Will the call to PsGetCurrentProcessId() in PostCreate return the correct process opening the file?

PsGetCurrentProcessId() does get the correct process ID opening a file in PreCreate, but what about calling PsGetCurrentProcessId() in PostCreate?

No, you cannot rely on it (even though it would contradict some rules).
Use FltGetRequestorProcess(Id) instead.

Related: despite what the documentation infers, you cannot and must not rely on being called back in the same thread if you specify FLT_PREOP_SYNCHRONIZE (which is inferred for a Create if you said PREOP_SUCCESS_WITH_CALLBACK).

Callbacks during instance teardown come back in arbitrary context. I'm not sure that MJ_CREATE behaves like that, but I'd not take the risk.

OK so I will call PsGetCurrentProcessId() in PreCreate and pass the PID through CompletionContext to PostCreate.

Why not call FltGetRequestorProcessId(cbd) in post like @Dejan_Maksimovic suggested?

What are you trying to achieve? There are interesting cases you can construct (upper filter pends and posts the CBD) in which PsGetCurrentProcessId() will not be the process Id of the process that called NtCreateFile.

I want to give access to files in a directory to a process only after verifying the executable's path and its checksum (SHA2). This is part of an encryption filter driver. I am calculating the checksum in CreateProcessNotify() callback.

My bad, I misunderstood your reply to be opposing what @Dejan_Maksimovic said.

You might want to investigate the security context because of impersonation issues.

Thanks for the heads-up, Rod. Will investigate that.
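
Added example (not code from any participant in this thread, and not driver code): a user-mode C model of the design discussed above, where PIDs are recorded at process creation after a path and digest check, and the create decision is keyed on the requestor PID rather than on the context the callback happens to run in. The struct fields stand in for FltGetRequestorProcessId and PsGetCurrentProcessId; every name, path, PID and digest value is constructed, and the removal of a PID at process exit goes beyond what the thread covers.

```c
/* Added example: user-mode model with constructed names and values, not driver code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 32
#define MAX_VERIFIED 16
/* Constructed policy: the one image allowed to open files in the protected directory. */
static const char *const ALLOWED_PATH = "C:\\Program Files\\Example\\app.exe";
static const uint8_t ALLOWED_DIGEST[DIGEST_LEN] = { 0xAA, 0xBB, 0xCC }; /* placeholder digest */
static uint32_t g_verified[MAX_VERIFIED]; /* verified PIDs; 0 marks a free slot */

/* Models the process-creation notification: record the PID only if path and digest match. */
bool on_process_create(uint32_t pid, const char *path, const uint8_t *digest) {
    if (pid == 0 || strcmp(path, ALLOWED_PATH) != 0 ||
        memcmp(digest, ALLOWED_DIGEST, DIGEST_LEN) != 0) return false;
    for (int i = 0; i < MAX_VERIFIED; i++)
        if (g_verified[i] == 0) { g_verified[i] = pid; return true; }
    return false; /* table full: fail closed */
}

/* Models process exit: forget the PID so a later process that reuses it is not trusted. */
void on_process_exit(uint32_t pid) {
    for (int i = 0; i < MAX_VERIFIED; i++)
        if (g_verified[i] == pid) g_verified[i] = 0;
}

bool is_verified(uint32_t pid) {
    for (int i = 0; pid != 0 && i < MAX_VERIFIED; i++)
        if (g_verified[i] == pid) return true;
    return false;
}

typedef struct {
    uint32_t requestor_pid; /* stands in for FltGetRequestorProcessId(Data) */
    uint32_t current_pid;   /* stands in for PsGetCurrentProcessId() in the callback */
} create_request;

/* Decision keyed on the requestor, not on whichever thread runs the callback. */
bool post_create_allows(const create_request *r) { return is_verified(r->requestor_pid); }
/* The variant the thread advises against, kept for comparison. */
bool post_create_allows_by_current(const create_request *r) { return is_verified(r->current_pid); }

int main(void) {
    on_process_create(1200, ALLOWED_PATH, ALLOWED_DIGEST);
    create_request pended = { 1200, 4 }; /* constructed: completed on a worker thread */
    printf("requestor=%d current=%d\n", post_create_allows(&pended), post_create_allows_by_current(&pended));
    return 0;
}
```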