CallbackFilter.GetOriginatorProcessName method


Pascal    C++ (Lib)    C++ (VCL)    C++ (.NET)    C#    VB.NET   

CallbackFilter     See also    


Returns the name of the process that initiated the operation


    function GetOriginatorProcessName(var ProcessName : TCBString) : boolean;
    type TCBString = {$ifdef UNICODE}UnicodeString{$else}WideString{$endif};

[C++ (Lib)]
    bool GetOriginatorProcessName(LPWSTR ProcessName, LPDWORD ProcessNameLength);

[C++ (VCL)]
    bool __fastcall GetOriginatorProcessName(WideString &ProcessName);

[C++ (.NET)]
    bool GetOriginatorProcessName(String^% ProcessName);

    bool GetOriginatorProcessName(ref string ProcessName);

    Function GetOriginatorProcessName(ByRef ProcessName As String) As Boolean


  • ProcessName - on return this parameter contains the name of the process.
  • [C++ (Lib)]ProcessNameLength - the length of the buffer to store the name of the process.

Return values

TRUE / true if the function succeeded or FALSE / false if the function failed.


Use GetOriginatorProcessName to get the name of the process that originated the operation.

Call this method only from the callback / event handlers.

Do not call this method from handlers for OnReadFile*, OnWriteFile* and other callbacks that work with opened files, as that callbacks can be initiated by the system components (cache manager, memory manager etc.). Instead do the following:

  1. Call GetOriginatorProcessName from OnCreateFile or OnOpenFile event handlers / callbacks;
  2. Store obtained information somewhere and store the reference to this information in the UserContext;
  3. When you need to check the originator information in some file-related callback, access the stored information via UserContext

Network access
If you monitor shared disk, you might want to get the name of the remote process which accesses the disk. Unfortunately Windows doesn't provide such information due to the nature of the remote access.

See also

GetOriginatorProcessId     GetOriginatorToken