SpecialRequests

Special Requests

Most request types used by IRPMon exactly matches various of driver-to-driver, in-driver or application-driver communication. However, several request types are used internally by IRPMon and are not generated on behalf of any direct event. Current version supports four such types:

• Driverdetected. This event signals that the IRPMon driver probably got its hands to a driver that was probably just loaded into the kernel. Such drivers are usually detected during processing of AddDevice requests. The IRPMon application uses this event to map new driver objects to their names.
• DeviceDetected is generated when the IRPMon driver finds a device previously unknown to it and which belongs to a driver being monitored. The IRPMon application uses this event to create mapping between the detected device object and its name.
• ProcessCreated reports that a new process has just been launches. The driver informs about its PID, parent PID, image file name and command line. The event is generated only on Windows Vista and newer systems.
• ProcessExitted informs about process termination. It is generated only on Windows Vista and newer Windows versions.

All of these events may also been created artificially by the IRPMon application. This usually takes place when request monitoring starts. When put in the beginning of a binary log file, these events preserve address-to-name mappings even when the log is opened on different system or after a reboot.