A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #11017  by xqrzd
 Fri Jan 13, 2012 11:35 pm
Is there a way to check if a process is csrss.exe in a driver without checking the entire path? Some tools like Kernel Detective display this, I was wondering if it is just based on file path or if there is a faster way.
 #11022  by EP_X0FF
 Sat Jan 14, 2012 3:47 am
Set a process notify routine and on reboot catch csrss start. Then you can also catch any other csrss that can be spawned (Vista+). If you take a look at Kaspersky open-source AV you will find they didn't manage to do anything smart except ZwQuerySystemInformation, RtlCompareUnicodeString "csrss.exe" or looking for the Api port. No simple way to achieve what you are asking.
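The notify-routine approach described in the reply above, as an added example that is not from this thread or from any of the tools it names. It is host-side C with stand-in types (assumptions: `HANDLE`, a `CREATE_INFO` struct carrying a `wchar_t *ImageFileName` in place of the kernel's `PUNICODE_STRING`, and a fixed-size PID table); in a real driver `csrss_notify` would be registered with `PsSetCreateProcessNotifyRoutineEx` and the table guarded by a lock. It matches only the file-name component, as the post suggests, and keeps one entry per csrss instance so the per-session copies on Vista+ are all tracked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Stand-ins for kernel types (assumption: not the ntddk.h definitions). */
typedef void *HANDLE;
typedef struct {
    const wchar_t *ImageFileName;  /* NT path, e.g. L"\\??\\C:\\Windows\\System32\\csrss.exe" */
    HANDLE ParentProcessId;
} CREATE_INFO;

#define MAX_CSRSS 16
static HANDLE g_csrss_pids[MAX_CSRSS];  /* one slot per live csrss (one per session on Vista+) */
static size_t g_csrss_count;

/* File-name component of a path: everything after the last backslash. */
static const wchar_t *basename_w(const wchar_t *path)
{
    const wchar_t *p = wcsrchr(path, L'\\');
    return p ? p + 1 : path;
}

/* Case-insensitive compare of the file name only, the user-mode equivalent of
 * RtlCompareUnicodeString(&name, &L"csrss.exe", TRUE) on the image name. */
int is_csrss_image(const wchar_t *image_path)
{
    static const wchar_t target[] = L"csrss.exe";
    const wchar_t *name;
    size_t i;

    if (image_path == NULL)
        return 0;
    name = basename_w(image_path);
    for (i = 0; target[i] != L'\0'; i++) {
        if (name[i] == L'\0' || (wchar_t)towlower((wint_t)name[i]) != target[i])
            return 0;
    }
    return name[i] == L'\0';  /* reject "csrss.exe.bak" and similar */
}

/* Shaped like PCREATE_PROCESS_NOTIFY_ROUTINE_EX: create_info is non-NULL on
 * process creation and NULL on exit. Creation events whose image is csrss.exe
 * are recorded; exits drop the PID again. A driver would take a spin lock or
 * push lock around the table here. */
void csrss_notify(void *process, HANDLE pid, const CREATE_INFO *create_info)
{
    size_t i;
    (void)process;

    if (create_info != NULL) {
        if (is_csrss_image(create_info->ImageFileName) && g_csrss_count < MAX_CSRSS)
            g_csrss_pids[g_csrss_count++] = pid;
        return;
    }
    for (i = 0; i < g_csrss_count; i++) {
        if (g_csrss_pids[i] == pid) {
            g_csrss_pids[i] = g_csrss_pids[--g_csrss_count];
            return;
        }
    }
}

/* The fast check the question asks for: a PID lookup instead of a path compare. */
int is_csrss_pid(HANDLE pid)
{
    size_t i;
    for (i = 0; i < g_csrss_count; i++)
        if (g_csrss_pids[i] == pid)
            return 1;
    return 0;
}

size_t csrss_count(void) { return g_csrss_count; }
void csrss_reset(void) { g_csrss_count = 0; }

int main(void)
{
    /* Constructed events standing in for what the kernel would deliver. */
    CREATE_INFO s0 = { L"\\??\\C:\\Windows\\System32\\csrss.exe", (HANDLE)(uintptr_t)300 };
    CREATE_INFO s1 = { L"\\??\\C:\\Windows\\System32\\CSRSS.EXE", (HANDLE)(uintptr_t)300 };
    CREATE_INFO np = { L"\\??\\C:\\Windows\\System32\\notepad.exe", (HANDLE)(uintptr_t)1000 };

    csrss_notify(NULL, (HANDLE)(uintptr_t)500, &s0);
    csrss_notify(NULL, (HANDLE)(uintptr_t)600, &s1);
    csrss_notify(NULL, (HANDLE)(uintptr_t)700, &np);
    printf("csrss instances tracked: %zu, pid 700 is csrss: %d\n",
           csrss_count(), is_csrss_pid((HANDLE)(uintptr_t)700));
    csrss_notify(NULL, (HANDLE)(uintptr_t)500, NULL);
    printf("after session 0 exit: %zu\n", csrss_count());
    return 0;
}
```

The caveat a driver author should keep in mind: matching the image name alone accepts any process that happens to be called csrss.exe, so a copy launched from a user directory would land in the table too. If that matters, add a check on the directory prefix or on the parent (csrss is started by smss.exe) at creation time, which is still cheaper than re-walking the path on every later lookup.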