Will PsSetCreateProcessNotifyRoutine get all PIDs

Hello,

In the driver, I have registered a callback routine using PsSetCreateProcessNotifyRoutine in order to keep track of all the processes created on the machine.

When I get the PID in the routine, I get the PID resolved to the process name with the help of a user mode application. Until then, the callback routine is waiting.

It may happen that, while the resolution (of PID to process name) is in progress, some other process may start and the system will try to call the callback routine. But the routine is busy (in resolution) and thus the callback will be missed.

What happens in such a case?

Will the callback routine for the second PID be running in parallel with the callback routine for first PID (which is busy resolving)?
OR
The callback routine will miss the second PID. (System will fail to call the routine for the second PID since it is already executing).

Thanks
Abhijit

I guess the next callback will be called independently (in parallel), but if you have already done what you wrote, why don't you test it yourself? It would probably take less time than writing this question :-)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Abhijit[SMTP:xxxxx@yahoo.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, July 21, 2004 8:01 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Will PsSetCreateProcessNotifyRoutine get all PIDs

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@upek.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi All,

I tested the callback routine by coding a simple loop which printed a string on the debugger.
Then I started 5 instances of an application through my program (using ShellExecute).

But I observed that the ProcessMonitor callback routine is called serially, and it doesn't miss any PID.
There is no problem waiting in the routine (since it is called at PASSIVE_LEVEL), but the application (in whose creation routine we are waiting) starts after we return from the callback routine. So one must avoid waiting or spending too much time in the process creation callback routine.

That is what I could conclude.

Regards
Abhijit.


Hi Michal,

Sorry. My previous conclusion was wrong.
This time I used KeDelayExecutionThread in the callback routine and I observed that the routine is indeed called in parallel.
Your guess was right. The callback routine is called in parallel. So missing PIDs is impossible :-)

Thanks
Abhijit.


Abhijit,

it corresponds with the docs, which say the callback is called in the context of the created process. Serializing would be possible but could cause system-wide problems. As you saw, you should avoid serialization with your app because a small error could deadlock the whole system. Personally, I'd never wait for user mode code inside the callback.

If I remember correctly (it is several years since I used it), the callback is called for any process already running immediately after the callback is installed. No PID is missed.

Experiment is a great thing, but one shouldn't depend (too much :-) on current behaviour, especially when it is undocumented. The OS implementation can change in the future, even in an SP. Sorry for being pedantic :-)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Abhijit[SMTP:xxxxx@yahoo.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, July 22, 2004 2:30 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Will PsSetCreateProcessNotifyRoutine get all PIDs


Sorry, that last is wrong: if any processes are running when your driver is loaded, these will not be recorded. Otherwise, the data is correct; the callback is actually part of the process startup, and will run in the context of the process.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


You're right, I didn't remember correctly. The callback for already-running processes is only called when the process exits. I should have checked it before posting; it was only a matter of loading an old driver and turning on traces.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Don Burn[SMTP:xxxxx@acm.org]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, July 22, 2004 7:24 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Will PsSetCreateProcessNotifyRoutine get all PIDs

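The design the thread converges on (Michal: never wait for user mode code inside the callback; Don and Michal: processes already running at registration are only seen when they exit), as an added example that is not code from the thread or from any of its posters. It is a user-mode C simulation: the stand-in callback only records an event into a bounded ring buffer and returns, a consumer drains the buffer later and resolves names there, a full buffer is counted as a drop rather than a block, and an exit for a PID whose creation was never observed is counted separately so the consumer can reconcile it against a process snapshot taken at registration. The names process_notify, drain_events, notify_creates, the queue size and the PIDs are assumptions made for this illustration; the real routine has the prototype (HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) and, because callbacks run concurrently, its enqueue would need a spin lock or interlocked indices, which this single-threaded simulation omits.

```c
/* Added example, not from the thread: non-blocking process-event queue plus
 * a consumer-side tracker. Function names, sizes and PIDs are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define QUEUE_CAP   8    /* deliberately tiny so the overflow path is exercised */
#define MAX_TRACKED 64

typedef struct {
    uint32_t parent_pid;
    uint32_t pid;
    bool     create;     /* true: process created, false: process exited */
} proc_event;

/* Ring buffer written by the callback and drained by the consumer.
 * A real driver must guard this with a spin lock or interlocked indices,
 * since the callback runs concurrently in each creating process context. */
static proc_event g_queue[QUEUE_CAP];
static unsigned   g_head, g_tail;   /* head: next read, tail: next write */
static unsigned   g_dropped;        /* events lost because the queue was full */

/* Stand-in for the routine given to PsSetCreateProcessNotifyRoutine.
 * It records the event and returns at once: no waiting, no name lookup. */
void process_notify(uint32_t parent_pid, uint32_t pid, bool create)
{
    if (g_tail - g_head == QUEUE_CAP) {  /* full: count the loss, never block */
        g_dropped++;
        return;
    }
    g_queue[g_tail % QUEUE_CAP] = (proc_event){ parent_pid, pid, create };
    g_tail++;
}

/* Helper for the simulation: 'count' creates with consecutive PIDs. */
void notify_creates(uint32_t first_pid, unsigned count)
{
    for (unsigned i = 0; i < count; i++)
        process_notify(4, first_pid + i, true);
}

/* Consumer-side table of PIDs whose creation was actually observed. */
static uint32_t g_tracked[MAX_TRACKED];
static unsigned g_tracked_n;
static unsigned g_unknown_exits;    /* exits of PIDs we never saw created */

static int find_tracked(uint32_t pid)
{
    for (unsigned i = 0; i < g_tracked_n; i++)
        if (g_tracked[i] == pid)
            return (int)i;
    return -1;
}

/* Drain every queued event into the tracker; returns how many were applied.
 * An exit for an unknown PID is the case Don Burn describes: the process was
 * already running when the callback was registered, so only its exit shows up. */
unsigned drain_events(void)
{
    unsigned applied = 0;
    while (g_head != g_tail) {
        proc_event e = g_queue[g_head % QUEUE_CAP];
        g_head++;
        applied++;
        int i = find_tracked(e.pid);
        if (e.create) {
            if (i < 0 && g_tracked_n < MAX_TRACKED)
                g_tracked[g_tracked_n++] = e.pid;
        } else if (i >= 0) {
            g_tracked[i] = g_tracked[--g_tracked_n];   /* swap-remove */
        } else {
            g_unknown_exits++;
        }
    }
    return applied;
}

unsigned tracked_count(void)      { return g_tracked_n; }
unsigned dropped_count(void)      { return g_dropped; }
unsigned unknown_exit_count(void) { return g_unknown_exits; }

void reset_state(void)
{
    g_head = g_tail = g_dropped = 0;
    g_tracked_n = g_unknown_exits = 0;
}

int main(void)
{
    reset_state();
    notify_creates(100, 5);           /* five creates, like the test in the thread */
    process_notify(4, 102, false);    /* one of them exits */
    process_notify(4, 999, false);    /* a process that predates registration exits */
    unsigned applied = drain_events();
    printf("applied=%u tracked=%u unknown_exits=%u dropped=%u\n",
           applied, tracked_count(), unknown_exit_count(), dropped_count());
    return 0;
}
```

The point of the split is that the kernel side does nothing that can wait on the user-mode resolver, so a hung or crashed resolver stalls only the consumer, not every process creation on the box; the drop counter makes a full queue visible instead of silently losing PIDs, and the unknown-exit counter is the signal that a startup snapshot is needed for processes that were already running.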