How to get system process handle?

  • Question

  • How to get a system process handle (to use, for instance, in ZwMapViewOfSection when it is called in the context of another process)?

    I tried

    CLIENT_ID clientId;
    OBJECT_ATTRIBUTES oa;
    NTSTATUS status;

    /* Open by process id only: UniqueThread must be NULL, otherwise
       ZwOpenProcess expects it to name a thread of that process. */
    clientId.UniqueProcess = PsGetCurrentProcessId();
    clientId.UniqueThread = NULL;

    /* Object attributes (setup not shown in the original post). */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenProcess(&filterData.SystemProcess, /* receives the handle */
                           READ_CONTROL,              /* requested access */
                           &oa,
                           &clientId);

    (in DriverEntry, which runs in the System process; the call fails with invalid client id)

    Also I tried to pass PsGetProcessId(PsInitialSystemProcess) as the handle value, with no success.


    • Edited by The Brans Friday, July 11, 2014 5:27 PM correction
    Friday, July 11, 2014 5:26 PM

Answers

  • Well the normal way to do this, as I have pointed out before, is for you to manage this stuff yourself.  Going through system paging for something in the storage stack is not a wise idea; at best it leads to unpredictable performance, at worst to deadlocks.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Friday, July 11, 2014 7:38 PM

All replies

  • Use PsGetCurrentProcess to get the process object, then ObOpenObjectByPointer.  The bigger question is why do you feel you need to ZwMapViewOfSection to the kernel process in the first place?


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Friday, July 11, 2014 5:54 PM
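The sequence Don Burn describes, written out as an added example (this is not code from the thread): PsGetCurrentProcess() to get the EPROCESS of the process the driver is running in, then ObOpenObjectByPointer() with OBJ_KERNEL_HANDLE, so the resulting handle lives in the kernel handle table and cannot be reached, duplicated or closed from user mode. The function names OpenCurrentProcessKernelHandle and CloseProcessKernelHandle are my own. The real code is the WDK branch; the #else branch is a constructed stand-in with the same signatures so the file also compiles on a plain host compiler and is not the real kernel API.

```c
/* Added example, not code from the thread. Build under the WDK; the #else
 * branch is a constructed stand-in (NOT the real kernel API) so the file
 * also compiles on a host compiler for illustration. */
#ifdef _MSC_VER
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>
typedef long NTSTATUS;
typedef void *HANDLE;
typedef void *PEPROCESS;
typedef void *PVOID;
typedef uint32_t ULONG;
typedef ULONG ACCESS_MASK;
typedef struct _OBJECT_TYPE *POBJECT_TYPE;
typedef char KPROCESSOR_MODE;
#define KernelMode 0
#define STATUS_SUCCESS ((NTSTATUS)0L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#define OBJ_KERNEL_HANDLE 0x00000200L
#define PROCESS_VM_OPERATION 0x0008

/* Stand-in objects: a fake process type and a fake current process. */
static struct _OBJECT_TYPE { int unused; } g_fakeProcessType;
static POBJECT_TYPE g_fakeProcessTypePtr = &g_fakeProcessType;
static POBJECT_TYPE *PsProcessType = &g_fakeProcessTypePtr;
static int g_fakeProcess;
static PEPROCESS PsGetCurrentProcess(void) { return &g_fakeProcess; }

/* Stand-in with the real parameter order; only validates its inputs. */
static NTSTATUS ObOpenObjectByPointer(PVOID Object, ULONG HandleAttributes,
                                      PVOID PassedAccessState,
                                      ACCESS_MASK DesiredAccess,
                                      POBJECT_TYPE ObjectType,
                                      KPROCESSOR_MODE AccessMode,
                                      HANDLE *Handle)
{
    (void)PassedAccessState; (void)DesiredAccess; (void)AccessMode;
    if (Object == NULL || ObjectType != *PsProcessType || Handle == NULL)
        return STATUS_INVALID_PARAMETER;
    /* Fake handle value; kernel handles have the high bit set on real systems. */
    *Handle = (HandleAttributes & OBJ_KERNEL_HANDLE)
                  ? (HANDLE)(uintptr_t)0xFFFFFFFCu
                  : (HANDLE)(uintptr_t)0x4u;
    return STATUS_SUCCESS;
}
static NTSTATUS ZwClose(HANDLE Handle)
{
    return Handle ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}
#endif

/* Opens a handle to the process we are executing in (the System process
 * when called from DriverEntry). With OBJ_KERNEL_HANDLE the handle is valid
 * in any process context, e.g. as the ProcessHandle of ZwMapViewOfSection.
 * Request only the rights actually needed; mapping a view needs
 * PROCESS_VM_OPERATION. The caller releases it with CloseProcessKernelHandle. */
NTSTATUS OpenCurrentProcessKernelHandle(ACCESS_MASK DesiredAccess,
                                        HANDLE *ProcessHandle)
{
    if (ProcessHandle == NULL)
        return STATUS_INVALID_PARAMETER;
    *ProcessHandle = NULL;

    /* The current process cannot be torn down while we run inside it, so no
     * separate ObReferenceObject is needed before taking the handle. */
    return ObOpenObjectByPointer(PsGetCurrentProcess(),
                                 OBJ_KERNEL_HANDLE, /* kernel handle table only */
                                 NULL,              /* no access state */
                                 DesiredAccess,
                                 *PsProcessType,
                                 KernelMode,
                                 ProcessHandle);
}

/* Teardown counterpart (e.g. from DriverUnload): do not leak kernel handles. */
NTSTATUS CloseProcessKernelHandle(HANDLE ProcessHandle)
{
    if (ProcessHandle == NULL)
        return STATUS_INVALID_PARAMETER;
    return ZwClose(ProcessHandle);
}
```

Two points worth noting against the snippet in the question: READ_CONTROL alone is not enough for ZwMapViewOfSection, which needs PROCESS_VM_OPERATION on the process handle, and without OBJ_KERNEL_HANDLE a handle opened during DriverEntry would sit in the System process's user handle table, where user-mode code running in that process (or a later handle-table bug) could close it out from under the driver.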
  • I write a continuous backup file filter. If you remember, I talked to you some time ago about wanting to use a bitmap mapped to a file to track file changes. Now I am using the non-public
    MmMapViewInSystemSpace to map the file-backed bitmap in system space, which is available everywhere. All works, despite the fact that I found that
    some APIs are not friendly with MmMapViewInSystemSpace, like ZwFlushVirtualMemory (which checks whether the memory is in the user range and returns an error) and
    ZwAllocateVirtualMemory.

    Found a workaround, all works. Nevertheless I want to make it all clean and use ZwMapViewOfSection with a handle to the System process
    to map memory into the System process user space. The System process is always available, and also it is not restarted like user processes.

    • Edited by The Brans Friday, July 11, 2014 7:39 PM
    Friday, July 11, 2014 7:31 PM
  • Thank you for the advice! But for now all is working, so I don't see the sense in improving something that is working well. I will test performance carefully! Or after the first strange deadlock I will add manual management.
    Friday, July 11, 2014 8:17 PM