To many events in PostCreat!

OSR_Community_User · January 15, 2008, 6:55am

In my PostCreat I get several events per sec without do anything.
These events most come from the system I suppose.
Can I filter them out so I only get the events from the user?

Regards
Mattias Bergkvist

OSR_Community_User · January 15, 2008, 7:16am

xxxxx@netcleantech.com wrote:

In my PostCreat I get several events per sec without do anything.
These events most come from the system I suppose.
Can I filter them out so I only get the events from the user?

Just a hint: If you want to filter the events from just a given process,
you can use FltGetRequestorProcessId with the process’ ID.

have a nice day,

Sandor LUKACS

Ayush_Gupta-2 · January 15, 2008, 7:27am

Hi Mattias,

In my PostCreat I get several events per sec without do anything.
These events most come from the system I suppose.
Can I filter them out so I only get the events from the user?

You can call FltGetRequestorProcessId in your routine to find out the requestor process.

You can just check out the process ID of “System” process filter out the request. The process ID of System varies across OS versions. In some it is 8 and in some 4.

NOTE: It is not necessary for you to do something to get Create callbacks. Many apps just keep on doing file activity. For example an antivirus can do scanning in the background.

Regards,
Ayush Gupta

OSR_Community_User · January 15, 2008, 7:42am

Thanks for the answers Sandor and Ayush.

I think it is a good idea to check the process ID and filter the system ID out.
How can I get the process ID of the system?

Regards
Mattias Bergkvist

OSR_Community_User · January 15, 2008, 8:01am

> How can I get the process ID of the system?

PsGetCurrentProcessId in DriverEntry.

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · January 15, 2008, 8:13am

xxxxx@netcleantech.com wrote:

Thanks for the answers Sandor and Ayush.

I think it is a good idea to check the process ID and filter the system ID out.

I think, it depends… If you just want to filter out for debugging
purposes, it might be a good idea. But, in many cases you might find
out, that some part of the OS writes on behalf of your thread in a
different context (system for example). AFAIK, for example the modified
page writer generates writes to files from the system context. This
might or might not be of interest for your particular needs. (Also, it
is likely that IRP_MJ_WRITE is just an example from many).

How can I get the process ID of the system?
AFAIK, PsGetCurrentProcessId() at the beginning of DriverEntry() shall
do it.

Sandor LUKACS

Daniel_Terhell · January 15, 2008, 8:27am

Another way is to call PsIsSystemThread with your callback data’s Thread
parameter.

/Daniel

wrote in message news:xxxxx@ntfsd…
> Thanks for the answers Sandor and Ayush.
>
> I think it is a good idea to check the process ID and filter the system ID
> out.
> How can I get the process ID of the system?
>
> Regards
> Mattias Bergkvist
>