How can we, or Windows, identify or differentiate kernel processes from user/application processes? Based on metadata of the process, flags in the process table, or something else?
Viewed 679 times
1 Answer
3
All drivers run in a single kernel process along with the rest of the kernel.
Process id 0 is the "idle process" and process id 4 (on XP and later) is the kernel "process". If you are in kernel mode you can probably detect the various types by looking at the KPROCESS (not stable across versions). You cannot OpenProcess the kernel process in user-mode because it is not a normal process.
If you want to detect a Pico/Drawbridge process I have seen claims that SYSTEM_PROCESS_INFORMATION::HandleCount is 0 in them.
I would recommend the Windows Internals books for more information about the Windows kernel design.

Anders
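The answer above describes three things that are checkable from user mode: PID 0 is the Idle process, PID 4 is the System (kernel) process, and a Pico process is claimed to show a handle count of 0 in the system process snapshot. The PowerShell script below is an added example, not code from the original answer or from Anders: it walks the process list with Get-Process (which reads the same snapshot NtQuerySystemInformation(SystemProcessInformation) returns, so no per-process handle is needed), classifies each entry by those rules, and then calls OpenProcess on PID 4 through P/Invoke and reports the result rather than assuming it. The Get-ProcessKind function name, the Win32.Native type name and the choice of PROCESS_QUERY_LIMITED_INFORMATION (0x1000) as the requested access are assumptions made for this example; whether OpenProcess on PID 4 succeeds depends on the access mask requested and on the caller's privileges, so treat the reported error code as the observation, not the rule.

```powershell
# Added example (not from the original answer). Classifies processes using
# the user-mode-visible facts discussed in the answer and probes OpenProcess
# on the kernel "process" (PID 4) to see how it is treated.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Assumed access mask for the probe; PROCESS_QUERY_LIMITED_INFORMATION is the
# least-privileged open that still proves the object can be opened at all.
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed helper name. Order matters: PID 0 and PID 4 are checked before the
# HandleCount rule, because the Idle process itself reports 0 handles.
function Get-ProcessKind {
    param([int]$Id, [int]$HandleCount)
    if ($Id -eq 0) { return 'Idle process' }
    if ($Id -eq 4) { return 'System (kernel) process' }
    if ($HandleCount -eq 0) { return 'Possible Pico process (HandleCount 0, per the claim in the answer)' }
    return 'Ordinary user-mode process'
}

# Get-Process reads the process snapshot, so Id/ProcessName/HandleCount are
# available even for processes the caller cannot open.
$table = Get-Process | ForEach-Object {
    [pscustomobject]@{
        Id      = $_.Id
        Name    = $_.ProcessName
        Handles = $_.HandleCount
        Kind    = Get-ProcessKind -Id $_.Id -HandleCount $_.HandleCount
    }
} | Sort-Object Id
$table | Format-Table -AutoSize

# Probe: can user mode open the kernel "process"? Report, do not assume.
$h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, 4)
if ($h -eq [IntPtr]::Zero) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Output "OpenProcess(PID 4, 0x$('{0:X}' -f $PROCESS_QUERY_LIMITED_INFORMATION)) failed, Win32 error $err"
} else {
    Write-Output 'OpenProcess(PID 4) succeeded with the limited access mask; try a broader mask (e.g. PROCESS_VM_READ) to see where it is refused'
    [void][Win32.Native]::CloseHandle($h)
}
```

Run it from an ordinary PowerShell session first and then from an elevated one, and compare the error codes: the HandleCount rule is only a heuristic the answer reports second-hand, so if you need it for detection, confirm it against a known Pico process (for example a WSL1 distribution's processes) on the exact Windows build you target before relying on it.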