Process Pointer from Process Id

ZwOpenProcess (undocumented). See the Native API Reference book by Gary
Nebbett.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Galipeau
Sent: Thursday, January 16, 2003 2:04 PM
To: File Systems Developers
Subject: [ntfsd] Process Pointer from Process Id

How can I get the PEPROCESS from a Process Id?

I tried using ObReferenceObjectByHandle (which works on a Thread
Id (Handle) to get the thread context, but does not for the process id).

Thanks,
Ken

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hmm no, it DOES take a process ID as input:

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

The ClientId parameter is a structure (defined in ntifs.h) that allows
you to specify a process ID to open. Once the function succeeds, call
ObReferenceObjectByHandle on the returned ProcessHandle to get at the
PEPROCESS.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Galipeau
Sent: Friday, January 17, 2003 7:48 AM
To: File Systems Developers
Subject: [ntfsd] RE: Process Pointer from Process Id

Thanks, but ZwOpenProcess returns a Process Id (Handle); it does not
take one as input.

Given that I already have a Process Id how can I get the PEPROCESS for
it?

Ken


You can try the undocumented PsLookupProcessByProcessId function. It is easy to
find the prototype using a disassembler. It works on XP, I’m not sure about other
OS versions. The ZwOpenProcess way is probably safer if you can afford it.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]


Thanks, but ZwOpenProcess returns a Process Id (Handle); it does not take
one as input.

Given that I already have a Process Id how can I get the PEPROCESS for it?

Ken


Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]


From: xxxxx@legato.com[SMTP:xxxxx@legato.com]
Reply To: xxxxx@lists.osr.com
Sent: Friday, January 17, 2003 4:48 PM
To: xxxxx@lists.osr.com
Subject: [ntfsd] RE: Process Pointer from Process Id


Ken,

No surprise there - your buffers are probably located in kernel mode, while
your “previous mode” when you called NtOpenProcess was most likely “user
mode”. So they failed in a parameter check, since user processes should not
be passing in kernel buffers. When you use ZwOpenProcess you trap back into
the kernel and set the “previous mode” to “kernel mode”.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

-----Original Message-----
From: Ken Galipeau [mailto:xxxxx@legato.com]
Sent: Friday, January 17, 2003 5:56 PM
To: File Systems Developers
Subject: [ntfsd] RE: Process Pointer from Process Id

I was getting process id confused with process handle and thought they were
the same.

It is interesting that ZwOpenProcess works but NtOpenProcess (Someone else
suggested it) does NOT. It always returns STATUS_ACCESS_VIOLATION.

Thanks,

Ken


I guess this is expected behavior. NtOpenProcess expects user mode allocated
buffers and hence none of the Nt calls would work in kernel mode. Though there is
a workaround for it: you can allocate user mode memory in kernel mode and make
use of all Nt calls.

-----Original Message-----
From: Ken Galipeau [mailto:xxxxx@legato.com]
Sent: Friday, January 17, 2003 2:56 PM
To: File Systems Developers
Subject: [ntfsd] RE: Process Pointer from Process Id

I was getting process id confused with process handle and thought they were
the same.

It is interesting that ZwOpenProcess works but NtOpenProcess (Someone else
suggested it) does NOT. It always returns STATUS_ACCESS_VIOLATION.

Thanks,
Ken


Try using the PsLookupProcessByProcessId routine. It works in most of the
cases. Here's the proto:

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
IN PVOID ProcessId,
OUT PEPROCESS *Process
);

----- Original Message -----
From: Ken Galipeau
To: File Systems Developers
Sent: Friday, January 17, 2003 12:03 AM
Subject: [ntfsd] Process Pointer from Process Id

How can I get the PEPROCESS from a Process Id?

I tried using ObReferenceObjectByHandle (which works on a Thread Id (Handle)
to get the thread context, but does not for the process id).

Thanks,
Ken


Can I ask what you mean by "Most Cases"?
Thanks,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexey Logachyov
Sent: Sunday, January 19, 2003 5:40 AM
To: File Systems Developers
Subject: [ntfsd] Re: Process Pointer from Process Id

Try using the PsLookupProcessByProcessId routine. It works in most of the
cases. Here's the proto:

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
IN PVOID ProcessId,
OUT PEPROCESS *Process
);


If you set up a notification routine with PsSetCreateProcessNotifyRoutine, you
won’t be able to use PsLookupProcessByProcessId when the process is shut down
(i.e. when Create is FALSE). It seems like the process is already removed from
internal tables by that time.

----- Original Message -----
From: “Ken Galipeau”
To: “File Systems Developers”
Sent: Tuesday, January 21, 2003 2:15 AM
Subject: [ntfsd] Re: Process Pointer from Process Id

> Can I ask what you mean by “Most Cases”?
> Thanks,
> Ken

Like Itai Shaham said in another posting, don’t forget to call
ObDereferenceObject on the Process variable returned from
PsLookupProcessByProcessId when you don’t need it anymore. Otherwise the process
object will not be released. This will cause the system to run out of process
IDs. I watched this behaviour on Windows 2000 Server. The system looks partially
hung because it cannot spawn any new process. However, Windows 2000
Professional looked to cope somehow with this problem.

----- Original Message -----
From: “Alexey Logachyov”
To: “File Systems Developers”
Sent: Tuesday, January 21, 2003 10:00 AM
Subject: [ntfsd] Re: Process Pointer from Process Id

> If you set up a notification routine with PsSetCreateProcessNotifyRoutine, you
> won’t be able to use PsLookupProcessByProcessId when the process is shut down
> (i.e. when Create is FALSE). It seems like the process is already removed from
> internal tables by that time.

Hello,

First, I have to make clear that this function is undocumented and that
I do not recommend using it on serious and stable software. Second, here
is the function prototype:

NTKERNELAPI
NTSTATUS
NTAPI
PsLookupProcessByProcessId(IN ULONG ProcessId,
                           OUT PKPROCESS* Process);

Best regards,

Albert Almeida

Through some testing I found that PsLookupProcessByProcessId does fail
inside a PsSetCreateProcessNotifyRoutine on NT4 and Win2k, but not XP, when
it is not a create. I also found that ZwOpenProcess behaves the same way,
failing in NT4 and Win2k but not XP.

Thanks for the tip about doing the Dereference!

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexey Logachyov
Sent: Tuesday, January 21, 2003 5:23 AM
To: File Systems Developers
Subject: [ntfsd] Re: Process Pointer from Process Id

Like Itai Shaham said in another posting, don’t forget to call
ObDereferenceObject on the Process variable returned from
PsLookupProcessByProcessId when you don’t need it anymore. Otherwise the process
object will not be released. This will cause the system to run out of process
IDs. I watched this behaviour on Windows 2000 Server. The system looks partially
hung because it cannot spawn any new process. However, Windows 2000
Professional looked to cope somehow with this problem.

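Both routes the thread settles on (ZwOpenProcess followed by ObReferenceObjectByHandle, or PsLookupProcessByProcessId directly) leave the caller holding one reference on the process object, and the process-ID exhaustion Alexey Logachyov describes is what happens when that reference is never given back with ObDereferenceObject. The block below is an added example, not code from the thread or from any of its posters: a host-side C model of those reference-counting rules, with model_* names standing in for the kernel routines named in the comments and a constructed four-slot PID space so the failure shows up after a few cycles. It compiles with any C compiler and touches nothing in the kernel; it shows how the handle route nets out to a single pointer reference, why a lookup by id fails once the process has exited, and how skipping the dereference pins PIDs until the system can no longer create a process.

```c
/* Added example, not driver code: a host-side C model of the NT object-lifetime rules
 * behind this thread. Each model_* routine is an analogue of the kernel routine named
 * in its comment; nothing here calls the kernel. */
#include <stdbool.h>
#include <string.h>

#define MAX_PROCESSES 4   /* constructed: a tiny PID space makes exhaustion visible */
#define MAX_HANDLES   8
typedef struct {
    bool allocated;   /* PID slot still owned by an unfreed object */
    bool alive;       /* process has not exited; lookup by id still succeeds */
    long refcount;    /* process's own ref + one per open handle + one per pointer */
} EPROCESS_MODEL;
static EPROCESS_MODEL g_processes[MAX_PROCESSES];
static EPROCESS_MODEL *g_handles[MAX_HANDLES];   /* handle table, NULL = free slot */

void model_reset(void) {
    memset(g_processes, 0, sizeof g_processes);
    memset(g_handles, 0, sizeof g_handles);
}

/* Process creation: returns a PID, or 0 when every PID is held by an unfreed object. */
int model_create_process(void) {
    for (int i = 0; i < MAX_PROCESSES; i++) {
        EPROCESS_MODEL *p = &g_processes[i];
        if (p->allocated) continue;
        p->allocated = p->alive = true;
        p->refcount = 1;   /* the running process's own reference */
        return i + 1;
    }
    return 0;
}

/* ObDereferenceObject analogue: at zero the object, and with it its PID, is freed. */
void model_dereference_object(EPROCESS_MODEL *p) {
    if (p && --p->refcount == 0) p->allocated = false;
}

/* PsLookupProcessByProcessId analogue: NULL once the process has exited (Create == FALSE case). */
EPROCESS_MODEL *model_lookup_process_by_id(int pid) {
    if (pid < 1 || pid > MAX_PROCESSES) return NULL;
    EPROCESS_MODEL *p = &g_processes[pid - 1];
    if (!p->allocated || !p->alive) return NULL;
    p->refcount++;
    return p;
}

/* Process exit: the id stops resolving, but the object lives until its last reference goes. */
void model_exit_process(int pid) {
    EPROCESS_MODEL *p = model_lookup_process_by_id(pid);
    if (!p) return;
    p->alive = false;
    p->refcount--;                 /* drop the lookup's temporary reference */
    model_dereference_object(p);   /* then the process's own reference */
}

/* ZwOpenProcess analogue: the new handle owns one reference. Returns a 1-based handle or 0. */
int model_open_process(int pid) {
    EPROCESS_MODEL *p = model_lookup_process_by_id(pid);
    if (!p) return 0;
    for (int h = 0; h < MAX_HANDLES; h++)
        if (!g_handles[h]) { g_handles[h] = p; return h + 1; }
    model_dereference_object(p);   /* handle table full: hand the reference back */
    return 0;
}
/* ObReferenceObjectByHandle analogue: the pointer gets its own, separate reference. */
EPROCESS_MODEL *model_reference_object_by_handle(int handle) {
    if (handle < 1 || handle > MAX_HANDLES || !g_handles[handle - 1]) return NULL;
    g_handles[handle - 1]->refcount++;
    return g_handles[handle - 1];
}
/* ZwClose analogue: releases only the handle's reference. */
void model_close_handle(int handle) {
    if (handle < 1 || handle > MAX_HANDLES || !g_handles[handle - 1]) return;
    model_dereference_object(g_handles[handle - 1]);
    g_handles[handle - 1] = NULL;
}

/* The handle route from the thread: open, reference by handle, close the handle. */
EPROCESS_MODEL *model_reference_process_by_id(int pid) {
    int h = model_open_process(pid);
    if (!h) return NULL;
    EPROCESS_MODEL *p = model_reference_object_by_handle(h);
    model_close_handle(h);   /* the caller's pointer reference outlives the handle */
    return p;
}

/* Run `cycles` short-lived processes, each looked up once by id. Skipping the dereference
 * keeps every exited process's PID allocated, so creation starts failing after
 * MAX_PROCESSES cycles. Returns how many processes were actually created. */
int model_run_lifecycles(int cycles, bool leak_reference) {
    model_reset();
    int created = 0;
    for (int i = 0; i < cycles; i++) {
        int pid = model_create_process();
        if (!pid) break;
        created++;
        EPROCESS_MODEL *p = model_reference_process_by_id(pid);
        if (!leak_reference) model_dereference_object(p);
        model_exit_process(pid);
    }
    return created;
}
```

model_run_lifecycles(10, false) returns 10, while model_run_lifecycles(10, true) returns 4: every leaked reference pins one PID, which is the "cannot spawn any new process" state reported on Windows 2000 Server. The discipline the model enforces is the same one a driver needs: exactly one ObDereferenceObject for every successful PsLookupProcessByProcessId or ObReferenceObjectByHandle, and a ZwClose for every handle ZwOpenProcess returned, with the dereference placed on every exit path of the routine that obtained the pointer.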