scott_Noone_OSR May 6, 2011, 10:35am 23

“Ever since” and “forever will be” are two different things.

-scott

–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Rossetoecioccolato” wrote in message news:xxxxx@ntdev…

A dangerous supposition if you ask me.

On 5/6/2011 10:12 AM, Scott Noone wrote:

Correct. On Win2K the PID was 8, ever since XP it’s been 4.
-scott

Ken_Johnson May 6, 2011, 11:37am 24

Please do not write code that depends on the system process having any particular process ID. This is certainly not a guarantee we make.

S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@shcherbyna.com
Sent: Friday, May 06, 2011 3:37 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process or Image Name

Ah, you are calling this from System context. System is a special beast, a better way will be to check for System pid manually, i.e.:

if (SystemPid(hPid))
{
// copy into path SystemRoot\Sytem yourself } else { // for normal, i.e. real processes:
// use your code as you do to get process path }

PIDs for System are wellknown, they are 4 in XP and 8 in Vista and higher. You can use PsGetCurrentProcessId(…) to get “current process pid”.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Volodymyr_M_Shcherbyna-2 May 6, 2011, 11:42am 25

>>Please do not write code that depends on the system process having any particular process ID. This is certainly not a guarantee we make. - S (Msft) <<

What will be the recommended by MS solution? Call PsGetCurrentProcessId (…) in DriverEntry and assume this is the System pid?

Ken_Johnson May 6, 2011, 11:48am 26

Invoking PsGetProcessId on PsInitialSystemProcess would be one of many supported ways to get the system process ID that doesn’t involve relying on things that may well change out from under you.

Could you elaborate a little bit on why you need to do this, however? Some of the cases I have seen involving a desire to special case the system process ID would have been better suited for some other mechanism.

S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@shcherbyna.com
Sent: Friday, May 06, 2011 8:42 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process or Image Name

>Please do not write code that depends on the system process having any particular process ID. This is certainly not a guarantee we make. - S (Msft) <<

What will be the recommended by MS solution? Call PsGetCurrentProcessId (…) in DriverEntry and assume this is the System pid?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Peter_Viscarola_OSR May 6, 2011, 12:28pm 27

That would be the mechanism I would use. DriverEntry is architecturally defined as running in the context of the system process.

Peter
OSR

Maxim_S_Shatskih May 12, 2011, 3:43pm 28

> So, you’re just trying random things? Did you even look at the

definition of the ImageFileName field? It’s not a UNICODE_STRING. It’s
not Unicode at all. It’s a plain, ordinary zero-terminated 8-bit string.

KdPrint((“Process name: %s\n”, ep->ImageFileName));

Yes, this is what Task Manager shows, at least in older Windows.

It is accessible via at least some ZwQueryInformationProcess call too.

In older Windows (pre-Vista? pre-7?) the only way to get the full EXE pathname was:

ZwQueryInformationProcess to get the PEB address
OpenProcess
ReadProcessMemory for RTL_USER_PROCESS_PARAMETERS (a companion to PEB)

This is how psapi!GetModuleFileNameEx worked in these Windows versions, and, BTW, ipnatsvc (the user-mode part of Windows Firewall) was using GetModuleFileNameEx to enforce pathname-based rules.

I think now there are some Zw or Ps calls to get this pathname.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com