Driver Introspection with DriverMon

Saturday, November 18, 2017

In the past few weeks I've been working in my non-existent spare time on DriverMon - a driver monitoring tool for Windows. The tool is far from complete, but it's already quite useful. In this post I'll describe how to use it and some of the challenges of building such a tool. Initially I wanted to be able to track every I/O Request Packet (IRP) targeted to monitored devices. The term "devices" here is important, as the Windows I/O system is device-centric rather than driver-centric. That is, requests are delivered to devices, not drivers. A device can be thought of...

Enumerating Job Objects

Saturday, June 17, 2017

Job objects have been around since Windows 2000, providing a convenient way to set limits and otherwise manage a set of processes. Up until Windows 8 job objects were used sparingly, because a process could only be associated with a single job at most. That would mean an application wanting to set some limits on a process it does not create explicitly had no way of knowing whether that process was already part of a job. If it were, assigning it to another job would simply fail. Starting with Windows 8, jobs can be nested, effectively creating a job hierarchy...

Getting rid of the Start button – Adding a Hook

Monday, September 16, 2013

In the previous post we saw how to find and remove the start button and move the task bar window to the left to occupy the free space left by the former start button. However, we saw that by opening the system tray, the task bar moves back to its original position. We need to know when that happens, and then use the same trick to move it back to the “right” position. To do that we would need to register somehow for the WM_MOVE message. This is one option, and we can verify this using Spy++’s Message window for task...

Getting rid of the Start button in Windows 8.1

Sunday, September 15, 2013

Windows 8.1 brings back the famous Start button, but alas – it’s not the good Start button from Windows 7. It’s just yet another way to get to the new Home screen. This makes the Start button (at least for me) completely useless, as there are already several ways to get to the Home screen (Windows key on the keyboard, mouse moved to the bottom left corner, touch devices can press the hardware Start button, the Charms bar has a Start button…). There are utilities that can simulate the old Windows 7 Start button, if I don’t have such a...

Interpreting a Handle’s Access Mask

Monday, August 19, 2013

When opening a handle to a kernel object with some Open* Windows API function (e.g. OpenProcess, OpenThread, OpenEvent, …) an access mask must be specified, indicating the type of access requested from the resulting handle. Requesting too much access may cause the call to fail, so a best practice is to request only the access flags that are needed to get the job done. For example, suppose we want to know when a running process terminates. This requires obtaining a handle to the process in question and calling WaitForSingleObject on that handle. For this, only the SYNCHRONIZE access is required: HANDLE...

My first PluralSight course has been published!

Thursday, August 8, 2013

In the last few months, I’ve been working on a course for PluralSight. Creating a video course is not easy, as I found out first hand. In fact, it’s more difficult than writing a book. With a book, I can change a sentence or a paragraph, at any time and any place. A video course is different… changes are hard, and recording sessions cannot be done just anywhere. But I’ve learned a lot from the experience, which should make next courses a bit easier… My first course is about a favorite subject of mine, Windows Internals. This deals with the...

Kernel debugging with a Hyper-V virtual machine

Tuesday, June 25, 2013

One of the best ways of investigating the way Windows works is through a kernel debugger. Windows supports a local kernel debugging mode that can be activated in one of two ways: 1. Set up Windows to run in local debugging mode by running bcdedit /debug on from an elevated command prompt and then restart. Finally, run WinDbg and select File / Kernel Debug… from the menu, then select the Local tab and click OK. The main downside here is the need for a restart, and more subtly – some apps behave strangely when the debug flag is on. 2. Use the LiveKD tool...

Reminder: WPDUG September Meeting

Sunday, September 4, 2011

This Wednesday (the 7th) a Windows Platform Developer User Group meeting will be held in Microsoft’s offices in Ra’anana (Israel). Our first session will be about adding realtime and deterministic capabilities to Windows, its impact on the system, and the ways to program such a system (all based on add-ons by a company called TenAsys). The second session will demonstrate useful (and undocumented) debugging tips and tricks in Visual Studio (primarily for native developers). Should be interesting for all you Visual C++ developers, and others interested in low level coding. Use this link to...

GetShellWindow vs. GetDesktopWindow

Saturday, June 18, 2011

In his post about running a process as a standard user from an elevated process, Aaron Margosis uses a technique that gets the access token of the shell process (typically explorer.exe) and uses that token to launch the new process (Sasha Goldshtein also blogged about that). The first thing his code does is try to locate the shell process id. One way is to look for “explorer.exe” in the list of processes, but that’s a bit limiting, as there may be a different shell, or it may have been renamed for whatever reason. His code calls GetShellWindow to...