Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Difference between CreateInfo->CreatingThreadId.UniqueProcess and CreateInfo->ParentProcessId?

Greg_LindorGreg_Lindor Member Posts: 4

Hi,

I noticed in a PsSetCreateProcessNotifyRoutineEx callback routine parameter, the PPS_CREATE_NOTIFY_INFO pointer offers what seems to be two distinct ways to determine the parent process.
Is there some difference between the two? If so, what? Indeed the MSDN documentation states this:
"Note that the parent process is not necessarily the same process as the process that created the new process. " for the ParentProcessId field, but what does that mean exactly? Under what circumstances?

Comments

  • Don_BurnDon_Burn Member - All Emails Posts: 1,649
    via Email
    I haven't looked at this for a long time, but it is possible to fork a process ala UNIX. I know in this case the creating process and the parent process are not the same. There may be other cases, but it has been a long time since I went through the process create code.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,096

    If you Right Click->Run as Administrator you'll see that the two fields are different. UniqueProcess will be something like svchost.exe but ParentProcessId will be explorer.exe.

    -scott
    OSR

  • Vadim_SirotnikovVadim_Sirotnikov Member Posts: 13
    edited March 6

    AFAIK ParentProcessId is better described as InheritedProcessId - this is the id of the process whose user token the new process will normally inherit, to run with the user's rights and permissions. This would be the explorer.exe shell process, in Scott's example).

    What you get in CreatingThreadId->UniqueProcessId _is the pid of the thread who _actually performed the creation of this new process, which is not necessarily the original requestor.

    As Scott said, when you run a process as admin, windows does UAC elevation, and delegates the creation of the new process to an svchost.exe running the AppInfo service which handles elevation for you, and creates the elevated new process, passing explorer.exe's pid as the (original) parent.

  • Vadim_SirotnikovVadim_Sirotnikov Member Posts: 13

    The ParentId is the id of the process whose access token the new process will inherit (often called InheritedProcessId)

    If you double click a process from the explorer.exe shell, then it will receive your user's access token, and inherit other various settings from it, thus making it its parent.

    The CreatingThread is the thread that was actually in charge of launching the new process. This could belong to another process, that was actually in charge of the new process creation. In Scott's example that is the svchost.exe instance running the AppInfo service, that is tasked with creating elevated processes for the user. (See Elevation topic in Windows Internals)

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 25 Feb 2019 OSR Seminar Space
Developing Minifilters 8 April 2019 OSR Seminar Space