My Net Event never contains AppID RRS feed

  • Question

  • I have a test application that creates filters and then enumerates all the net events that pass through those filters while the application is running.

    It works fine except that the AppID in the header is always nothing.  When I run the debugger I can see that everything is present in the header except userID and AppID.  The userID I figured was missing because I never setup ACL. 

    I am thinking that maybe this information won't be present at certain layers?  For example I am using the INBOUND TRANSPORT V4 and V6 layers. 

    I will post my code if you think it will help I just don't want to clog up the post with a hundred line wall of text :D

    My machine is running 64 bit Windows Vista Business.  Visual Studio 2005.  Windows SDK 7.1.  Windows Driver Kit

    Thank you again for any insight.

    Thursday, August 30, 2012 5:05 AM


All replies

  • Hi,

    Application path is available only at ALE layers. See Metadata Fields at Each Filtering Layer.

    If you need application path at TRANSPORT, one option is to record the path at ALE layer and associate it to flow context, which is available at TRANSPORT. See Associating Context with a Data Flow.

    -- Antti

    Thursday, August 30, 2012 8:21 AM
  • Antti is correct, you will only have those in events for layers that have them available by default.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Thursday, August 30, 2012 3:34 PM
  • Thank you I must of missed the metadata list for each filtering layer.  Very helpful.

    Just so everyone know it's listed in the Driver Kit Windows Filtering Platform Callout documentation,  not the regular Windows Filtering Platform Windows Development MSDN documentation.
    • Edited by Ritual Thursday, August 30, 2012 7:23 PM
    Thursday, August 30, 2012 4:47 PM