CallbackFilter: Getting the process ID of the originating process

#5933
Posted: 04/18/2008 16:58:45
by Alexander Wallisch (Basic support level)
Joined: 04/17/2008
Posts: 2

I am attempting to use CallbackFilter to get a unique identifier to a process that opens a file for read or for write. It looks like CallbackFilter does most of what I need, but there are two issues I have not yet been able to figure out.

1) OnReadFileN and OnWriteFileN don't seem to trigger reliably. In a sample I wrote, I set a read filter and a write filter on a directory, then opened text files in this directory for read or write by a variety of programs. Opening the file never triggered the read notify event, and only triggered the write notify event in a few editors (the event was triggered in notepad and in Visual Studio, but not in notepad++ or SlickEdit). Furthermore, even when the write notify was triggered by notepad, GetOriginatorProcessName gave me back an empty string for the process name. Is there a reliable way to use the filter to always receive notification on read or write?

2) I also attempted to write to the same file from multiple instances of Visual Studio. However, calling GetOriginatorProcessName gave me back the same name string for both instances. It is important to my use of CallbackFilter that I be able to discern between multiple instances of the same process. Is there any way to get the process ID or some other unique identifier for the process?

Thanks in advance for any help.
#5934
Posted: 04/19/2008 03:28:57
by Eugene Mayevski (EldoS Corp.)

1) It looks like those editors read the data via memory mapping. This is a bad approach, but it's widely used. In this case it's a system component (the memory manager) that actually reads the data.
We will work on this issue, however, in order to change this behaviour if possible.

2) Yes, we will extend the functionality of GetOriginatorProcessName.


Sincerely yours
Eugene Mayevski
#5964
Posted: 04/21/2008 15:39:46
by Alexander Wallisch (Basic support level)
Joined: 04/17/2008
Posts: 2

Quote
Eugene Mayevski wrote:
1) It looks like those editors read the data via memory mapping. This is a bad approach, but it's widely used. In this case it's a system component (the memory manager) that actually reads the data.
We will work on this issue, however, in order to change this behaviour if possible.


One solution I could use that would potentially work for my needs is to create a callback for OnCreateFileN. Since all memory mapped I/O must be preceded by a call to CreateFile, this should catch all file access (I only need to know when a file is opened for read or write, not when these reads or writes actually occur). Unfortunately, the OnCreateFileN event doesn't provide any information about the permissions that the file was created or opened with. Is there any way to determine whether a file was opened for read or opened for write?

The other issue this has is that OnCreateFileN generates a ton of false positives. Creating a file in Explorer generates two OnFileCreateN events from the file manager. Writing to it from notepad generates several OnFileCreateN events from different sources as well as an OnFileWriteN event. Occasionally, svchost.exe generates OnFileCreateN events just for the heck of it (perhaps it's some sort of file indexing service?). I wouldn't be surprised if it's just the case that Windows calls CreateFile all over the place whenever it does file I/O, but this makes it difficult for me to accurately determine when a file is opened and which process did the opening.
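One way to answer the read-versus-write question, as an added example that is not part of this thread and not CallbackFilter's own code: classify the DesiredAccess mask of the open request. It assumes the filter exposes that mask to the callback (a kernel minifilter sees it in the IRP_MJ_CREATE parameters; whether OnCreateFileN does is exactly what the post asks), and that memory-mapped readers still open the handle with read access, which is why the open is the event to watch.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits as documented in winnt.h, defined locally so the example
   compiles without windows.h. */
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_ALL           0x10000000u
#define MAXIMUM_ALLOWED       0x02000000u
#define SYNCHRONIZE           0x00100000u
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_ATTRIBUTES  0x00000080u

typedef enum { OPEN_NONE = 0, OPEN_READ = 1, OPEN_WRITE = 2, OPEN_READWRITE = 3 } open_intent;

/* Classify a create/open request by whether it asks for access to the file's
   data. Metadata-only opens (attributes, SYNCHRONIZE) return OPEN_NONE, which
   is how the Explorer/indexer "false positives" described above can be dropped.
   GENERIC_ALL and MAXIMUM_ALLOWED are treated as read+write, because the
   caller may end up holding write rights. */
open_intent classify_desired_access(uint32_t desired_access) {
    int r = (desired_access & (GENERIC_READ | FILE_READ_DATA)) != 0;
    int w = (desired_access & (GENERIC_WRITE | FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    if (desired_access & (GENERIC_ALL | MAXIMUM_ALLOWED)) { r = 1; w = 1; }
    return (open_intent)((r ? OPEN_READ : 0) | (w ? OPEN_WRITE : 0));
}

int main(void) {
    /* Constructed sample masks: a metadata probe, a save from an editor, and a
       read-only open that is later memory-mapped. */
    struct { const char *who; uint32_t mask; } samples[] = {
        { "explorer attribute probe", FILE_READ_ATTRIBUTES | SYNCHRONIZE },
        { "notepad save",             GENERIC_READ | GENERIC_WRITE },
        { "mmap-based editor open",   GENERIC_READ },
    };
    static const char *names[] = { "none", "read", "write", "read+write" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i].who, names[classify_desired_access(samples[i].mask)]);
    return 0;
}
```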
#5965
Posted: 04/21/2008 15:51:26
by Eugene Mayevski (EldoS Corp.)

Quote
Alexander Wallisch wrote:
Creating a file in Explorer generates two OnFileCreateN events from the file manager. Writing to it from notepad generates several OnFileCreateN events from different sources as well as an OnFileWriteN event.


This will be fixed.

Quote
Alexander Wallisch wrote:
Unfortunately, the OnCreateFileN event doesn't provide any information about the permissions that the file was created or opened with. Is there any way to determine whether a file was opened for read or opened for write?


It can be the known problem where Explorer reads the files to obtain thumbnails. We will investigate this as well.


Sincerely yours
Eugene Mayevski
