Re: How to get Parent Pid from Kernel Driver?

From: "anton bassov"<xxx@xxxxxxx>
Date: Thu, 20 Apr 2006 09:49:50 -0500

Hi mate

First of all, parent/child relationship is rather weak under Windows.
Therefore, as Skywing pointed out, PID may get re-used, so that any info
that you can obtain on the subject is not 100% reliable.

Now let's proceed to the actual task. As you can see, I often recommend
undocumented and "unsupported" things. However, using such structures as
ETHREAD and EPROCESS is not among them - as practice shows, MSFT changes
them a bit too often.

What you did is totally wrong way of doing things - a system upgrade is more
than likely to break your code. You can try to obtain a parent PID via
NtQueryInformationProcess()with infoclass ProcessBasicInformation -
InheritedFrom field of ProcessBasicInformation structure is, in actuality,
parent PID. Although NtQueryInformationProcess()is undocumented function,
such approach is much more stable than accessing EPROCESS.

Regards

Anton Bassov
.

Follow-Ups:
- Re: How to get Parent Pid from Kernel Driver?
  - From: Don Burn
- Re: How to get Parent Pid from Kernel Driver?
  - From: macro

References:
- Re: How to get Parent Pid from Kernel Driver?
  - From: macro

Prev by Date: Re: Re:FreeLibrary and Upcall Table
Next by Date: Re: Calling _exit() in an UnhandledExceptionFilter()-function
Previous by thread: Re: How to get Parent Pid from Kernel Driver?
Next by thread: Re: How to get Parent Pid from Kernel Driver?
Index(es):
- Date
- Thread

Relevant Pages

Re: Killing a process that takes too long
... You may instead use fork and exec; this lets you use the process-ID to ... kill 'INT', $pid; ... and it does not guarantee that the child ... So we need a way to kill several processes of the process group of the parent, ...
(perl.beginners)
Non-random PIDs
... new process ID's, in the way that OpenBSD does. ... I'm the child and my pid is 21116. ... I'm the parent and my pid is 21115. ...
(RedHat)
Re: optimize log parsing
... >> Hey Xho, I tried this: ... >> for the constructor is 0 then, assuming you're in the child process, ... >> called after the successful startup of a child in the parent process. ... >> - pid of the process which has been started ...
(comp.lang.perl.misc)
Re: [PATCH 2.6.11-rc3-mm2] connector: Add a fork connector
... connector in the kernel/fork.c:do_forkroutine. ... information about parent PID and child PID over a netlink interface. ...
(Linux-Kernel)
Re: How to get Parent Pid from Kernel Driver?
... Therefore, as Skywing pointed out, PID may get re-used, so that any info ... You can try to obtain a parent PID via ... NtQueryInformationProcesswith infoclass ProcessBasicInformation - ... Anton Bassov ...
(microsoft.public.win32.programmer.kernel)