> why not getting the ProcessID and sending it to user mode and get
> back again the full path with the help of user mode APIs…

Depends on how reliable you want this information to be.
As I wrote in one of my previous posts, I can make a program
that completely fakes this information and pretends it’s
C:\Windows\Explorer.exe.
If you find a way to do it in the kernel, then it’s harder
to fake.
L.