Recent Posts

Tags

News

  • A blog about Microsoft Windows development, focused on kernel-mode driver development, the Windows DDK, WDK, and related tools.

    To elaborate on the copyright notice at the bottom: all content produced by me on this site is copyright and licensed as follows:

    <!-- Creative Commons License --> Creative Commons License
    This work is licensed under a Creative Commons License. <!-- /Creative Commons License --> <!-- <rdf:RDF xmlns="http://web.resource.org/cc/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <Work rdf:about=""> <dc:type rdf:resource="http://purl.org/dc/dcmitype/Text" /> <license rdf:resource="http://creativecommons.org/licenses/by-nc/2.0/" /> </Work> <License rdf:about="http://creativecommons.org/licenses/by-nc/2.0/"> <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> <permits rdf:resource="http://web.resource.org/cc/Distribution" /> <requires rdf:resource="http://web.resource.org/cc/Notice" /> <requires rdf:resource="http://web.resource.org/cc/Attribution" /> <prohibits rdf:resource="http://web.resource.org/cc/CommercialUse" /> <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> </License> </rdf:RDF> -->

    Although I work for Positive Networks, this work is my own and is not connected with my employer in any way.

    <!-- technorati again --> <script type="text/javascript" src="http://embed.technorati.com/embed/8xz8dihr.js"> </script>

Community

Email Notifications

Other Blogs

General

Technical Resources

About Me

Archives

Kernel Mustard

Reflections on Windows System Programming
Steve Dispensa, MVP - Windows DDK

Who's Asking: The Problem With IoGetRequestorProcess()

Last time I discussed how IoGetRequestorProcess() can get you where you want to go in some cases, if where you want to go involves finding out "who" originated an I/O request. See previous articles in this series if you're new to the discussion.

IoGetRequestorProcess works by examining the thread information encoded in the IRP. This information is typically set by the IO manager to reflect the thread in which the IRP was created. The problem, of course, is that not all IRPs will have the right info here:

  • No Process - It's entirely possible for IRPs to be created without any process information at all. Anyone who constructs his own IRPs from scratch will have the option of not setting thread context information on the IRP. I'm not sure if this is legal, but it's certainly possible.
  • System Process - Many IRPs created by the driver will be in the context of the system process. This is usually the case when a request is posted to a worker thread or a system thread. As I mentioned before, this is not an uncommon case in the presence of filter drivers, or really from within any device stack at all.
  • Wrong/Arbitrary Process - The most insidious case, of course, is when you find yourself with valid-looking but wrong data. This will clearly be the case if a driver above yours in the stack is called back in an arbitrary process context and decides to create an IRP. This can happen during the rundown of a DPC routine, for example.

So you see, we still seem to be high and dry here. Whatever is a driver to do?

I love cliff-hangers :-)

Posted: Nov 15 2004, 10:34 PM by Steve Dispensa | with no comments
Filed under:
Leave a Comment

(required) 

(required) 

(optional)

(required)