System and method for capturing kernel-resident information

US 7,302,613 B2
Filed: 11/12/2003
Issued: 11/27/2007
Est. Priority Date: 11/12/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer system having an operating environment including user mode modules having a first level of protection and kernel mode modules having a second level of protection, a method for consistently collecting information associated with the execution of a user mode module, the method comprising:

transmitting, by a requestor application, a request to collect kernel mode module information, wherein the request to collect kernel mode module information includes an identification of one or more executing process threads from which kernel mode information will be collected;

obtaining, by a kernel mode module, corresponding to a driver application external to the operating system, the request to collect kernel mode module information;

capturing, by the kernel mode module, information corresponding to each thread identified in the request to collect kernel mode module information;

transmitting, by the kernel mode module, a result of the capturing of the information corresponding to each thread identified in the request to collect kernel mode module information; and

receiving, by the requestor application, the result of the capturing of the information corresponding to each thread identified in the request to collect kernel mode module information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and interface for consistently capturing kernel resident information are provided. An operating system architecture includes user mode modules and kernel mode applications. A user mode module initiates a kernel mode information request through an application program interface identifying one or more process threads of interest. A kernel mode module captures information corresponding to standard kernel mode information and corresponding to the specifically identified process threads. The information is returned in a pre-allocated buffer.

30 Citations

View as Search Results

27 Claims

1. In a computer system having an operating environment including user mode modules having a first level of protection and kernel mode modules having a second level of protection, a method for consistently collecting information associated with the execution of a user mode module, the method comprising:
- transmitting, by a requestor application, a request to collect kernel mode module information, wherein the request to collect kernel mode module information includes an identification of one or more executing process threads from which kernel mode information will be collected;
  
  obtaining, by a kernel mode module, corresponding to a driver application external to the operating system, the request to collect kernel mode module information;
  
  capturing, by the kernel mode module, information corresponding to each thread identified in the request to collect kernel mode module information;
  
  transmitting, by the kernel mode module, a result of the capturing of the information corresponding to each thread identified in the request to collect kernel mode module information; and
  
  receiving, by the requestor application, the result of the capturing of the information corresponding to each thread identified in the request to collect kernel mode module information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, wherein the request to capture kernel mode module information includes an identification of a pre-allocated memory in which to store captured kernel mode information.
  - 3. The method as recited in claim 1, wherein the kernel mode module is an operating system resident application.
  - 4. The method as recited in claim 1 further comprising capturing, by the kernel mode module, a list of all loaded drivers.
  - 5. The method as recited in claim 1, wherein capturing information corresponding to each thread identified in the request to collect kernel mode module information includes:
    - (a) capturing a thread kernel stack; and
      
      (b) capturing all pending I/O request packet information; and
      
      (c) repeating (a)-(b) for each identified thread in the request to capture kernel mode module information.
  - 6. The method as recited in claim 5, wherein capturing all pending I/O request packet information includes:
    - (a) capturing an identification of all pending I/O request packets;
      
      (b) capturing current stack location for the identified I/O requests;
      
      (c) capturing device object information;
      
      (d) capturing file object information;
      
      (e) capturing driver object information; and
      
      (f) repeating (a)-(e) for each I/O request packet corresponding to a current thread.
  - 7. The method as recited in claim 5, wherein capturing information corresponding to each thread identified in the request to collect kernel mode module information is asynchronous.
  - 8. The method as recited in claim 1, wherein transmitting a result includes transmitting a status code corresponding to the success or failure of the information capture.
  - 9. The method as recited in claim 1, wherein transmitting a result includes storing the captured kernel mode module information in an allocated memory.
  - 10. The method as recited in claim 1, wherein transmitting a request to collect kernel mode module information occurs in response to a user mode module error.
  - 11. The method as recited in claim 1, wherein transmitting the captured kernel mode module information includes transmitting a status code corresponding to the success or failure of the information capture.
  - 12. A computer-readable medium having computer-executable instructions for performing the method recited in claim 1.
  - 13. A computer system having a processor, a memory and an operating environment, the computer system for performing the method recited in claim 1.

14. In a computer system having an operating environment including user mode modules having a first level of protection and kernel mode modules having a second level of protection, a method for consistently collecting information associated with the execution of a user mode module, the method comprising:
- obtaining a user mode module request to collect kernel mode module information including an identification of one or more executing process threads from which kernel mode information will be collected;
  
  wherein obtaining a user mode module request includes obtaining, by a driver application external to the operating system, the user mode module request;
  
  capturing information corresponding to each thread identified in the request to collect kernel mode module information; and
  
  transmitting the captured kernel mode module information.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method as recited in claim 14, wherein the request to capture kernel mode module information includes an identification of a pre-allocated memory in which to store captured kernel mode information.
  - 16. The method as recited in claim 14, wherein obtaining a user mode module request includes obtaining, by an operating system resident application, the user mode module request.
  - 17. The method as recited in claim 14 further comprising capturing a list of all loaded drivers.
  - 18. The method as recited in claim 14, wherein capturing information corresponding to each thread identified in the request to collect kernel mode module information includes:
    - (a) capturing a thread kernel stack; and
      
      (b) capturing all pending I/O request packet information; and
      
      (c) repeating (a)-(b) for each identified thread in the request to capture kernel mode module information.
  - 19. The method as recited in claim 18, wherein capturing all pending I/O request packet information includes:
    - (a) capturing an identification of all pending I/O request packets;
      
      (b) capturing current stack location for the identified I/O request;
      
      (c) capturing device object information;
      
      (d) capturing file object information;
      
      (e) capturing driver object information; and
      
      (f) repeating (a)-(e) for each I/O request packet corresponding to a current thread.
  - 20. The method as recited in claim 18, wherein capturing information corresponding to each thread identified in the request to collect kernel mode module information is asynchronous.
  - 21. A computer-readable medium having computer-executable instructions for performing the method recited in claim 14.
  - 22. A computer system having a processor, a memory and an operating environment, the computer system for performing the method recited in claim 14.

23. A computer system having a processor, a memory, and an operating environment, the operating environment including user mode modules having a first level of protection and kernel mode applications having a second level of protection, the system comprising:
- a driver application comprising a processing component for capturing kernel mode module information corresponding to one or more executing processing threads identified in a request to collect kernel mode module information; and
  
  at least one application program interface for accessing the processing component and identifying the one or more executing processing threads from which to collect kernel mode module information; and
  
  wherein the kernel mode module information includes a thread kernel stack and all pending I/O request packet information for each identified process thread; and
  
  wherein all pending I/O request packet information includes an identification of the pending I/O request packet, a current stack location, device object information, file object information and driver object information for each identified I/O request packet corresponding to an identified process thread.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system as recited in claim 23, wherein the at least one application program interface is further operable to identify a pre-allocated memory to received captured kernel mode module information.
  - 25. The system as recited in claim 23, wherein the processing component is embodied as an operating system resident application.
  - 26. The system as recited in claim 23, wherein the kernel mode module information includes a list of all loaded drivers.
  - 27. The system as recited in claim 23, wherein the process component captures the kernel mode module information asynchronously.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Clift, Neill M., Meng, Yi, Ganapathy, Narayanan, Service, John D., Bliss, Andrew L.
Primary Examiner(s)
MCCARTHY, CHRISTOPHER S

Application Number

US10/712,619
Publication Number

US 20050102578A1
Time in Patent Office

1,476 Days
Field of Search

714/38
US Class Current

714/38.11
CPC Class Codes

G06F 11/3476 Data logging G06F11/14, G06...

System and method for capturing kernel-resident information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for capturing kernel-resident information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links