Prosecution Insights
Last updated: April 18, 2026
Application No. 18/081,144

TECHNIQUES FOR TRACKING PROCESS ACTIVITY

Final Rejection §103
Filed
Dec 14, 2022
Examiner
EWALD, JOHN ROBERT DAKITA
Art Unit
2199
Tech Center
2100 — Computer Architecture & Software
Assignee
Crowdstrike Inc.
OA Round
2 (Final)
76%
Grant Probability
Favorable
3-4
OA Rounds
3y 5m
To Grant
99%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allow Rate
16 granted / 21 resolved
+21.2% vs TC avg
Strong +56% interview lift
Without
With
+55.6%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
24 currently pending
Career history
45
Total Applications
across all art units

Statute-Specific Performance

§101
11.1%
-28.9% vs TC avg
§103
56.6%
+16.6% vs TC avg
§102
13.1%
-26.9% vs TC avg
§112
13.9%
-26.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 21 resolved cases

Office Action

§103
DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment The amendment filed on 12/29/2025 has been entered. Claims 1-20 remain pending in this application. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-4, 8-11, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Jadhav et al. (US Pub. No. 2024/0086558 A1 hereinafter Jadhav) in view of Fournier (US Patent No. 11,709,720 B1). As per claim 1, Jadhav teaches a method comprising: generating, in a kernel space of an operating system on a computing device, a unique process identifier (UPID) that is distinct from, and associated with a process identifier (PID) of a process executing in the operating system (¶ [0044]-[0045], “In accordance with the present disclosure, when a process that entered the kernel space 204A is determined, by the processor 202, as embodying a ‘process path-kernel system call’ pair matching an entry in the ‘eBPF process filter map,’ then the processor 202 elicits at least a unique process ID (PID), a unique process namespace ID (PID_ns), and an event pointer corresponding to such a process…According to the exemplary ‘eBPF task map’ illustrated hereinabove, two processes referenced by PIDs ‘1213’ and ‘4312’ are shown as having entered the kernel space 204A and as embodying respective ‘process path-kernel system call’ pairs that matched any of the entries incorporated within the ‘eBPF process filter map. In accordance with the present disclosure, the processor 202 triggers the eBPF kernel module 206 to configure the ‘eBPF task map’ such that the information (i.e., PID, PID_ns, and event pointer) stored in the ‘eBPF task map’ is transmissible only within the kernel space 204A. In this manner, the processor 202 triggers the eBPF kernel module 206 to isolate the ‘eBPF task map’ from the user space 204B and therefore eliminates or at the least minimizes the context-switching between the user space 204B and kernel space 204A, at least during the in-kernel instrumentation of the said process.” See also paras. 0041-0043 and 0057-0060.) and inserting the UPID into a first mapping store that maps the PID to the UPID (¶ [0047], “In accordance with the present disclosure, subsequent to triggering the eBPF kernel module 206 to create the ‘eBPF task map’ and populate the ‘eBPF task map’ with the process ID (PID), the process ID_namespace (PID_ns), and the event pointer corresponding to the process that entered the kernel space 204A and embodied a ‘process path-kernel system call’ pair matching an entry in the ‘eBPF process filter map,’ the processor 202 triggers the eBPF kernel module 206 to create an ‘eBPF event map.’” ¶ [0057]-[0059], “In accordance with the exemplary embodiment of the present disclosure, the ‘PID’ or the ‘PID_ns’ could be used as a primary key within the ‘eBPF task map’ and as a foreign key within the ‘eBPF event map’ such that every process identified by a corresponding ‘PID’ and/or ‘PID_ns’ in the ‘eBPF task map’ is associated with a corresponding ‘kernel system call’ listed within the ‘eBPF event map’…Likewise, the processor 202 utilizes either the unique process ID (PID) or the unique process namespace ID (PID_ns) as a foreign key within the ‘eBPF event map’ and programmatically interlinks every process described within the ‘eBPF task map’ with the corresponding kernel system calls and kernel system call parameters (also referred to as process-related parameters) described in the ‘eBPF event map,’ based on the unique process ID (PID) or the unique process namespace ID (PID_ns).”). Jadhav fails to teach updating a second mapping store located in the user space that maps UPID to PID. However, Fournier teaches updating, in a user space of the operating system, a second mapping store that maps the UPID to PID (Col. 11, lines 14-33, “There are several options for communicating with the kernel space (e.g., reading data from the kernel space) from the user space…A third option includes generating an event data indexed cache in memory (e.g., in the user space) for communal write access for each of the kernel space and user space. A process in the user space can find event data by accessing the event data cache 124 based on a protocol that specifies wherein the event data cache 124 the kernel space stores the data of the kernel event 210. Conversely, a process in the kernel space can find a span ID, trace ID, etc. for associating with a kernel event by accessing the cache at a location specified by the protocol.” Col. 13, lines 3-17, “A third option for communication between the user space and kernel space includes a process in which the kernel space is configured to access a cache established in the user space for storing thread data such as span identifiers (span IDs), trace identifiers (trace IDs), coroutine identifiers (coroutine IDs), and coroutine context data. This is called user space memory access by the kernel space. The cache stores, for each thread related to a kernel event, the thread's extended process context. The extended process context includes a set of identifiers that uniquely identifies a given execution thread. In some implementations, for languages that implement coroutines, the set of identifiers includes a process ID (PID), thread ID (TID), and coroutine ID. For other languages, (PID, TID) provide enough information to identify the thread.”). Jadhav and Fournier are considered to be analogous to the claimed invention because they are in the same field of inter-process communication. