ZwQueryInformationProcess failure

[Win 7 32-bit] I have a process ID and, using ZwQueryInformationProcess, need to retrieve the image name. Here is the code. Regardless, the call fails with status 0x842aa800. Any idea?
I tried the dynamically linked version. It did not really make any difference.
The link mentions this call may not be supported in the future:
http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx
Is there any other way?

Thx

NTSTATUS PName(HANDLE PID, PUNICODE_STRING PImgName)
{
    NTSTATUS status;
    ULONG rLen;
    PVOID buf;
    PUNICODE_STRING iName;
#define MXSZ 512
    /* pool tag written as a multi-character constant (the post had the bare identifier YT) */
    buf = ExAllocatePoolWithTag(NonPagedPool, MXSZ * sizeof (WCHAR), '  TY');
    if (NULL == buf) {
        KdPrint((" ExAllocatePoolWithTag failed \n"));
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* first parameter: the replies below point out this must be a process handle, not a process ID */
    status = ZwQueryInformationProcess(PID, ProcessImageFileName, buf, MXSZ * sizeof (WCHAR), &rLen);
    if (NT_SUCCESS(status)) {
        /* . . . (elided in the original post) */
        KdPrint((" PImgName<%wZ> NT_SUCCESS \n", PImgName));
    }
    else KdPrint((" ZwQueryInformationProcess fail status < 0x%x >\n", status));
    ExFreePool(buf);
    return status;
}

ZwQueryInformationProcess requires a process handle. You have passed a process ID to it.

Regards,
Ayush Gupta
AI Consulting.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, March 24, 2010 9:44 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] ZwQueryInformationProcess failure
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I think OP is passing handle only though he has named it PID which looks
misleading.

Type of PID is HANDLE (I am not sure whether he is passing a ULONG from
callee and typecasting it as HANDLE in PName).

I think you are not passing properly initialized UNICODE_STRING.

For “ProcessImageFileName” you need to provide a pointer to a UNICODE_STRING
for the *ProcessInformation* parameter.

Read the documentation carefully -
http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx (it
can be altered in future versions also)

Regards
Deepak


Yes, thanks for pointing out my mistake. I need to use a process handle. Is any sample code available for getting a process handle? PsGetCurrentProcess returns an EPROCESS. How can one obtain a process handle from this?

Thx

PsGetCurrentProcessId returns the handle. Read the documentation a
little, don’t just ask questions.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@gmail.com [mailto:xxxxx@gmail.com]
Posted At: Wednesday, March 24, 2010 9:11 AM
Posted To: ntfsd
Conversation: ZwQueryInformationProcess failure
Subject: RE: ZwQueryInformationProcess failure

Hi Don,

> PsGetCurrentProcessId returns the handle. Read the documentation a
> little, don’t just ask questions.

PsGetCurrentProcessId returns the process ID. The OP wants the process handle which he needs to get by ZwOpenProcess in my opinion.
Probably you meant ZwOpenProcess instead of PsGetCurrentProcessId?

To OP: Kindly consider searching the archives first!

Regards,
Ayush Gupta
AI Consulting

Don,

PsGetCurrentProcessId returns a process ID. He needs the process handle.
One way to get a handle from the process ID is to call ZwOpenProcess.
According to the documentation Vista added FltGetRequestorProcessIdEx which
returns the process handle.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, March 24, 2010 9:21 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] ZwQueryInformationProcess failure

Process IDs are handles, they come out of a global table in the O/S
(PspCidTable). Incidentally, thread IDs are also handles and they come out
of the same table as the process IDs (good bit of Windows trivia for the
next time you’re at a party).

However, this doesn’t mean that you can just use it as a parameter to a
function that needs a process handle. Those are expecting you to have a
valid handle to the process in *your* process’ handle table (which
ZwOpenProcess will do for you).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


> Yes, Thanks for pointing out my mistake. Need to use Process Handle. Any sample code available for getting Process Handle?

PsLookupProcessByProcessId + ObOpenObjectByPointer


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks to everyone who pointed me to two different ways to solve the issue. Here is the one I implemented, which worked; I am posting it for future questions on the subject:

NTSTATUS status;
ULONG retLen;
PVOID buf;                 /* assumed: allocated by the caller, MAX_BUFFER_SZ * sizeof (WCHAR) bytes */
CLIENT_ID clientId;
OBJECT_ATTRIBUTES objAttr;
HANDLE hProcess = NULL;

/* open a handle to the current process from its ID */
clientId.UniqueProcess = PsGetCurrentProcessId();
clientId.UniqueThread = NULL;

InitializeObjectAttributes(
    &objAttr,
    NULL,
    0,
    NULL,
    NULL);

status = ZwOpenProcess(
    &hProcess,
    PROCESS_ALL_ACCESS,
    &objAttr,
    &clientId);

if( !NT_SUCCESS(status) )
{
    KdPrint(("ZwOpenProcess failed\n"));
    return status;
}

/* query with the handle, not the ID */
status = ZwQueryInformationProcess( hProcess,
    ProcessImageFileName,
    buf,
    MAX_BUFFER_SZ * sizeof (WCHAR),
    &retLen);

ZwClose(hProcess);

-JG
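As an added example (written for this page, not code from the thread or from Microsoft), here is a small user-mode C model of the contract behind the two points the thread settles on: Scott Noone's point that a process ID is not a handle in the caller's handle table, and the buffer layout that ZwQueryInformationProcess(ProcessImageFileName) returns, a UNICODE_STRING header whose Buffer member points just past the header into the same caller buffer. The "kernel" side is a constructed table (the process ID 1234, the handle 0x48, the image path and everything prefixed model_ are assumptions for the demonstration), and the model assumes that a too-small buffer yields STATUS_INFO_LENGTH_MISMATCH with the required size in ReturnLength, which is the probe-then-allocate pattern the posted code should follow. It also decodes an NTSTATUS into its severity, facility and code fields so a value like the 0x842aa800 in the first post can be read off.

```c
/* Added example, not the thread's code: user-mode model of the
 * ZwQueryInformationProcess(ProcessImageFileName) contract (gcc/clang). */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef int32_t   NTSTATUS;
typedef uint16_t  WCHAR;    /* kernel WCHAR is 16-bit; host wchar_t may not be */
typedef uintptr_t HANDLE;   /* in the DDK both PIDs and handles are HANDLE-typed */

typedef struct {            /* mirrors ntdef.h */
    uint16_t Length;        /* bytes in Buffer, no terminator */
    uint16_t MaximumLength;
    WCHAR   *Buffer;
} UNICODE_STRING;

#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_HANDLE         ((NTSTATUS)0xC0000008)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)

/* NTSTATUS layout: bits 31-30 severity, 29 customer, 28 reserved, 27-16 facility, 15-0 code. */
static unsigned ntstatus_severity(NTSTATUS s) { return ((uint32_t)s >> 30) & 0x3u; }
static unsigned ntstatus_facility(NTSTATUS s) { return ((uint32_t)s >> 16) & 0xFFFu; }
static unsigned ntstatus_code(NTSTATUS s)     { return (uint32_t)s & 0xFFFFu; }

/* ---- constructed stand-in for the kernel (an assumption, not real state) ---- */
#define MODEL_PID    ((HANDLE)1234)  /* a process ID: an index into PspCidTable */
#define MODEL_HANDLE ((HANDLE)0x48)  /* the only handle in "our" process handle table */
static const char model_image[] = "\\Device\\HarddiskVolume1\\notepad.exe";

static NTSTATUS model_ZwQueryImageFileName(HANDLE h, void *buf, uint32_t len, uint32_t *retlen)
{
    uint32_t name_bytes = (uint32_t)strlen(model_image) * sizeof(WCHAR);
    uint32_t needed = (uint32_t)sizeof(UNICODE_STRING) + name_bytes;
    UNICODE_STRING *us;
    size_t i;

    if (h != MODEL_HANDLE)          /* a PID is not in the handle table: lookup fails first */
        return STATUS_INVALID_HANDLE;
    if (retlen)
        *retlen = needed;           /* required size reported on mismatch (model assumption) */
    if (buf == NULL || len < needed)
        return STATUS_INFO_LENGTH_MISMATCH;
    us = (UNICODE_STRING *)buf;     /* header first, characters right behind it */
    us->Buffer = (WCHAR *)((char *)buf + sizeof(UNICODE_STRING));
    for (i = 0; model_image[i] != '\0'; i++)
        us->Buffer[i] = (WCHAR)(unsigned char)model_image[i];
    us->Length = us->MaximumLength = (uint16_t)name_bytes;
    return STATUS_SUCCESS;
}

/* ---- caller side: probe for the size, allocate exactly that, query again.
 * On success *out owns one malloc'd block holding header and characters; free() it. ---- */
static NTSTATUS query_image_name(HANDLE h, UNICODE_STRING **out)
{
    uint32_t needed = 0, got = 0;
    NTSTATUS st;
    void *buf;

    *out = NULL;
    st = model_ZwQueryImageFileName(h, NULL, 0, &needed);
    if (st != STATUS_INFO_LENGTH_MISMATCH)
        return NT_SUCCESS(st) ? STATUS_INFO_LENGTH_MISMATCH : st; /* a 0-byte probe must not "succeed" */
    buf = malloc(needed);
    if (buf == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    st = model_ZwQueryImageFileName(h, buf, needed, &got);
    if (!NT_SUCCESS(st)) {
        free(buf);
        return st;
    }
    *out = (UNICODE_STRING *)buf;
    return st;
}

/* Compare a UNICODE_STRING against an ASCII string: 1 if equal, else 0. */
static int unicode_equals_ascii(const UNICODE_STRING *us, const char *s)
{
    size_t n = us->Length / sizeof(WCHAR), i;
    if (n != strlen(s))
        return 0;
    for (i = 0; i < n; i++)
        if (us->Buffer[i] != (WCHAR)(unsigned char)s[i])
            return 0;
    return 1;
}

int main(void)
{
    UNICODE_STRING *name = NULL;
    NTSTATUS st = query_image_name(MODEL_PID, &name);   /* the first post's mistake */
    printf("with PID:    0x%08x (severity %u, facility 0x%x, code 0x%x)\n",
           (unsigned)st, ntstatus_severity(st), ntstatus_facility(st), ntstatus_code(st));
    st = query_image_name(MODEL_HANDLE, &name);         /* with a handle from our table */
    printf("with handle: 0x%08x, %u bytes of name\n", (unsigned)st, name ? name->Length : 0u);
    free(name);
    return 0;
}
```

Two kernel-side points the model cannot show but a driver writer should carry over: a handle opened from kernel mode with ZwOpenProcess or ObOpenObjectByPointer should be created with OBJ_KERNEL_HANDLE in the object attributes, otherwise it lands in the handle table of whatever process is current and is reachable from user mode; and PROCESS_ALL_ACCESS is far more than an image-name query needs, so requesting only the query right (PROCESS_QUERY_LIMITED_INFORMATION, or PROCESS_QUERY_INFORMATION on older systems) keeps the open to least privilege. If the PsLookupProcessByProcessId route Maxim mentions is used, the EPROCESS it returns is referenced and must be released with ObDereferenceObject after the handle has been opened.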