Getting the right PID during ALE Listen or Accept callouts

  • Question

  • Hi forum,

    I have a WFP driver filter, which registers several ALE Classify callouts, mainly for detecting inbound and outbound connections: FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, FWPM_LAYER_ALE_AUTH_LISTEN_V4 and so on.

    In these callouts, I am getting the process id by querying the metadata FWPS_METADATA_FIELD_PROCESS_ID, and it works fine most of the time. However, I have noticed (on RECV_ACCEPT and LISTEN callouts) that frequently the pid that I receive is 4 (system process), instead of the process that is carrying out the listen or accept operation. But in this situation, PsGetCurrentProcessId() hands me the right process id.

    I also tried to go "earlier" and see what PID I would get during the RESOURCE_ASSIGNMENT callout, and for these cases the process id is also 4, so there is a match between the resource assignment PID and the listen and accept operations' PID.

    So, is this the expected behavior of WFP? Is there any way of getting the ID of the process that accepts the connection, instead of the system process?

    Update: QA reports say that the problem does not appear in Win8. Is it a bug that is now fixed? Does MS provide any hotfix for it?

    Thanks a lot in advance!

    Monday, October 8, 2012 8:24 AM
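The attribution logic described in the question, as an added example that is not from the post or any Microsoft sample: the metadata PID is trusted unless it reads 4 at the LISTEN or RECV_ACCEPT layer, in which case the poster's observation (PsGetCurrentProcessId() names the owner there) is used as a fallback. The decision helper is portable C; the kernel wrapper assumes the WDK headers and a build macro named WFP_DRIVER_BUILD, which is a name chosen here, not a WDK macro.

```c
/* Added example, not from the post: picks the PID to attribute a WFP ALE
 * classify to, following the question's observation that
 * FWPS_METADATA_FIELD_PROCESS_ID can read 4 (System) at the LISTEN and
 * RECV_ACCEPT layers while PsGetCurrentProcessId() names the real owner.
 * The decision is plain C (unit-testable in user mode); the kernel wrapper
 * compiles only with WFP_DRIVER_BUILD defined (a name chosen here). */
#include <stdbool.h>
#include <stdint.h>

#define SYSTEM_PID 4ULL

typedef enum { PID_FROM_METADATA, PID_FROM_CURRENT, PID_UNKNOWN } pid_source_t;

/* meta_present: FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID)
 * meta_pid: inMetaValues->processId; current_pid: PsGetCurrentProcessId()
 * listen_or_accept: layer is ALE_AUTH_LISTEN_V4 or ALE_AUTH_RECV_ACCEPT_V4 */
static pid_source_t pick_owner_pid(bool meta_present, uint64_t meta_pid,
                                   bool listen_or_accept, uint64_t current_pid,
                                   uint64_t *out_pid)
{
    if (meta_present && meta_pid != SYSTEM_PID) {
        *out_pid = meta_pid;                 /* normal case: trust the metadata */
        return PID_FROM_METADATA;
    }
    /* Metadata absent or says System. At LISTEN/RECV_ACCEPT the classify ran
     * in the owning process' context in the poster's tests, so fall back to
     * it; on other layers do not guess, keep what the metadata said. */
    if (listen_or_accept && current_pid != 0 && current_pid != SYSTEM_PID) {
        *out_pid = current_pid;
        return PID_FROM_CURRENT;
    }
    *out_pid = meta_present ? meta_pid : 0;
    return meta_present ? PID_FROM_METADATA : PID_UNKNOWN;
}
#ifdef WFP_DRIVER_BUILD          /* driver side: needs the WDK headers */
#include <ntddk.h>
#include <fwpsk.h>
static UINT64 AttributeClassifyToPid(const FWPS_INCOMING_VALUES0 *inFixedValues,
                                     const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
                                     pid_source_t *source)
{
    bool listenOrAccept = inFixedValues->layerId == FWPS_LAYER_ALE_AUTH_LISTEN_V4 ||
                          inFixedValues->layerId == FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
    bool present = FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID);
    uint64_t pid;
    *source = pick_owner_pid(present, inMetaValues->processId, listenOrAccept,
                             (UINT64)(ULONG_PTR)PsGetCurrentProcessId(), &pid);
    return pid;
}
#endif
```

Call AttributeClassifyToPid from the classifyFn and log the source alongside the PID, so that records attributed via the fallback stay distinguishable from ones backed by the metadata field.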