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jadhav to include the event data cache of Fournier to arrive at the claimed invention. The motivation to modify Jadhav with the teachings of Fournier is that the event data cache of Jadhav enables communication between the user space and kernel space while minimizing overhead and the amount of time the user space has to reach out to the kernel space to gather process context/information (See Col. 13, lines 40-50.). Fournier also teaches transmitting, by a processing device, a message comprising the PID to a message buffer structure (Col. 14 & 15, lines 29-67 & 1-11, “he APM tracer application generates a pointer to a buffer (e.g., of 257 bytes). The pointer includes an OP code of 1 byte. In some implementations, the OP code specifies SPAN_ID_OP=3. The buffer (e.g., of 256 bytes) includes the RPC data. Specifically, the buffer includes a secret token (e.g., 8 bytes) for security, as subsequently described. The buffer includes the span ID (e.g., 8 bytes). The buffer includes the trace ID (e.g., 8 bytes). The buffer includes the coroutine ID (e.g., 8 bytes if included or 0 bytes if there is no coroutine). The buffer includes a coroutine context type (e.g., 1 byte). The buffer includes custom coroutine context data (e.g., up to 223 bytes)…In the kernel space, a Kprobe on the chosen system call 308 (e.g., ioctl syscall) parses a request and stores the span ID and trace ID in the buffer in the Span IDs mapping table 302 (e.g., a Least Recently Used (LRU) hash map). The mapping table 302 is indexed by the coroutine ID and, depending on the language defined by the coroutine context type, the Thread ID or the Process ID, as previously described.”). As per claim 2, Jadhav and Fournier teach the method of claim 1. Jadhav also teaches generating the UPID responsive to detecting a creation of the process in the kernel space of the operating system (¶ [0044], “In accordance with the present disclosure, when a process that entered the kernel space 204A is determined, by the processor 202, as embodying a ‘process path-kernel system call’ pair matching an entry in the ‘eBPF process filter map,’ then the processor 202 elicits at least a unique process ID (PID), a unique process namespace ID (PID_ns), and an event pointer corresponding to such a process.”). As per claim 3, Jadhav and Fournier teach the method of claim 1. Jadhav also teaches wherein the first mapping store comprises a memory structure shared between kernel space and the user space of the operating system (¶ [0046], “In accordance with the present disclosure, while the processor 202 enables the eBPF kernel module 206 to render the ‘eBPF task map’ accessible from the user space 204B, it restricts the transmission of the information stored in the ‘eBPF task map’ to the kernel space 204A, thus minimizing the need for context switching between the user space 204B and kernel space 204A during the execution of the ‘eBPF task map,’ and consequentially during the in-kernel instrumentation of the processes referenced within the ‘eBPF task map’.”). As per claim 4, Jadhav and Fournier teach the method of claim 1. Jadhav also teaches wherein the UPID is generated by an application extension executing in an extended Berkeley packet filter (eBPF) infrastructure within the operating system of the computing device (¶ [0036], “In accordance with the present disclosure, the processor 202 is configured to implement an extended Berkley Packet filter (eBPF) kernel module 206 within the kernel space 204A of the computer-implemented system 200. The eBPF kernel module 206 entails an extended Berkley Packet Filter (eBPF)-based instruction set architecture pre-configured to facilitate, inter-alia, extraction of fine-grained security related data from the kernel space 204A, tracing of applications executing within the kernel space 204A, and run-time security enforcement within the kernel space 204A.” ¶ [0044], “In accordance with the present disclosure, when a process that entered the kernel space 204A is determined, by the processor 202, as embodying a ‘process path-kernel system call’ pair matching an entry in the ‘eBPF process filter map,’ then the processor 202 elicits at least a unique process ID (PID), a unique process namespace ID (PID_ns), and an event pointer corresponding to such a process. Subsequently, the processor 202 triggers the eBPF kernel module 206 to create an ‘eBPF task map’ within the kernel space 204A, and populate the ‘eBPF task map’ with a new entry that includes at least the unique process ID (PID), the unique process ID_namespace (PID_ns), and the event pointer corresponding to the process that entered the kernel space 204A and embodied a ‘process path-kernel system call’ pair matching an entry in the ‘eBPF process filter map.’). As per claim 8, it is a system claim comprising similar limitations to claim 1, so it is rejected for similar reasons. Jadhav also teaches a memory and a processing device (¶ [0034], “The kernel is considered the core component of the operating system and acts as an interface between the operating system and the hardware elements embodied within the computer-implemented system 200, including memory, input/output devices, and the processor 202, inter-alia.”). As per claim 9, it is a system claim comprising similar limitations to claim 2, so it is rejected for similar reasons. As per claim 10, it is a system claim comprising similar limitations to claim 3, so it is rejected for similar reasons. As per claim 11, it is a system claim comprising similar limitations to claim 4, so it is rejected for similar reasons. As per claim 15, it is a product claim comprising similar limitations to claim 1, so it