The problem: How to get current process full image path?

Though this problem has been discussed many times before, there wasn’t
a clear universal method that works across multiple OS versions. Though the
undocumented class (ProcessImageFileName) was provided in XP, in win2000
there wasn’t a very good method except
PEB->ProcessParameters->imagePathName. So does anyone have a good solution?

macro wrote:

> Though this problem has been discussed many times before, there wasn’t
> a clear universal method that works across multiple OS versions. Though the
> undocumented class (ProcessImageFileName)

PsProcessImageFileName is in w2k in one of the post sp4 updates. You can
use it if you can verify that the needed updates are installed.

OR

You could use IoGetRequestorProcessId to get the PID from the IRP and
pass that to usermode. There, you can then use OpenProcess,
EnumProcessModules, and GetModuleBaseName OR GetModuleFileNameEx.

Leave the PEB alone, that is hackery and you run a high risk of your
driver breaking.

m

> was provided in XP, in win2000
> there wasn’t a very good method except
> PEB->ProcessParameters->imagePathName. So does anyone have a good solution?


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I have tested the method too. But the path the function output wasn’t the
full path, only the process name.

Which method are you talking about? The PsProcessImageFileName just
returns a filename I think (like what you see in taskmanager); however
I’ve never used it because it’s undocumented. Try to stay away from that
stuff…

The usermode thing will give you a full path though…

m

You have two choices, use the PsSetCreateProcessNotifyRoutine and
PsSetLoadImageNotifyRoutine to build a table in your driver or call into
user space with the PID and get the path there.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

The “C vs C++” debate going on at the same time as the “how do I get the
process name” one? This has to be some sort of cruel joke…

PLEASE read the archives. This topic was covered on NTFSD two weeks ago.

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hey Scott,

I have this driver, and sometimes it doesn’t work… It deadlocks the
system. Can you tell me why?

:-)

Just kidding!!! Don’t have a heart attack…

m

P.S. sorry for starting WW-IV (still, the guy shouldn’t be using
unsupported technologies and then posting to the list when his driver
doesn’t work).

You are continuing WW-IV. Of course he can ask about how to use C++ in the
kernel. Perfectly legitimate question.

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

Sorry, wasn’t trying to perpetuate the argument (was just trying to be a
smart-ass). I’ve actually had a change in opinion on using C++ in the
kernel over the last day or two.

I still believe it should be avoided for the most part, however after
reading some of the expert posts on the matter, I believe it should only
be used by people that fully understand the pitfalls and consequences of
doing so. Didn’t think the OP did.

Hope this topic dies off… Last I’ll speak of it…

m.

I think Don’s method will be more universal…

> undocumented class(ProcessImageFileName) was provided in XP

I think it is 8.3 ANSI file name (as Task Manager shows) and not full path
name.

> there wasn’t a very well method except the
> PEB->ProcessParameters->imagePathName.

I don’t think there are any other ways. PSAPI’s GetModuleFileNameEx uses this,
and Windows Firewall also uses this (it relies on PSAPI).

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> You have two choices, use the PsSetCreateProcessNotifyRoutine and
> PsSetLoadImageNotifyRoutine to build a table in your driver or call into
> user space with the PID and get the path there.

Yes, this is a best way - nothing undocumented at least.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

If he is wanting this info solely in the kernel enviro, this is the
best. However for this to work right this needs to be a boot start driver.

I do have a gripe with PsSetLoadImageNotifyRoutine - it returns the true
path for the first instance (primary image) it processes, then it returns
in its pathname a bunch of symbolic links for dependencies. The amount of
processing required here to get dos paths is a little more than what it
costs to have userland do this work with a PID. Or perhaps there is a
fundamental concept with this function’s callback that I’ve yet to learn.

Don or Max, is there a great way to get the DOS path for dependency
files this function outputs (other than ZW routines)?

m.

> Don or Max, is there a great way to get the DOS path for dependency
> files this function outputs (other than ZW routines).

I would suggest to never use any drive letters in the kernel side of the
project.

Use \?\Volume{guid} instead.

Reasons:

  • the same volume can have several mount points, and the EXE can be launched
    from any. My way will handle the EXE launched from the mount point the same way
    as EXE launched from the drive letter. Other ways will not.
  • just more architecturally correct and easier to implement.

So, all IOCTL interfaces to the driver (to manage the permission rules table
and such) should use the volume GUID names. The UI - or the driver IOCTL
wrapper DLL - must convert any drive letters to GUID names.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Meanwhile over in ntfsd today we have …

* i cant see the reads/writes (memory mapped file)
* i cant get the filename after create
* how do i detect copy

Another perfect month!

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com

What about automatic solution? Bayesian filtering is very successful to filter spam. The same technique could be used at listserv to detect these annoying mails and instead of forwarding them to the list it’d reply “RTFM”, “read FAQ” or “search archives” to the sender. Filter would be taught by list slaves the same way as spam filter – they’d simply mark such messages and filter would learn.

BTW, current C versus C++ debate was probably the first interesting and useful within past 10 years.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


Personally I think that the tried and true method of public derision is the way
to go. However, if anyone wants to volunteer to be in charge of getting this
to work on our list server then feel free to mail me off list :-)

Regards,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com

It works but I’m still surprised how many people are trying to answer the same stupid questions again and again.

Well, 5 years ago I’d try it but now I’m afraid I already entered the post-developer phase. Have ideas and need somebody to implement them ;-)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


Yes Max, I’m aware of that.

I wasn’t being clear, sorry… What I was getting at is if the OP needs
a full pathname (dos style I assume), the table created from
PsSetLoadImage… and PsSetCreateProcess… is kinda hard to work with.
The file name returned from PsSetLoadImageNotify returns a full path for
the base image (like “\Device\HardDisk01\winnt\somefile.exe”).
That is easy to turn into a Dos name, in User OR Kernel land…

Then, the callbacks generated from somefile.exe loading its
dependencies are shown like “\SystemRoot\winnt\some.dll”,
“\Winnt\system32\some.OCX”, “\Program Files\folder\subfolder\2ndloaded.dll”.
These returned FileNames are a pain to deal with.

When I asked, “Don or Max, is there a great way to get the DOS paths for
dependency files” - I was referring to the situation above. This is why I
recommended he use IoGetRequestorProcessId in conjunction with a helper
service. Seems the overhead of letting usermode convert the PID returned from
IoGetRequestorProcessId is less overhead than parsing
“\Winnt\system32\some.OCX” or “\Program Files\folder\subfolder\2ndloaded.dll”
and then calling ZwQuery routines, then calling RtlVolumeDeviceToDosName.

Let me rephrase finally, can symbolic FileNames (paths actually)
returned by PsSetLoadImageNotifyRoutine be converted into something that
can be easily converted to Dos names (kernel or user)? I’m thinking/hoping
I’m over complicating a simple thing…

Hope you understand what I’m asking, I’m extremely tired and having
problems articulating this, my apologies…

m
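
The path problem raised in the last messages, as an added example (not code from any poster in this thread): image names arrive in several forms, and the advice given earlier is to key everything on volume GUID names. The function and table names, the sample device-to-GUID table, the `\SystemRoot` target and the plain `char` strings (instead of `UNICODE_STRING`) are assumptions made so the code runs anywhere.

```c
/* Added example: canonicalise image names, as a load-image callback may
 * report them, to one volume-GUID form. All table values are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum norm_status { NORM_OK, NORM_NO_VOLUME, NORM_UNKNOWN_DEVICE, NORM_TOO_LONG };

struct vol_map {
    const char *nt_device;   /* e.g. \Device\HarddiskVolume1 */
    const char *volume_guid; /* e.g. \\?\Volume{...}          */
};

/* Constructed sample table; a real one is supplied by the user-mode side. */
static const struct vol_map SAMPLE_MAP[] = {
    { "\\Device\\HarddiskVolume1",  "\\\\?\\Volume{00000000-0000-0000-0000-00000000000a}" },
    { "\\Device\\HarddiskVolume10", "\\\\?\\Volume{00000000-0000-0000-0000-00000000000b}" },
};
#define SAMPLE_MAP_LEN (sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0])
/* Assumed target of the \SystemRoot link on the sample machine. */
static const char SAMPLE_SYSTEM_ROOT[] = "\\Device\\HarddiskVolume1\\WINNT";

/* Length of `prefix` if `s` starts with it (case-insensitive) AND the match
 * ends on a component boundary, else 0. The boundary test keeps
 * ...Volume1 from matching ...Volume10. */
static size_t ci_prefix(const char *s, const char *prefix)
{
    size_t n = 0;
    for (; prefix[n] != '\0'; n++)
        if (tolower((unsigned char)s[n]) != tolower((unsigned char)prefix[n]))
            return 0;
    return (s[n] == '\\' || s[n] == '\0') ? n : 0;
}

enum norm_status normalize_image_name(const char *name,
                                      const struct vol_map *map, size_t nmap,
                                      const char *system_root,
                                      char *out, size_t outlen)
{
    char expanded[512];
    size_t n, i;
    int w;

    /* 1. Expand the \SystemRoot symbolic link to a device path first. */
    if ((n = ci_prefix(name, "\\SystemRoot")) != 0) {
        w = snprintf(expanded, sizeof expanded, "%s%s", system_root, name + n);
        if (w < 0 || (size_t)w >= sizeof expanded)
            return NORM_TOO_LONG;
        name = expanded;
    }
    /* 2. A volume-relative name (\Winnt\..., \Program Files\...) does not say
     *    which volume it is on: report that instead of guessing one. */
    if (ci_prefix(name, "\\Device") == 0)
        return NORM_NO_VOLUME;
    /* 3. Swap the device prefix for the volume GUID name. */
    for (i = 0; i < nmap; i++) {
        if ((n = ci_prefix(name, map[i].nt_device)) != 0) {
            w = snprintf(out, outlen, "%s%s", map[i].volume_guid, name + n);
            return (w < 0 || (size_t)w >= outlen) ? NORM_TOO_LONG : NORM_OK;
        }
    }
    return NORM_UNKNOWN_DEVICE;
}

int main(void)
{
    static const char *inputs[] = {   /* constructed sample names */
        "\\Device\\HarddiskVolume1\\winnt\\somefile.exe",
        "\\Device\\HarddiskVolume10\\tools\\other.exe",
        "\\SystemRoot\\system32\\some.dll",
        "\\Winnt\\system32\\some.OCX",
        "\\Device\\HarddiskVolume7\\x.exe",
    };
    char out[512];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum norm_status st = normalize_image_name(inputs[i], SAMPLE_MAP,
                SAMPLE_MAP_LEN, SAMPLE_SYSTEM_ROOT, out, sizeof out);
        printf("%-48s -> %s\n", inputs[i], st == NORM_OK ? out : "(unresolved)");
    }
    return 0;
}
```

A name that comes back as `NORM_NO_VOLUME` cannot be matched against a rule table from the string alone, because nothing in it identifies the volume.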
