process's open files

Hi,

I am trying to find all the open files of a user process by looking at the eprocess structure,
but it seems to me that there is no such file object information in eprocess.
VAD seems to be another data structure that I can use to track down all the open files.
Does anyone have any idea?

Thanks,
Wencheng

Wencheng,

The only way I can think of that would do this reliably is to look at
the object handle table for the process.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources Inc.

http://www.osr.com


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Tony,

I cannot find any information on _HANDLE_TABLE; could you please shed some light on that
data structure? Does the table contain the addresses of file objects?

Thanks,
Wencheng



Wencheng,

I think you're moving down a rather murky path. Clearly, others have done this (witness Sysinternals and their open handle utilities) but I worry that they have used undocumented APIs or perhaps direct access to the data structures themselves.

The only thing I could see tangentially is the NtQueryInformationProcess call has support for a debug handle function, but I don't think that's quite what you are looking for.

Perhaps someone else has more insight into walking the process handle table in a safe (programmatic) fashion.

Sorry I can't help.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources Inc.



Tony,

Thank you very much for your notes. I always think that it is the fun part of exploring a murky path :)

Wencheng



You should have a look at the Gary Nebbett book about the Windows NT/2000 Native API, methinks.

Will do, thank you very much for your help!



> I try to find all the open files of a user process by looking at eprocess structure,
> but it seems to me that there is no such information of file object in eprocess.

There IS such information in the EPROCESS structure.
You may get the offset of the handle table pointer by disassembling some
kernel function.
But remember, the handle table offset within EPROCESS varies between
different Windows versions.

L.

Ladislav Zezula wrote:

> There IS such information in the EPROCESS structure.
> You may get the offset of the handle table pointer by disassembling some
> kernel function.
> But remember, the handle table offset within EPROCESS varies between
> different Windows versions.

Even if you could do this reliably (and I don’t think you can) it would
not give you all of the open files, only the open handles.

Consider:

fileHandle = CreateFile(…);
sectionHandle = CreateFileMapping(fileHandle, …);
CloseHandle(fileHandle);
view = MapViewOfFile(sectionHandle, …);
CloseHandle(sectionHandle);

At this point, the process still has the file open (because the file
object is referenced by the section object) and the section object open
(because the section object is referenced by the process VAD) but it
does not have any open handles referencing the file or the section.

If all you need is the open *handles*, the best way to get these from
kernel-mode is using ZwQuerySystemInformation( SystemHandleInformation )
API. This requires less “undocumented voodoo” than grovelling around in
the EPROCESS structure.

KM

P.S. I tried to send this earlier, and it never showed up on the list.
Many apologies if this is a duplicate…
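As an added example (not code from the thread or from any of its posters), here is the user-mode side of the approach KM recommends: a portable parser for the buffer that SystemHandleInformation returns, checked against a constructed sample, plus, when built on Windows, a small main() that calls NtQuerySystemInformation through ntdll and lists the handle-table entries of one PID. The SYSTEM_HANDLE_TABLE_ENTRY_INFO and SYSTEM_HANDLE_INFORMATION layouts, the class value 16 and the STATUS_INFO_LENGTH_MISMATCH retry loop are long-known but undocumented conventions, not anything the thread or Microsoft documents; the function names (handles_for_pid, sample_count) and the sample entries are this example's own. Its closing line repeats the caveat from the message above: a file that a process holds only through a section mapped into its VAD never appears here, because nothing in the handle table references it.

```c
/* Added example, not code from the thread: list one process's open handles from
 * the buffer NtQuerySystemInformation(SystemHandleInformation) returns (the
 * user-mode twin of the Zw call recommended above).  The struct layouts and the
 * class value 16 are long-known but undocumented, not a Microsoft contract.  The
 * parser is portable and is checked on a constructed buffer; only main(), built
 * under _WIN32, makes the real call. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SystemHandleInformation 16   /* SYSTEM_INFORMATION_CLASS value, undocumented */

typedef struct {                /* one handle-table entry as the kernel reports it */
    uint16_t UniqueProcessId;   /* 16 bits only; SystemExtendedHandleInformation widens it */
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;   /* object-type index; its numbering varies by OS version */
    uint8_t  HandleAttributes;
    uint16_t HandleValue;
    void    *Object;            /* kernel address of the object body */
    uint32_t GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct {
    uint32_t NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION;

/* Copy the entries belonging to `pid` into `out` (at most `max`).  Returns how
 * many the buffer holds, or -1 when it is shorter than the count it announces. */
long handles_for_pid(const void *buf, size_t len, uint16_t pid,
                     SYSTEM_HANDLE_TABLE_ENTRY_INFO *out, size_t max)
{
    const unsigned char *p = (const unsigned char *)buf;
    size_t hdr = offsetof(SYSTEM_HANDLE_INFORMATION, Handles);
    uint32_t n;
    long found = 0;
    if (len < hdr) return -1;
    memcpy(&n, p, sizeof n);                 /* memcpy: the buffer may be unaligned */
    if (n > (len - hdr) / sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO)) return -1;
    for (uint32_t i = 0; i < n; i++) {
        SYSTEM_HANDLE_TABLE_ENTRY_INFO e;
        memcpy(&e, p + hdr + i * sizeof e, sizeof e);
        if (e.UniqueProcessId != pid) continue;
        if ((size_t)found < max) out[found] = e;
        found++;
    }
    return found;
}

/* Constructed sample reply (not real data): three entries, two for PID 1234,
 * parsed with `cut` bytes chopped off its end (0 = intact) to exercise the check. */
long sample_count(uint16_t pid, size_t cut)
{
    SYSTEM_HANDLE_TABLE_ENTRY_INFO out[8], e[3] = {
        {1234, 0, 0x1c, 0, 0x0044, (void *)(uintptr_t)0x8AABBCC0, 0x00120089},
        {4,    0, 0x1c, 0, 0x0010, (void *)(uintptr_t)0x8AABBDD0, 0x00100001},
        {1234, 0, 0x24, 0, 0x0048, (void *)(uintptr_t)0x8AABBEE0, 0x001F0003},
    };
    unsigned char buf[sizeof(SYSTEM_HANDLE_INFORMATION) + sizeof e];
    size_t hdr = offsetof(SYSTEM_HANDLE_INFORMATION, Handles), len = hdr + sizeof e;
    uint32_t n = 3;
    memset(buf, 0, hdr);                     /* zero the padding after the count */
    memcpy(buf, &n, sizeof n);
    memcpy(buf + hdr, e, sizeof e);
    return cut < len ? handles_for_pid(buf, len - cut, pid, out, 8) : -1;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

int main(int argc, char **argv)
{
    static SYSTEM_HANDLE_TABLE_ENTRY_INFO out[4096];
    NtQSI_t q = (NtQSI_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    uint16_t pid = (uint16_t)(argc > 1 ? strtoul(argv[1], NULL, 10) : GetCurrentProcessId());
    size_t cap = 1 << 16;
    void *buf = NULL, *grown;
    ULONG ret = 0;
    LONG st;
    if (!q) return 1;
    /* Retry with a doubled buffer while the kernel reports STATUS_INFO_LENGTH_MISMATCH
     * (0xC0000004); the handle table can grow between two calls. */
    do {
        if (!(grown = realloc(buf, cap *= 2))) return 1;
        buf = grown;
        st = q(SystemHandleInformation, buf, (ULONG)cap, &ret);
    } while (st == (LONG)0xC0000004);
    if (st < 0) return 1;
    long n = handles_for_pid(buf, ret, pid, out, 4096);
    for (long i = 0; i < n && i < 4096; i++)
        printf("handle 0x%04x type %u access 0x%08x object %p\n", out[i].HandleValue,
               out[i].ObjectTypeIndex, out[i].GrantedAccess, out[i].Object);
    printf("%ld handle(s) for pid %u; a file held only via a section/VAD is not listed\n",
           n, (unsigned)pid);
    free(buf);
    return 0;
}
#endif
```

On Windows, build it with any C compiler and pass a PID as the single argument; the system-wide listing needs no special privilege, which is one reason it is a handy triage source for "what does this process hold open". Two limits worth knowing before relying on it: UniqueProcessId is a 16-bit field in this class, so PIDs above 65535 are truncated (SystemExtendedHandleInformation carries full-width fields), and ObjectTypeIndex is an index whose numbering differs between Windows versions, so a tool that wants only file handles has to learn the "File" type index on the running system rather than hard-code it.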

There is actually a mechanism to turn on “file object” tracking (via the
object manager) but it is a huge performance hit (as in “nobody would
want to use this system” type performance hit).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources Inc
http://www.osr.com
