Hi All,
I have a driver which keeps a table of information about all
processes. The table content is process id and the process name. We are
registering for a callback function using the kernel API
PsSetCreateProcessNotifyRoutine, which will get called each time a
process is created. It gives us the process id of the process created. As
there is no option to get the process name from kernel mode, to get the
process name we contact a user-mode application with the obtained process id.
The user-mode app waits by calling an ioctl to the driver. The driver
returns the ioctl with the process id of the newly created
process. Then the application calls the user-mode API, PSAPI,
EnumProcessModules() to get the full path name of the process. The problem is
that EnumProcessModules() fails with the error code
ERR_PARTIAL_COPY ("Only part of a ReadProcessMemory or WriteProcessMemory
request was completed."). After waiting for 100 milliseconds we try
the API again; MSDN does not describe this method. Sometimes it takes about 1000
attempts for this API to succeed. Is there any other method to call this API?
Is there any other way to get the process name from driver mode itself?
Can anyone guide me a way to get out of this problem? All comments are
highly welcome.
Environment: XP Professional.
TIA,
binoj.
First, from EnumProcessModules you are getting the EXECUTABLE NAME, not the
process name. If you do want the executable name, your method has the problem
that the PsSetCreateProcessNotifyRoutine callback is called before the
executable module is loaded. You should consider using
PsSetLoadImageNotifyRoutine to get the executable name; note: this does
mean your driver cannot be unloaded.
Don Burn
Egenera, Inc
Why do you need process names in a driver? Are PIDs not enough?
Mapping a PID to process name can be done in user code.
Max
----- Original Message -----
From: “BINOJ P G”
To: “NT Developers Interest List”
Sent: Monday, November 25, 2002 5:11 PM
Subject: [ntdev] To Get Process name from kernel mode.
> —
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to %%email.unsub%%
The problem in using "PsSetLoadImageNotifyRoutine" is that it gets the name of
all the modules whenever an image is loaded for execution (EXEs as well as
DLLs). From this, how can we identify whether it is an EXE or a DLL?
-----Original Message-----
From: xxxxx@acm.org [mailto:xxxxx@acm.org]
Sent: Monday, November 25, 2002 8:19 PM
To: NT Developers Interest List
Subject: [ntdev] Re: To Get Process name from kernel mode.
Hi !
In my debug version I use undocumented(!?) internal structure
to spy my driver. It works on W2k. Maybe on XP ?
#include <ntddk.h>

/* Returns a pointer to the image name stored in the current EPROCESS, or NULL.
   0x1fc is the offset of the ImageFileName field in the Windows 2000 EPROCESS;
   it is undocumented and differs between kernel versions. */
const char *GetCurrentProcessName(void)
{
    const char *pex = (const char *)IoGetCurrentProcess();
    if (pex != NULL)
    {
        pex += 0x1fc;   /* EPROCESS base + ImageFileName offset (W2K layout only) */
    }
    return pex;
}
GetCurrentProcessName returns NULL or process name.
Grzegorz Malicki
Grzegorz Malicki wrote:
This offset has changed almost every major revision of the ntoskrnl,
so this is not something people should use. If you are going to use
this technique, look at how Sysinternals did it, checking for the
known process name in the block; while not perfect, this is at least
somewhat safer.
Note that while the original requestor said process name, he was asking
for the executing module; these are not the same.
Don Burn
Egenera, Inc
> This offset has changed almost every major revision of the ntoskrnl,
> so this is not something people should use.
I use it ONLY for MY test/debug version to log function, arguments …
and process name
> If you are going to use this technique, look at how Sysinternals
> did it with checking for the known process name in the block,
> while not perfect this is at least somewhat safer.
Could you give a URL? (http://www.sysinternals.com/ and ???)
> Note that while the original requestor said process name he was asking
> for the executing module, these are not the same.
Sorry.
Grzegorz Malicki
By the way … consider WinNT 4.0
- run iexplore.exe -> get process name
- rename the file to qqq.exe
- run qqq.exe and you will get iexplore.exe as a process name …
I just wonder, why ?
–
Best regards,
foxgen mailto:xxxxx@yandex.ru
Exe will always be the first image that is mapped in a process address space.
Bi
-----Original Message-----
From: GEORGE MATHEW [mailto:xxxxx@nestec.net]
Sent: Monday, November 25, 2002 9:28 PM
To: NT Developers Interest List
Subject: [ntdev] Re: To Get Process name from kernel mode.
Maybe this is because the process name is the PE binary name from the
PE header and not the file name?
Max
----- Original Message -----
From: “xxxxx@yandex”
To: “NT Developers Interest List”
Sent: Tuesday, November 26, 2002 3:19 PM
Subject: [ntdev] Re: To Get Process name from kernel mode.
No …
If you first rename the file, then run it, the process name will be as the
renamed file…
I think it's a Microsoft bug, but they won't tell how to determine the
process name correctly, I guess …
–
Best regards,
foxgen mailto:xxxxx@yandex.ru
I think we are going away from the original problem: "How To Get Process
name from kernel mode."
As suggested by Burn, we tried "PsSetLoadImageNotifyRoutine()". This gives
us the callback on every image load [EXE, DLL etc.]. Whereas
PsSetCreateProcessNotifyRoutine() gives us only one callback for each
process name. One finding is that the first callback is always the EXE's
image having the process name [Maxim, this is the file name, not the PE
header as you told. foxgen is right here].
Now I want to make sure whether this first image loaded is always the
process's image and not the associated DLLs'.
-----Original Message-----
From: xxxxx@yandex [mailto:xxxxx@yandex.ru]
Sent: Wednesday, November 27, 2002 12:58 PM
To: NT Developers Interest List
Subject: [ntdev] Re: To Get Process name from kernel mode.
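Combining Bi's reply (the EXE is the first image mapped) with the test George describes gives a per-PID table that keeps only the first user-mode image load as the executable; the block below is an added example written for this thread, not code from any of its posters or from a shipped driver. It models the correlation logic with plain C types so it runs in user mode: the two handlers have the shape of the PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine callbacks with HANDLE, PUNICODE_STRING and PIMAGE_INFO replaced by unsigned long, const char * and the SystemModeImage flag, and the handler, table and field names are assumptions.

```c
/* Added example, not from the thread: kernel callbacks modelled with plain C
 * types (HANDLE -> unsigned long, PUNICODE_STRING -> const char *). */
#include <string.h>
#define MAX_TRACKED  64
#define MAX_PATH_LEN 260

struct proc_entry {
    int           in_use;
    int           have_image;          /* first user-mode image already seen */
    unsigned long pid;
    char          image_path[MAX_PATH_LEN];
};
static struct proc_entry table[MAX_TRACKED];   /* real driver: guard with a lock */

/* Slot for pid; when add is set, claim a free slot for an unknown pid. */
static struct proc_entry *find_slot(unsigned long pid, int add)
{
    struct proc_entry *free_slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (table[i].in_use && table[i].pid == pid) return &table[i];
        if (!table[i].in_use && !free_slot) free_slot = &table[i];
    }
    if (!add || !free_slot) return NULL;           /* unknown pid, or table full */
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->in_use = 1;
    free_slot->pid = pid;
    return free_slot;
}

/* Shape of PCREATE_PROCESS_NOTIFY_ROUTINE(ParentId, ProcessId, Create). */
void on_create_process(unsigned long parent_pid, unsigned long pid, int create)
{
    struct proc_entry *e;
    (void)parent_pid;
    if (create)
        find_slot(pid, 1);          /* may already exist: the exe load can be reported first */
    else if ((e = find_slot(pid, 0)) != NULL)
        memset(e, 0, sizeof *e);    /* exit: free the slot so a recycled PID starts clean */
}

/* Shape of PLOAD_IMAGE_NOTIFY_ROUTINE(FullImageName, ProcessId, ImageInfo); returns 1 if recorded as the exe. */
int on_load_image(const char *full_image_name, unsigned long pid, int system_mode_image)
{
    struct proc_entry *e;
    if (system_mode_image) return 0;               /* driver load, not a user process image */
    e = find_slot(pid, 1);
    if (e == NULL || e->have_image) return 0;      /* later loads into this process are DLLs */
    strncpy(e->image_path, full_image_name, MAX_PATH_LEN - 1);
    e->image_path[MAX_PATH_LEN - 1] = '\0';
    e->have_image = 1;
    return 1;
}

/* Full image path recorded for pid, or NULL if none has been seen. */
const char *image_path_for(unsigned long pid)
{
    struct proc_entry *e = find_slot(pid, 0);
    return (e && e->have_image) ? e->image_path : NULL;
}
```

The table does not depend on which of the two notifications arrives first, ignores system-mode (driver) image loads, and clears the slot on process exit so a reused PID does not inherit a stale name.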
I’ve noticed the same behaviour in W2K.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@yandex
Sent: Wednesday, November 27, 2002 2:28 AM
To: NT Developers Interest List
Subject: [ntdev] Re: To Get Process name from kernel mode.
"Stanislaw Kowalczyk" wrote in message
news:xxxxx@ntdev…
> I've noticed the same behaviour in W2K.
> MSS> Maybe this is because the process name is the PE binary name from the
> MSS> PE header and not the file name?
> MSS> Max
Max actually got it right.
NT Internals 201: Neither process objects nor thread objects are named
objects. So, strictly speaking, processes don't have a "name".
Processes are internally identified by a process unique ID value.
For ease in debugging, tracking, and reporting, each EPROCESS data structure
contains the first few (I can never remember how many…) characters of the name
of the image file from which it was created. Obviously, this is not unique
(running c:\fred\bob\myimage.exe and c:\windows\system32\myimage.exe both
result in a process with an image name of "myimage"), so it can't be relied
on for anything other than information and amusement.
Peter
OSR
About that “process unique ID value”: Is this unique until the next
boot, or can it be reused if the process terminates? Same question about
threads. I ask because there are some problems that can be easily solved
if one knows the id (token, whatever) of the original caller of a
service that’s asynchronous.
–
If replying by e-mail, please remove “nospam.” from the address.
James Antognini