I am developing a registry filtering driver which monitors and blocks some operations on some registry keys. Everything is working fine, but I would also like to get the ID of the process that triggered the callback, I mean the process that tried to perform the registry operation. Is there a way I can do that?
From the callback I have the NotifyClass, which gave me the pointer to the object key. By using ObOpenObjectByPointer, I also could get the HANDLE to the key being operated on.
I tried to use ObReferenceObjectByHandle and get a PEPROCESS which I can use in PsGetProcessId, but I guess it is not right because it did not give the pid.
I also did a lot of research but could not find many helpful answers.
From the documentation:
A RegistryCallback executes at IRQL = PASSIVE_LEVEL and in the context of the thread that is performing the registry operation.
Thus you can use PsGetCurrentProcessId() to obtain the process ID.
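The following is an added example and not code from the question or the answer above. It shows the point the answer makes in a callback body: because a RegistryCallback runs on the thread that issued the registry operation, PsGetCurrentProcessId() identifies the requesting process directly, with no handle or object lookup. The policy (a single allowed PID may modify the filtered keys, set through a hypothetical SetAllowedPid helper) is a stand-in for the asker's own rules, and the REGCB_KERNEL_BUILD macro is an assumption of this example: define it when building with the WDK, and leave it undefined to compile the file on an ordinary host, where a small shim replaces the few kernel symbols used so the decision logic can be exercised.

```c
/*
 * Added example (not the asker's driver code).  Build with
 * -DREGCB_KERNEL_BUILD under the WDK for the real driver; without that
 * macro a user-mode shim below stands in for the kernel symbols used.
 */
#ifdef REGCB_KERNEL_BUILD
#include <ntddk.h>
#else
#include <stdint.h>
#include <stdio.h>
typedef long NTSTATUS;
typedef unsigned long ULONG;
typedef uintptr_t ULONG_PTR;
typedef void *PVOID, *HANDLE;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)
#define HandleToULong(h)      ((ULONG)(ULONG_PTR)(h))
#define DbgPrint              printf
/* Shim's own numbering; the real enum comes from ntddk.h. */
typedef enum _REG_NOTIFY_CLASS {
    RegNtPreDeleteKey,
    RegNtPreSetValueKey,
    RegNtPreDeleteValueKey,
    RegNtPreQueryValueKey
} REG_NOTIFY_CLASS;
/* The shim lets a host-side test choose which PID "the current thread" belongs to. */
static HANDLE g_ShimCurrentPid;
static HANDLE PsGetCurrentProcessId(void) { return g_ShimCurrentPid; }
void ShimSetCurrentPid(ULONG pid) { g_ShimCurrentPid = (HANDLE)(ULONG_PTR)pid; }
#endif

/* Hypothetical policy state: the one process permitted to modify the
 * filtered keys.  A real driver would set it from an IOCTL or configuration. */
static HANDLE g_AllowedPid;

void SetAllowedPid(ULONG pid)
{
    g_AllowedPid = (HANDLE)(ULONG_PTR)pid;
}

/* Only pre-notifications of mutating operations are policed; reads and
 * post-notifications pass through untouched. */
static int IsMutatingPreOperation(REG_NOTIFY_CLASS cls)
{
    switch (cls) {
    case RegNtPreDeleteKey:
    case RegNtPreSetValueKey:
    case RegNtPreDeleteValueKey:
        return 1;
    default:
        return 0;
    }
}

/*
 * The routine registered with CmRegisterCallbackEx (registration is the
 * asker's existing code and is not repeated here).  Argument1 carries the
 * REG_NOTIFY_CLASS; Argument2 points at the class-specific structure, which
 * this example does not need because the PID comes from the thread context.
 */
NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
    HANDLE pid = PsGetCurrentProcessId();   /* process that issued the operation */

    (void)CallbackContext;
    (void)Argument2;

    if (IsMutatingPreOperation(cls) && pid != g_AllowedPid) {
        DbgPrint("regfilter: denied notify class %d from pid %lu\n",
                 (int)cls, HandleToULong(pid));
        /* A non-success status returned from a pre-notification fails the operation. */
        return STATUS_ACCESS_DENIED;
    }
    return STATUS_SUCCESS;
}
```

Two caveats worth keeping in mind. First, the handle obtained from the key object in the question is a handle to the key, so ObReferenceObjectByHandle on it yields a key object, not an EPROCESS, which is why PsGetProcessId gave nothing useful; PsGetCurrentProcess() is the matching call if you need the PEPROCESS rather than only the ID. Second, registry operations issued by kernel-mode code (another driver calling ZwSetValueKey from a system thread, for instance) arrive on a thread of the System process, so the PID you log in those cases is the System process ID rather than that of any user-mode application.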