process termination notification in drivers

  • Question

  • I need to get notification in a KMDF driver when processes go down. I do not want to use PsSetCreateProcessNotifyRoutine because that gives me notification for every process that is created or destroyed. I would like to know/get notification only when certain process IDs which I am interested in are destroyed/exit/deleted. (I don't care about process creations.)

    One way I thought of doing this would be to share an application-created event with the driver. I will create a worker thread (PsCreateSystemThread) in the driver and make it wait on the user-created event (after doing ObReferencexxxx), and when the application terminates, the wait will abort (tried, but this does not seem to work). Is this a good way to know when the process is terminated/closed, or are there more standard ways of doing this? I have read on some forums that sharing events is not a good idea and that I should use overlapped IOCTLs, but that won't work here obviously.

    I need this because I have to do some per-process clean-up when a process terminates, and my driver will be interested in a big list of processes, so I do not want to search through a list to see if I am interested or not.

    • Moved by Eric Hanson-MSFT (Moderator) Wednesday, September 19, 2012 1:11 AM: moving to proper forum (From: Tailoring your Windows Store app for hardware and devices)
    Tuesday, September 18, 2012 3:02 PM

Answers

  • What you are doing, waiting on the process, will work; of course, if you do that and don't clean up the reference (I don't see this in your steps) you are creating zombie processes that still have resources and slowly mess up the system. Also, a system thread and all the overhead you are doing is many times more costly than using the PsSetXXX model.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    • Marked as answer by R__K Wednesday, September 19, 2012 12:02 PM
    Wednesday, September 19, 2012 1:26 AM
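    As an added example (not code from this thread or from either poster) of the PsSetXXX model recommended above, this is the filtering a PsSetCreateProcessNotifyRoutine callback can do so that only PIDs the driver has registered trigger per-process cleanup, addressing the "search through a list" concern in the question. The HANDLE/BOOLEAN typedefs, the table size and the PID values are assumed stand-ins so the code compiles outside the kernel.

```c
/* Added example, not from this thread: the filtering a PsSetCreateProcessNotifyRoutine
 * callback would do so that only PIDs the driver registered trigger per-process cleanup.
 * HANDLE and BOOLEAN stand in for the <ntddk.h> typedefs so this compiles in user mode;
 * a real driver registers the callback with PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE). */
#include <stddef.h>
#include <stdint.h>
typedef void   *HANDLE;     /* stand-in for the ntddk.h typedef */
typedef uint8_t BOOLEAN;    /* stand-in for the ntddk.h typedef */
#define MAX_TRACKED 1024    /* assumed table size */

/* Sorted PID table: O(log n) per process exit instead of a linear scan. A real driver
 * must guard it with a lock (e.g. an EX push lock), since IOCTL handlers insert PIDs
 * while the notify callback removes them. */
uintptr_t tracked_pids[MAX_TRACKED];
size_t    tracked_count, cleanups_done;   /* cleanups_done: per-process cleanups run */

/* Binary search: index of pid if present (*found = 1), else its insertion point. */
static size_t find_slot(uintptr_t pid, int *found)
{
    size_t lo = 0, hi = tracked_count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tracked_pids[mid] < pid) lo = mid + 1; else hi = mid;
    }
    *found = (lo < tracked_count && tracked_pids[lo] == pid);
    return lo;
}

/* Called from the driver's IOCTL path when an application registers a PID of interest. */
int track_pid(uintptr_t pid)
{
    int found;
    size_t at = find_slot(pid, &found);
    if (found) return 1;                       /* already tracked */
    if (tracked_count == MAX_TRACKED) return 0;
    for (size_t i = tracked_count; i > at; i--) tracked_pids[i] = tracked_pids[i - 1];
    tracked_pids[at] = pid;
    tracked_count++;
    return 1;
}

/* Same shape as PCREATE_PROCESS_NOTIFY_ROUTINE: Create == FALSE means ProcessId is
 * exiting. PIDs not in the table are dismissed after one binary search. */
void ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    int found;
    (void)ParentId; if (Create) return;        /* creations are not of interest */
    size_t at = find_slot((uintptr_t)ProcessId, &found);
    if (!found) return;
    cleanups_done++;                           /* per-process cleanup would go here */
    for (size_t i = at + 1; i < tracked_count; i++) tracked_pids[i - 1] = tracked_pids[i];
    tracked_count--;
}
```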

All replies

  • This is what I did. Can anybody see a problem with this method?

    1) Used ZwOpenProcess with the process ID to get a handle to the process.

    2) Used ObReferenceObjectByHandle with the process handle to get a dispatcher object.

    3) Created a system thread using PsCreateSystemThread and passed in the dispatcher object.

    4) Made the system thread created in the above step wait on the dispatcher object using KeWaitForSingleObject.

    5) Terminated the process programmatically, or caused an exception, and simply closed it using the X GUI button. All of them woke the system thread created.

    6) Clean up the reference to the dispatcher object and terminate the system thread.

    This essentially gives me notification when processes of interest terminate.



    • Edited by R__K Wednesday, September 19, 2012 11:59 AM forgot cleanup.
    Tuesday, September 18, 2012 9:42 PM
  • Thanks for the response, Donald. I do clean up the reference before I terminate the system thread. I will try to get some data on the cost of both methods, but I do agree with you that the cost of this method is probably a lot more than PsSetXXX. Realized this after implementing it.
    Wednesday, September 19, 2012 12:02 PM