Reference current process in the close path

Hi, All,

I have an FS filter driver in which I need to monitor IRP_MJ_CLOSE.
When I decide that the file needs further processing, I have to get the user
SID. In order to do that, at some point I call ZwOpenProcessToken using
the following code:

    if (KeGetCurrentIrql() < DISPATCH_LEVEL)
    {
        Status = ZwOpenProcessToken(NtCurrentProcess(), TOKEN_READ, &TokenHandle);
    }

In very rare situations, my driver got an access violation inside
ZwOpenProcessToken. So my question is: is it safe to reference
the current process in the file close path? If not, what’s the reason?
(The process terminates before the close?) And how can I get the user
SID in the close path?

Thanks a lot.

Chendong




You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,
I couldn’t find any info on ZwOpenThreadToken. Where is it? The DDK has nothing
to say on this.

