Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


ZwSuspendProcess() fails with STATUS_OBJECT_TYPE_MISMATCH


I have been using ZwSuspendProcess() to suspend a process from a notifier that is called when a process is created (registered using PsSetCreateProcessNotifyRoutine()).

I open the process handle like this:
    /* The tail of this call was cut off in the post; the last three arguments
       (attributes, root directory, security descriptor) are an assumed completion.
       OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table. */
    InitializeObjectAttributes(&ObjAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    ClientId.UniqueProcess = ProcessId;   /* PID passed to the notify routine */
    ClientId.UniqueThread = NULL;
    Status = ZwOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS,
                           &ObjAttributes, &ClientId);
    if (!NT_SUCCESS(Status)) {
        ProcessHandle = NULL;             /* nothing to close on the way out */
        goto out;
    }

And then call ZwSuspendProcess():

    Status = ZwSuspendProcess(ProcessHandle);
    if (!NT_SUCCESS(Status)) {
        /* PPERROR is the driver's own logging macro */
        PPERROR("Failed suspending process %u: %x",
                ProcessId, Status);
        goto out;
    }

I know it's not documented, but this worked perfectly on Windows 7 (32-bit, 64-bit) and on Windows 10 (32-bit), but fails on Windows 10 64-bit, because ZwSuspendProcess() returns STATUS_OBJECT_TYPE_MISMATCH.

The type of the object is of course EPROCESS (just to be sane, I checked by using ObReferenceObjectByHandle(), and it's successful).

Any hints, ideas?

Thank you.


> Any hints, ideas?

Yup. Here's my idea: This is precisely what can happen when you use undocumented functions, which is why we tell people to avoid doing so. They're undocumented for a reason. Shit changes from release to release... When Devs find holes, issues, or they just change the way a function works because they want to. When a function's not documented, it's fair game.

Sorry... I know you don't want to hear that. But it's the truth...

Peter Viscarola
