
RE: Creating threads in context of user process from the kernel

Is it YOUR application or an arbitrary 3rd-party application? I don't
think you can prevent an application from using TerminateProcess(), which
will also terminate your thread.

Another potential problem that comes to mind is the case of single-
instance applications. When a second instance of the application runs,
it checks for an existing instance, tries to wake the existing instance
or bring it to the foreground, and then exits itself. What you are
proposing is to keep an old instance running, and this would prevent
the user from starting a new instance, although it looks like no app
is running.

What about getting the user's token from the app process and using it
to impersonate the user in a system thread?

-----------------------------------------------------------------------
Dave Cox
Hewlett-Packard Co.
ESBU/SSMO (Santa Barbara)


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 25, 2000 1:01 PM
To: NT Developers Interest List
Subject: Re: [ntdev] Creating threads in context of user process from
the kernel


I didn't say that I'd like a thread running after a process terminated :)
When the application exits, the thread executing WinMain terminates, but in
my case there are kernel threads left so the process exists.
The question was about MFC applications which cannot exit normally when
there are kernel threads left. So I'd like to know how to force MFC
applications to live peacefully with the kernel threads.

>then create that thread in the context of the SYSTEM process
I need spy threads which can work on behalf of the logged-in user. And the
user doesn't even suspect it. In fact I've already implemented spy
threads and they work in most cases, but MFC applications cause an access
violation when they exit if there are spy threads in their process.

Regards,
Max

----------
From: COX,DAVID (HP-Roseville,ex1)[SMTP:[email protected]]
Sent: 25 February 2000, 23:08
To: NT Developers Interest List
Subject: [ntdev] RE: Creating threads in context of user process from the
kernel

A thread is associated with a process context, and cannot exist after the
process has terminated. If you need a thread running longer than the life
of your application, then create that thread in the context of the SYSTEM
process.

-----------------------------------------------------------------------
Dave Cox
Hewlett-Packard Co.
ESBU/SSMO (Santa Barbara)


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 25, 2000 9:52 AM
To: NT Developers Interest List
Subject: Re: [ntdev] Creating threads in context of user process from
the kernel


Once again. I DO NEED this thread after the application exits. I've just
stolen the context of the application and then don't need this application
anymore. A user works with the application not knowing about the spy kernel
thread. Non-MFC applications don't react to the fact that additional
threads appear. But MFC applications want to control all the
threads of the process; they don't react to the kernel threads while working,
but they cause an access violation when exiting.

Regards,
Max

----------
From: Jamey Kirby[SMTP:[email protected]]
Reply To: NT Developers Interest List
Sent: 25 February 2000, 20:22
To: NT Developers Interest List
Subject: [ntdev] RE: Creating threads in context of user process from the
kernel

If the thread is in the context of your application, when your application
goes away, so does your thread. Because you are not properly synchronizing
the removal of the thread, you are experiencing the problem you are seeing.
I have done this myself. You need to terminate the thread when the
application terminates (in IRP_MJ_CLOSE or an IOCTL sent by the application)
and re-create it in the process you need when you need it again. Sorry to
disappoint you.

This has been my experience.

Jamey


> -----Original Message-----
> From: [email protected] [mailto:[email protected]]On Behalf Of
> Max Lyadvinsky
> Sent: Friday, February 25, 2000 8:55 AM
> To: 'NT Developers Interest List'
> Subject: Re: [ntdev] RE: Creating threads in context of user process
> from the kernel
>
>
> This isn't the way, 'cause I need this system thread.
>
>
> ----------
> From: Jamey Kirby[SMTP:[email protected]]
> Sent: 25 February 2000, 19:26
> To: NT Developers Interest List
> Subject: [ntdev] RE: Creating threads in context of user
> process from the kernel
>
> You need to terminate that thread in your driver first.
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]]On Behalf Of Max Lyadvinsky
> > Sent: Friday, February 25, 2000 6:34 AM
> > To: NT Developers Interest List
> > Subject: [ntdev] Creating threads in context of user process from the
> > kernel
> >
> >
> > Dear All!
> >
> > I've encountered the following problem in my nt driver. Inside my
> > driver I create threads in the context of the user mode
> > application and when the application exits the access violation
> > occurs. This occurs just in MFC applications. The MFC application
> > tries to deallocate resources for each thread and faults.
> > I can work around this problem by terminating the main thread (in
> > CWinApp::ExitInstance) when exiting my MFC app, but in this case
> > global destructors are not called. Maybe there is a way to tell
> > the MFC app about the newly created kernel mode thread so that
> > the MFC application could exit without problems?
> >
> > Regards,
> > Max Lyadvinsky
> >
> >
> > ---
> > You are currently subscribed to ntdev as: [email protected]
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> >
>
>
>
>

