ZwCurrentProcess

Hi,

I need to get some kind of Process Id from my driver dispatch for DeIoctl. I wonder why
ZwCurrentProcess() does not work. It always returns -1 no matter what process calls my driver.
Is it a known bug or am I doing something wrong?

I am using WDK for Win7 and Win7 Ultimate 64. The calling process is a 32-bit process.

So far I use IoGetCurrentProcess() and it works great.

Thanks

IoGetCurrentProcess is more reliable since it can extract the request’s process while you are not in the current process’s context (i.e. from a work item). Why do you need to validate the current process during IOCTL processing though? Typically this is a one-time check in the IRP_MJ_CREATE path: store the results of the check in the file object and just check that field in the ioctl handler.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Thursday, October 20, 2011 10:54 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] ZwCurrentProcess

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Read the documentation more carefully: ZwCurrentProcess returns a
special handle value that represents the current process. It is a
handle value you can use for other calls, and -1 is the “special handle
value”.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Yeah. I read the doc on ZwCurrentProcess and I know that the value returned is not a true handle, but I would still expect that the “special handle” is unique for different processes. If it returns the same value for all processes then what is ZwCurrentProcess used for?

It is used for things like ZwOpenProcessTokenEx which takes a handle to
a process.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Officially, it returns a handle to the current process, which is used in
contexts where I want to say “me”. In application space we refer to these
as “pseudo-handles” and the whole point of this is you have a handle token
for “me” which does not require creating a new handle, which would then
have to be closed. Essentially, this week, for the current version of
Windows, with the current set of hotfixes, that value just happens to be
-1. The reason for the call is in case next week Microsoft decides that
“me” is 0x454D454D (which, if I’ve counted the alphabet properly, is the
character literal ‘meme’). The rule in application space is that if you
need a real process handle, you call DuplicateHandle giving the result of
GetCurrentProcess (the user API) as the source handle. It then constructs a
real handle from the pseudo-handle, and the application writer must
remember to call CloseHandle on that handle. So what you are seeing is
the kernel equivalent of that logic.
joe


Why would you check this on every IOCTL instead of once when the handle is
created? Or better yet, use an appropriate security descriptor so that the
OS does it for you and unauthorized processes just can’t open handles.
