Hi,

I am planning to write a kernel module for listening for the
create/modify/deletion of resources like file/registry entry/etc. by a
particular process. So can I use the KMDF dummy driver for this? Please
advise me if there is another, better method than using a dummy driver.

Thanks
Kanagaraj M

Re: How to listen the Process for the resource usage? by Don

Don
Mon Oct 08 05:40:21 PDT 2007

Well, what are you monitoring? Let's break this down:

File Operations - You will need a file system filter driver. This is
probably best done with the "mini-filter" model. Note: KMDF cannot do this.

Registry Operations - You can do this with a simple legacy device driver (or
with KMDF). Since the driver does not do PnP or Power, KMDF does not add a
lot of benefit.

Network Operations - You will need an NDIS Intermediate Driver.

I am not sure what else you are looking at, but basically for each major
type of operation/device you are probably going to need a separate driver.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


"kanagaraj manickam" <kanagarajmanickam@discussions.microsoft.com> wrote in
message news:056EBEDE-DAB4-496F-A25E-5DB5D364B838@microsoft.com...
> Hi,
>
> I am planning to write a kernel module for listening for the
> create/modify/deletion of resources like file/registry entry/etc. by a
> particular process. So can I use the KMDF dummy driver for this? Please
> advise me if there is another, better method than using a dummy driver.
>
> Thanks
> Kanagaraj M



Re: How to listen the Process for the resource usage? by kanagarajmanickam

kanagarajmanickam
Mon Oct 08 20:21:00 PDT 2007

Hi Don Burn,

Thanks

Let me define the requirement in detail.
In Windows there is no way we could get the list of resources like file
sets/registry entries/etc. for a given application, because the installation
of an application varies for each application, e.g. using MSI, a simple ZIP,
InstallAnywhere, etc. So I am planning to write a tool that will help to
achieve it.

So I split the requirement into 2 parts.
1. Monitor the installation of the application and create the resource list.
2. Monitor the application while its running and create the resource list.

To achieve this requirement, I am planning to do as below:
1. From user mode, create the process for installing/running the
particular application.
2. Pass that process ID to the kernel module.
3. The kernel module should be able to create the resource list. I know the only
kernel module that we could write is a driver. Please correct me if I am
wrong. You have suggested that for each kind of resource, I have to write a
different driver with the mini-filter model.

Would you please help me on how to write the mini-filter model for achieving
my requirement?
Also please advise me if it is possible to hook a callback method saying
"whenever THIS process touches ANY resource like file/registry/etc., please call
me".

Thanks
Kanagaraj M




Re: How to listen the Process for the resource usage? by ShivaP

ShivaP
Tue Oct 09 03:48:02 PDT 2007

Hi Kanagaraj,

You may use procmon.exe for all that you mentioned, unless you want to
develop a tool yourself.

Procmon.exe from Sysinternals (now MS)

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx

You need to apply a filter to isolate the activity of your installer /
application.

But for network packet capture you need to have Microsoft Network Monitor or
Ethereal.

Shiv

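The approach Shiv describes (run Process Monitor, then filter the capture down to the installer) can be scripted so that the "launch the process, remember its PID, collect what it touched" plan from the earlier post works without writing a driver. The script below is an added example, not code from this thread or from Sysinternals. It assumes procmon.exe is on PATH, that the shell is elevated (Procmon loads its own kernel driver), that the installer path is the hypothetical `C:\temp\setup.exe`, and that the exported CSV carries Procmon's default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail). Procmon records file and registry operations for every process, so the resource list is built afterwards by filtering on the PID of the launched process and on the PIDs of the processes it creates.

```powershell
<#
  Added example, not code from the thread. Drives Process Monitor from
  PowerShell to record what an installer (and the processes it spawns)
  creates, modifies or deletes, then reduces the trace to a resource list.
  Assumptions (hypothetical): procmon.exe is on PATH, the shell is elevated,
  and $Installer is the program to observe.
#>
param(
    [string]$Installer = 'C:\temp\setup.exe',                 # assumed path
    [string]$WorkDir   = (Join-Path $env:TEMP 'resmon')
)

# Procmon operation names that show a resource being created, changed or removed.
$FileOps = @('CreateFile', 'WriteFile', 'SetDispositionInformationFile',
             'SetRenameInformationFile')
$RegOps  = @('RegCreateKey', 'RegSetValue', 'RegDeleteKey', 'RegDeleteValue')

function Get-ResourceList {
    param([object[]]$Rows, [int]$RootPid)
    # Procmon logs "Process Create" under the parent's PID with the child's
    # PID in the Detail column, so one chronological pass collects the tree.
    $tree = @{ $RootPid = $true }
    $seen = @{}
    foreach ($r in $Rows) {
        $p = [int]$r.PID
        if (-not $tree.ContainsKey($p)) { continue }
        if ($r.Operation -eq 'Process Create' -and $r.Detail -match '^PID:\s*(\d+)') {
            $tree[[int]$Matches[1]] = $true
            continue
        }
        if ($r.Result -ne 'SUCCESS') { continue }
        if ($FileOps -contains $r.Operation) {
            # CreateFile also covers plain opens; keep only actual creations.
            if ($r.Operation -eq 'CreateFile' -and
                $r.Detail -notmatch 'OpenResult: (Created|Overwritten|Superseded)') { continue }
            $kind = 'File'
        } elseif ($RegOps -contains $r.Operation) {
            $kind = 'Registry'
        } else { continue }
        $key = "$kind|$($r.Operation)|$($r.Path)"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = [pscustomobject]@{
                Kind = $kind; Operation = $r.Operation; Path = $r.Path; PID = $p
            }
        }
    }
    return $seen.Values | Sort-Object Kind, Path
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$pml = Join-Path $WorkDir 'trace.pml'
$csv = Join-Path $WorkDir 'trace.csv'

# 1. Start Procmon writing to a backing file; /Quiet skips the filter dialog.
Start-Process procmon.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized',
    '/BackingFile', "`"$pml`""
Start-Sleep -Seconds 5        # let the driver load before the target starts

# 2. Run the installer from user mode and remember its PID.
$proc = Start-Process -FilePath $Installer -PassThru
$rootPid = $proc.Id
$proc.WaitForExit()

# 3. Stop the capture and export the trace to CSV for parsing.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Sleep -Seconds 2        # give the capturing instance time to flush the PML
Start-Process procmon.exe -ArgumentList '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`"" -Wait

# 4. Reduce the trace to the per-process resource list.
$rows = Import-Csv -Path $csv
$list = Get-ResourceList -Rows $rows -RootPid $rootPid
$list | Export-Csv -Path (Join-Path $WorkDir 'resources.csv') -NoTypeInformation
$list | Format-Table -AutoSize
```

Two caveats a practitioner would want. The process-tree walk only follows direct descendants; an MSI package hands the real work to the Windows Installer service, whose msiexec.exe is not a child of the setup program, so for MSI-based installs add a filter on that process name as well. And the list records only successful operations, which is what you want for "what did it leave behind", but failed accesses (denied paths, missing keys) are often the more interesting data when the goal is least-privilege analysis rather than inventory.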

Re: How to listen the Process for the resource usage? by kanagarajmanickam

kanagarajmanickam
Tue Oct 09 20:27:00 PDT 2007

Thanks Shiv. Process Monitor doesn't solve my purpose, as it gives only
the DLLs and other executable modules and doesn't give all the resources, like
config files, which belong to that process. So I am trying to write a tool
to fulfill my requirements.
