Hi all,
In my filter driver, I would like to get the process name using PsGetProcessImageFileName, but it is not documented. Can anyone tell me the pros and cons of using PsGetProcessImageFileName?
regards,
venugopal.d
IIRC this only returns the short name (without directory path), it is ANSI
and is limited to 8.3. These are the names you see in Task Manager.
PsGetProcessImageFileName just returns the EPROCESS field, which has all of
the above limitations.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
There is an article in a fairly recent issue of the OSR Insider that
describes the general problem of process name. I haven’t read it, but
the chances are very small that it is not largely accurate and useful.
If you’re looking for information with a more philosophical bent,
consider searching the osronline archives, as this one is way up there
on the long thread list, and there is more than you could have ever
possibly wished to know.
mm
>> xxxxx@storagecraft.com 2007-05-10 07:27:57 >>>
IIRC this only returns the short name (without directory path), it is
ANSI
and is limited to 8.3. These are the names you see in Task Manager.
PsGetProcessImageFileName just returns the EPROCESS field, which
has all of
the above limitations.
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@evitechnology.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
If you’re using it for anything other than casual information, it’s not good
enough – certainly not good enough for any kind of security or application
verification.
However, if you just want to include it in debug messages (as I do), then
you have to make sure it’s available in the running kernel. It’s used like
this:
// Declaration
typedef PCHAR (*GET_PROCESS_IMAGE_NAME)(PEPROCESS Process);
GET_PROCESS_IMAGE_NAME gGetProcessImageFileName;

// In DriverEntry or something
UNICODE_STRING sPsGetProcessImageFileName = RTL_CONSTANT_STRING(L"PsGetProcessImageFileName");
gGetProcessImageFileName = (GET_PROCESS_IMAGE_NAME)MmGetSystemRoutineAddress(&sPsGetProcessImageFileName);

// To use it
if (NULL != gGetProcessImageFileName)
{
    PCHAR pImageName = gGetProcessImageFileName(PsGetCurrentProcess());
    if (NULL != pImageName)
    {
        // ... Simple image name in pImageName – up to 15 ASCII characters + terminating null
    }
}
HTH,
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@patni.com
Sent: Thursday, May 10, 2007 7:21 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] PsGetProcessImageFileName
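To make the "not good enough for security verification" point concrete, here is an added user-mode simulation (not code from the thread or from Windows) of how the EPROCESS image-name field that PsGetProcessImageFileName returns is populated: the final path component only, cut to 15 ANSI characters plus a terminating null. The copy logic and the sample paths are constructed for illustration; two different executables with the same file name, or a long name whose extension is cut off, produce the same or an ambiguous short name, which is why a filter driver must not base policy decisions on it.

```c
/* Added example: simulate the 16-byte EPROCESS image-name field (15 chars + NUL).
 * The copy rule is a model of the observed behaviour, not Microsoft source. */
#include <stdio.h>
#include <string.h>

#define IMAGE_NAME_LEN 15   /* characters kept; the field is 16 bytes with the NUL */

/* Fill out[16] with the short image name derived from a full image path:
 * drop the directory, keep at most 15 bytes, always NUL-terminate. */
void fill_short_image_name(const char *full_path, char out[IMAGE_NAME_LEN + 1])
{
    const char *base = strrchr(full_path, '\\');
    base = base ? base + 1 : full_path;          /* final path component only */
    strncpy(out, base, IMAGE_NAME_LEN);          /* truncation happens here */
    out[IMAGE_NAME_LEN] = '\0';
}

/* 1 when two distinct image paths are indistinguishable by the short name. */
int short_names_collide(const char *path_a, const char *path_b)
{
    char a[IMAGE_NAME_LEN + 1], b[IMAGE_NAME_LEN + 1];
    fill_short_image_name(path_a, a);
    fill_short_image_name(path_b, b);
    return strcmp(a, b) == 0 && strcmp(path_a, path_b) != 0;
}

int main(void)
{
    /* Constructed sample paths. */
    const char *sys = "C:\\Windows\\System32\\svchost.exe";
    const char *usr = "C:\\Users\\Public\\svchost.exe";
    const char *lng = "C:\\Program Files\\Vendor\\VendorUpdateService.exe";
    char name[IMAGE_NAME_LEN + 1];

    fill_short_image_name(sys, name);
    printf("%-48s -> \"%s\"\n", sys, name);   /* "svchost.exe" */
    fill_short_image_name(lng, name);
    printf("%-48s -> \"%s\"\n", lng, name);   /* "VendorUpdateSer": extension lost */
    printf("system32 vs Public svchost collide: %d\n", short_names_collide(sys, usr));
    return 0;
}
```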
Some of MS's kernel mode software - like XP SP2's firewall (ipnat.sys), which
can use EXE pathnames in rules - uses proxying to user mode (ipnathlp.dll),
which calls the documented psapi!GetModuleFileNameEx to get this pathname.
In turn, psapi!GetModuleFileNameEx calls NtQueryInformationProcess to get
the PEB address of the target, and then ReadProcessMemory to read the PEB and
its accompanying structure of RTL_USER_PROCESS_PARAMETERS. The full pathname is
there.
I also think XP and later have the info code for NtQueryInformationProcess
to get the same, so the full path is now kept in the kernel somewhere.
Another way is with hooking: hook the NtCreateSection syscall in kmode, monitor
only SEC_IMAGE calls and thus maintain a map of SectionHandle -> FileObject.
Then also hook NtCreateProcess, take the section handle from its
parameters, do the map lookup and then send MJ_QUERY_INFORMATION down this file
object to get the pathname.
Unfortunately, you cannot get the EXE file object from EPROCESS or the
section object using documented ways.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
“Martin O’Brien” wrote in message
news:xxxxx@ntfsd…
Hi all,
Thanks for your prompt replies. I am looking into the possibilities given by you people. If I find something more, I will let you know.
regards,
venugopal.d
> In turn, psapi!GetModuleFileNameEx calls NtQueryInformationProcess to get
the PEB address of the target, and then ReadProcessMemory to read the PEB and
its accompanying structure of RTL_USER_PROCESS_PARAMETERS. The full pathname is
there.
This is how it works on W2K…
> I also think XP and later have the info code for NtQueryInformationProcess to get the same,
Correct - this is how it works on XP and above (IIRC, infoclass is 0x1B).
Anton Bassov