Process events Monitoring using WDK 10.X

  • Question

  • Hi Friends,

    I have been using a DDK driver to monitor Windows file systems and Windows process events in my product. Recently I migrated my product to use WDK 10.x to monitor Windows 10 and later versions. After migrating to WDK 10.x I am able to monitor file system events, but not Windows process events.

    The FilterSendMessage() method returns 0 events. This was not the case with the older driver.

    Can you please suggest whether there is a difference in usage of the new WDK driver, or whether monitoring process events is supported in the WDK driver?


    karthick Prathap Singh

    Tuesday, November 12, 2019 8:20 AM

Answers


  • Hi Tim,

    Thanks for your response. We were using the DDK for older versions of Windows. As the DDK doesn't work on Windows 10 and later versions of the OS, we upgraded the code to consume the WDK driver kit. After that upgrade, we found that none of the process-specific events were captured.

    Later we found that it was failing because we did not have the linker flag '/INTEGRITYCHECK' in the project settings. Once we added this setting, it started working fine. We started getting events for process operations as well.


    karthick Prathap Singh

    Monday, November 18, 2019 8:24 AM
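    The fix described in this answer, the '/INTEGRITYCHECK' linker option, sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit in the PE optional header; PsSetCreateProcessNotifyRoutineEx requires that bit and otherwise returns STATUS_ACCESS_DENIED, which is why no process events arrived. The C program below is an added example, not code from the thread or from any poster: it reads that bit from a built image (pass the .sys path as the first argument) or, with no argument, from a constructed sample header, so a missing flag can be caught before the driver is ever loaded.

```c
/* Added example (not from the thread): tell whether a PE image, e.g. a built .sys,
 * has IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, the bit set by /INTEGRITYCHECK. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FORCE_INTEGRITY 0x0080u   /* IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* 1 = bit set, 0 = bit clear, -1 = not a PE image (or headers truncated). */
int pe_has_force_integrity(const unsigned char *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    /* Need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (offset 70 in both PE32 and PE32+). */
    if (pe_off > len - 4 || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const unsigned char *opt = img + pe_off + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;    /* PE32 / PE32+ */
    return (rd16(opt + 70) & FORCE_INTEGRITY) ? 1 : 0;
}

/* Constructed sample: minimal headers-only PE32+ image with the given DllCharacteristics. */
size_t build_test_image(unsigned char *buf, uint16_t dllchars)
{
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x40;       /* MZ, e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    unsigned char *opt = buf + 0x40 + 24;
    opt[0] = 0x0b; opt[1] = 0x02;                       /* magic 0x20b (PE32+) */
    opt[70] = (unsigned char)dllchars; opt[71] = (unsigned char)(dllchars >> 8);
    return 0x100;
}

int main(int argc, char **argv)
{
    unsigned char buf[4096];
    size_t n = build_test_image(buf, 0x8160 | FORCE_INTEGRITY); /* default: constructed sample */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;          /* path given: inspect a real image */
    if (f) { n = fread(buf, 1, sizeof buf, f); fclose(f); }
    else if (argc > 1) { perror(argv[1]); return 2; }
    int r = pe_has_force_integrity(buf, n);
    puts(r == 1 ? "FORCE_INTEGRITY set: linked with /INTEGRITYCHECK"
       : r == 0 ? "FORCE_INTEGRITY missing: PsSetCreateProcessNotifyRoutineEx returns STATUS_ACCESS_DENIED"
                : "not a PE image");
    return r == 1 ? 0 : 1;
}
```

Only the first 4 KiB of the file are read, which is enough for the headers; the exit status is 0 only when the bit is present, so the check can gate a build pipeline.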

All replies

  • The WDK doesn't change how kernel APIs work. FilterSendMessage is part of the operating system, not part of the WDK. The call goes to the same place no matter which WDK you're using.

    Are you saying that FilterSendMessage worked ON Windows 10 when built with an old DDK, but does not work ON Windows 10 when built with the latest WDK? Or are you saying that FilterSendMessage worked for you in older systems, but doesn't work in Windows 10? Those are two completely different issues.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Wednesday, November 13, 2019 8:12 AM

  • Additional reference:

    https://stackoverflow.com/questions/20502929/process-monitoring-createprocessnotifyroutineex


    karthick Prathap Singh

    Monday, November 18, 2019 8:34 AM