StartFilter using Timeout

Posted: 07/31/2016 14:37:36
by oliver bollmann (Standard support level)
I'm using StartFilter with timeout 1 minute, therefore: StartFilter(60000),
the filter works and ProcessCreationEvent is called every time an application starts which I added
with AddFilteredProcessByName,
but nothing happened after 1 minute, should the filter not stop after 1 minute?

It seems that Timeout value is ignored!

Use the processManager sample, start the filter with 60000 and change
in ProcessCreationEvent
CreatingProcessId <> GetCurrentProcessId to
CreatingProcessId = GetCurrentProcessId

Use cmd to start notepad.exe and wait 1 minute; after that notepad can NOT be started!

Posted: 07/31/2016 15:13:45
by Eugene Mayevski (Team)

Timeout doesn't mean "deactivate the filter after a certain time".

What it means is that if your user-mode code, which handles the callback / event, gets stuck for more than a certain time, the kernel-mode driver won't wait forever, but will assume that the user-mode code completed its operation.

In other words, this timeout is a mechanism to prevent system locks.
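
Added example, not part of the thread and not the product's code: a small Python model of the two meanings of "timeout" discussed above, showing that a per-event wait limit leaves the filter active until it is explicitly stopped. `FilterModel`, `sample_handler`, the 100 ms value and the choice to let a timed-out operation proceed are all assumptions made for illustration.

```python
import threading

class FilterModel:
    """Toy model of the driver-side wait; not the product's API."""

    def __init__(self, handler, timeout_ms):
        self.handler = handler
        self.timeout_s = timeout_ms / 1000.0
        self.active = True  # changed only by stop(), never by the timeout

    def stop(self):
        self.active = False

    def process_creation(self, name):
        """Dispatch one event; return (outcome, allowed)."""
        if not self.active:
            return ("unfiltered", True)
        result = {}
        worker = threading.Thread(
            target=lambda: result.update(allow=self.handler(name)),
            daemon=True)
        worker.start()
        worker.join(self.timeout_s)  # bounded wait for this one event
        if worker.is_alive():
            # Handler is stuck: stop waiting so the system is not locked.
            # Assumption: the model lets the operation proceed.
            return ("timed_out", True)
        return ("handled", result["allow"])

def sample_handler(name):
    """Constructed handler: hangs on stuck.exe, denies notepad.exe."""
    if name == "stuck.exe":
        threading.Event().wait(2)  # simulates user-mode code that is stuck
    return name != "notepad.exe"

def demo():
    f = FilterModel(sample_handler, timeout_ms=100)
    out = [f.process_creation("notepad.exe")]
    threading.Event().wait(0.3)  # let more than the timeout elapse
    out.append(f.process_creation("notepad.exe"))  # filter still active
    out.append(f.process_creation("stuck.exe"))    # wait is cut short
    f.stop()
    out.append(f.process_creation("notepad.exe"))  # only stop() ends filtering
    return out

if __name__ == "__main__":
    for row in demo():
        print(row)
```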

