Reply To: retrieving full process image path name in kernel mode


#5881

dkg0414
Participant

Hi Serpent,

What if I have to get the full ImagePathName of other processes in the system?
On XP and 2003 I'm able to get the full ImagePathName from the SeAuditInformationInfo structure of the EPROCESS block.
But on 2000 there is no structure like that…
Yes, there is a last field in the EPROCESS block which points to a UNICODE_STRING which gives me the FullPathName, but still I am not able to get the drive letters from there.
I had one more query: what does the DEVICEMAP field in the EPROCESS structure signify?
Does this structure contain any information about drive mapping and all?
Please reply ASAP, as I'm reaching the deadline for my college project.

Kind Regards
Deepak Gutpa