Have a user space helper app you use to get that data. Trying to do it in
the kernel is just not worth it.
--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website:
http://www.windrvr.com
Blog:
http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"GAK" <> wrote in message
news:...
> The task manager shows different processes as belonging to the system or
> to a user. I guess (correct me if I'm wrong) that the user mode processes
> that belong to the System are services. What I'd like to know is how do I
> identify the owner of a process.
>
> For example in the kernel during IRP_MJ_CREATE, I can do
> PsGetCurrentProcess() or PsGetCurrentProcessId(). But now how do I go
> from the Object or the handle to the information I need?
>
> Thanks
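
A minimal sketch of the user-space helper suggested in the reply, as an added example that is not code from this thread: it opens a process by PID, reads the `TokenUser` SID from its token, and labels the three built-in service accounts. The names `owner_class` and `owner_sid_of_pid` are hypothetical, `PROCESS_QUERY_LIMITED_INFORMATION` assumes Windows Vista or later, and how the driver hands the PID to the helper is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Map a string SID to the built-in service accounts; all else is "other". */
const char *owner_class(const char *sid)
{
    if (strcmp(sid, "S-1-5-18") == 0) return "LocalSystem";
    if (strcmp(sid, "S-1-5-19") == 0) return "LocalService";
    if (strcmp(sid, "S-1-5-20") == 0) return "NetworkService";
    return "other";
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* ConvertSidToStringSidA; link with advapi32 */
/* Copies the token user's string SID for pid into out. Returns 0 or a Win32 error. */
unsigned long owner_sid_of_pid(unsigned long pid, char *out, size_t outlen)
{
    union { TOKEN_USER tu; BYTE raw[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE]; } buf;
    HANDLE tok = NULL, proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    DWORD len = 0, err = 0;
    LPSTR str = NULL;
    if (!proc || !OpenProcessToken(proc, TOKEN_QUERY, &tok) ||
        !GetTokenInformation(tok, TokenUser, &buf, sizeof buf, &len) ||
        !ConvertSidToStringSidA(buf.tu.User.Sid, &str))
        err = GetLastError();
    else if (strlen(str) >= outlen)
        err = ERROR_INSUFFICIENT_BUFFER;
    else
        strcpy(out, str);
    if (str) LocalFree(str);
    if (tok) CloseHandle(tok);
    if (proc) CloseHandle(proc);
    return err;
}
#endif

int main(int argc, char **argv)
{
    unsigned long pid = argc > 1 ? strtoul(argv[1], NULL, 10) : 0;
    char sid[192] = "S-1-5-18";   /* constructed sample, used on non-Windows builds */
#ifdef _WIN32
    if (!pid) pid = GetCurrentProcessId();
    unsigned long err = owner_sid_of_pid(pid, sid, sizeof sid);
    if (err) { fprintf(stderr, "pid %lu: Win32 error %lu\n", pid, err); return 1; }
#endif
    printf("pid %lu: %s -> %s\n", pid, sid, owner_class(sid));
    return 0;
}
```

Opening processes that belong to other accounts generally fails with access denied unless the helper runs elevated or as a service.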