is rejected for similar reasons. Fournier also teaches a non-transitory computer readable storage medium (Col. 21, lines 53-67, “Some implementations described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage medium for execution by, or to control the operation of, data processing apparatus. A computer storage medium can be, or can be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them.”). As per claim 16, it is a product claim comprising similar limitations to claim 2, so it is rejected for similar reasons. As per claim 17, it is a product claim comprising similar limitations to claim 3, so it is rejected for similar reasons. Claim(s) 5, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jadhav and Fournier as applied to claims 1, 8, and 17 above, and further in view of Tso (US Pub. No. 2008/0209249 A1). As per claim 5, Jadhav and Fournier teach the method of claim 1. Jadhav teaches the UPID (¶ [0044]-[0045], “In accordance with the present disclosure, when a process that entered the kernel space 204A is determined, by the processor 202, as embodying a ‘process path-kernel system call’ pair matching an entry in the ‘eBPF process filter map,’ then the processor 202 elicits at least a unique process ID (PID), a unique process namespace ID (PID_ns), and an event pointer corresponding to such a process…According to the exemplary ‘eBPF task map’ illustrated hereinabove, two processes referenced by PIDs ‘1213’ and ‘4312’ are shown as having entered the kernel space 204A and as embodying respective ‘process path-kernel system call’ pairs that matched any of the entries incorporated within the ‘eBPF process filter map.”). Jadhav and Fournier fail to teach the UPID being generated based on a clock of the computing device. However, Tso teaches wherein the UPID is generated based on a monotonic clock of the computing device (¶ [0019], “Each time the system 200 is booted, a first random value is generated to serve as a time epoch indication of the system clock state at that point in time. In accordance with an example embodiment, the random value is a random UUID that is generated by a UUID library 212 utility in the operating system layer 210, though other types of time-based UUIDs can be used. A random UUID (also referred to as a type 4 UUID) is typically 16-bytes (128-bits) long, and includes a random number portion of 122 random bits, a version portion of 4 bits used to identify the UUID version (e.g., "Randomly generated UUID"), and a variant portion of 2 bits used to identify the variant (e.g., "Leach-Salz"). The UUID Library utility 212 generates the random UUID from information including, but not limited to, the network address of the host system 200 and the current time. The current time may be obtained (e.g., from a system clock or external time source such as an atomic time server), and may be expressed as a binary value representing the time/date.”) Jadhav, Fournier, and Tso are all considered to be analogous to the claimed invention because they are all in the same field of inter-process communication. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jadhav and Fournier with the well-known technique of generating a ID based on a clock value as taught in Tso to arrive at the claimed invention. This substitution would have been reasonable under MPEP § 2143 as all references use some form of an ID to communicate information within a computing system. As per claim 12, it is a system claim comprising similar limitations to claim 5, so it is rejected for similar reasons. As per claim 18, it is a product claim comprising similar limitations to claim 5, so it is rejected for similar reasons. Allowable Subject Matter Claims 6-7, 13-14, and 19-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Response to Arguments Applicant's arguments filed 12/19/2025 have been fully considered but they are not persuasive. Applicant argues that Jadhav fails to teach “generating…a UPID…” but rather teaches using existing OS identifiers to identify processes entering the kernel space. Examiner disagrees with this statement and directs applicant to para. 0044 and 0045 of Jadhav which are referenced in the above rejection. These paragraphs state that when a process enters the kernel space the processor elicits a unique process ID (PID) such as PIDs ‘1213’ and ‘4312’. Examiner maintains that this eliciting of PIDs ‘1213’ or ‘4312’ reads upon the limitation of “generating…a UPID…”; thus, Jadhav teaches the “generating” limitation. Applicant also argues that Jadhav does not suggest using process identifiers within the kernel space to reduce context switching. However, para. 0046 of Jadhav states “In accordance with the present disclosure, while the processor 202 enables the eBPF kernel module 206 to render the ‘eBPF task map’ accessible from the user space 204B, it restricts the transmission of the information stored in the ‘eBPF task map’ to the kernel space 204A, thus minimizing the need for context switching between the user space 204B and kernel space 204A…” which clearly shows that the purpose of generating and storing kernel space identifiers is to minimize context switching. Finally, Applicant argues that Jadhav does not address the PID reuse problem this instant application is looking to solve. Examiner contends that only one UPID is created in the independent claims which means the addressing the problem of PID reuse is irrelevant with regards to the independent claim. PID reuse only becomes relevant when more than one PID has been generated within the kernel space which is a situation that arises in dependent claims 6 and 7 as multiple processes and subsequent UPID / PIDs become relevant. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN ROBERT DAKITA EWALD whose telephone number is (703)756-1845. The examiner can normally be reached Monday-Friday: 9:00-5:30 ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /J.D.E./Examiner, Art Unit 2199 /LEWIS A BULLOCK JR/Supervisory Patent Examiner, Art Unit 2199
Read full office action

Prosecution Timeline

Dec 14, 2022
Application Filed
Sep 24, 2025
Non-Final Rejection — §103
Dec 16, 2025
Examiner Interview Summary
Dec 16, 2025
Applicant Interview (Telephonic)
Dec 19, 2025
Response Filed
Mar 24, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12572377
TRANSMITTING INTERRUPTS FROM A VIRTUAL MACHINE (VM) TO A DESTINATION PROCESSING UNIT WITHOUT TRIGGERING A VM EXIT
2y 5m to grant Granted Mar 10, 2026
Patent 12547465
METHOD AND SYSTEM FOR VIRTUAL DESKTOP SERVICE MANAGER PLACEMENT BASED ON END-USER EXPERIENCE
2y 5m to grant Granted Feb 10, 2026
Patent 12536041
SYSTEM AND METHOD FOR DETERMINING MEMORY RESOURCE CONFIGURATION FOR NETWORK NODES TO OPERATE IN A DISTRIBUTED COMPUTING NETWORK
2y 5m to grant Granted Jan 27, 2026
Patent 12524281
C²MPI: A HARDWARE-AGNOSTIC MESSAGE PASSING INTERFACE FOR HETEROGENEOUS COMPUTING SYSTEMS
2y 5m to grant Granted Jan 13, 2026
Patent 12517771
HARDWARE SUPPORTED SPLIT BARRIER
2y 5m to grant Granted Jan 06, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+55.6%)
3y 5m
Median Time to Grant
Moderate
PTA Risk
Based on 21 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month