Creating threads in context of user process from the kernel

Dear All!

I’ve encountered the following problem in my NT driver. Inside my driver I create threads in the context of the user mode application, and when the application exits an access violation occurs. This occurs just in MFC applications. The MFC application tries to deallocate resources for each thread and faults.
I can work around this problem by terminating the main thread (in CWinApp::ExitInstance) when exiting my MFC app, but in this case global destructors are not called. Maybe there is a way to tell the MFC app about the newly created kernel mode thread so that the MFC application could exit without problems?

Regards,
Max Lyadvinsky

You need to terminate that thread in your driver first.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Max Lyadvinsky
Sent: Friday, February 25, 2000 6:34 AM
To: NT Developers Interest List
Subject: [ntdev] Creating threads in context of user process from the kernel

Dear All!

I’ve encountered the following problem in my NT driver. Inside my
driver I create threads in the context of the user mode
application, and when the application exits an access violation
occurs. This occurs just in MFC applications. The MFC application
tries to deallocate resources for each thread and faults.
I can work around this problem by terminating the main thread (in
CWinApp::ExitInstance) when exiting my MFC app, but in this case
global destructors are not called. Maybe there is a way to tell
the MFC app about the newly created kernel mode thread so that
the MFC application could exit without problems?

Regards,
Max Lyadvinsky


You are currently subscribed to ntdev as: xxxxx@storagecraft.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)

This isn’t the way, 'cause I need this system thread.


From: Jamey Kirby [SMTP:xxxxx@storagecraft.com]
Sent: 25 Feb 2000, 19:26
To: NT Developers Interest List
Subject: [ntdev] RE: Creating threads in context of user process from the kernel

You need to terminate that thread in your driver first.


If the thread is in the context of your application, when your application
goes away, so does your thread. Because you are not properly synchronizing
the removal of the thread, you are experiencing the problem you are seeing.
I have done this myself. You need to terminate the thread when the
application terminates (in IRP_MJ_CLOSE or an IOCTL sent by the application)
and re-create it in the process you need when you need it again. Sorry to
disappoint you.

This has been my experience.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@paragon.ru] On Behalf Of Max Lyadvinsky
Sent: Friday, February 25, 2000 8:55 AM
To: ‘NT Developers Interest List’
Subject: Re: [ntdev] RE: Creating threads in context of user process from the kernel

This isn’t the way, 'cause I need this system thread.



Once again. I DO NEED this thread after the application exits. I’ve just stolen the context of the application and then don’t need this application anymore. A user works with the application not knowing about the spy kernel thread. Non-MFC applications don’t react to the fact that additional threads appear. But MFC applications want to control all the threads of the process; they don’t react to the kernel threads while working, but they cause an access violation when exiting.

Regards,
Max


From: Jamey Kirby [SMTP:xxxxx@storagecraft.com]
Reply To: NT Developers Interest List
Sent: 25 Feb 2000, 20:22
To: NT Developers Interest List
Subject: [ntdev] RE: Creating threads in context of user process from the kernel

If the thread is in the context of your application, when your application
goes away, so does your thread. Because you are not properly synchronizing
the removal of the thread, you are experiencing the problem you are seeing.
I have done this myself. You need to terminate the thread when the
application terminates (in IRP_MJ_CLOSE or an IOCTL sent by the application)
and re-create it in the process you need when you need it again. Sorry to
disappoint you.

This has been my experience.

Jamey


I didn’t say that I’d like a thread running after a process terminated :) When the application exits, the thread executing WinMain terminates, but in my case there are kernel threads left so the process exists.
The question was about MFC applications which cannot exit normally when there are kernel threads left. So I’d like to know how to force MFC applications to live peacefully with the kernel threads.

> then create that thread in the context of the SYSTEM process

I need spy threads which can work on behalf of the logged in user. And the user doesn’t even suspect it. In fact I’ve already implemented spy threads and they work in most cases, but MFC applications cause an access violation when they exit if there are spy threads in their process.

Regards,
Max


From: COX,DAVID (HP-Roseville,ex1) [SMTP:david_cox2@hp.com]
Sent: 25 Feb 2000, 23:08
To: NT Developers Interest List
Subject: [ntdev] RE: Creating threads in context of user process from the kernel

A thread is associated with a process context, and cannot exist after the
process has terminated. If you need a thread running longer than the life
of your application, then create that thread in the context of the SYSTEM
process.


Dave Cox
Hewlett-Packard Co.
ESBU/SSMO (Santa Barbara)

-----Original Message-----
From: xxxxx@paragon.ru [mailto:xxxxx@paragon.ru]
Sent: Friday, February 25, 2000 9:52 AM
To: NT Developers Interest List
Subject: Re: [ntdev] Creating threads in context of user process from the kernel

Once again. I DO NEED this thread after the application exits. I’ve just
stolen the context of the application and then don’t need this application
anymore. A user works with the application not knowing about the spy kernel
thread. Non-MFC applications don’t react to the fact that additional
threads appear. But MFC applications want to control all the
threads of the process; they don’t react to the kernel threads while working,
but they cause an access violation when exiting.

Regards,
Max



> Once again. I DO NEED this thread after the application exits. I’ve just
> stolen the context of the application and then don’t need this application

Hm… an idea is to a) addref the token object of the application b) create a
usual system thread c) assign the saved token temporarily to that system
thread to do something.

Are there any Sexxx APIs to implement a) or b)? I’m sure they exist - but are
they available to the drivers?

Max

> think you can prevent an application from using TerminateProcess(),
> which will also terminate your thread.

TerminateProcess cannot terminate kernel mode threads.

> When a second instance of the application runs,
> it checks for an existing instance

And sees nothing, 'cause all the user mode threads are terminated.
How do you check for an existing instance? You call FindWindow then
SetForegroundWindow. In my case this way won’t allow finding another
instance.

> What about getting the user’s token from the app process and using it
> to impersonate the user in a system thread?

That’s very interesting. I don’t know how to do it. Do you know?

Regards,
Max


From: COX,DAVID (HP-Roseville,ex1) [SMTP:david_cox2@hp.com]
Reply To: NT Developers Interest List
Sent: 26 Feb 2000, 1:57
To: NT Developers Interest List
Subject: [ntdev] RE: Creating threads in context of user process from the kernel

Is it YOUR application or an arbitrary 3rd-party application? I don’t
think you can prevent an application from using TerminateProcess(), which
will also terminate your thread.

Another potential problem that comes to mind is the case of single-
instance applications. When a second instance of the application runs,
it checks for an existing instance, tries to wake the existing instance
or bring it to the foreground, and then exits itself. What you are
proposing is to keep an old instance running, and this would prevent
the user from starting a new instance, although it looks like no app
is running.

What about getting the user’s token from the app process and using it
to impersonate the user in a system thread?


Dave Cox
Hewlett-Packard Co.
ESBU/SSMO (Santa Barbara)

-----Original Message-----
From: xxxxx@paragon.ru [mailto:xxxxx@paragon.ru]
Sent: Friday, February 25, 2000 1:01 PM
To: NT Developers Interest List
Subject: Re: [ntdev] Creating threads in context of user process from the kernel

I didn’t say that I’d like a thread running after a process terminated :)
When the application exits, the thread executing WinMain terminates, but in
my case there are kernel threads left so the process exists.
The question was about MFC applications which cannot exit normally when
there are kernel threads left. So I’d like to know how to force MFC
applications to live peacefully with the kernel threads.

> then create that thread in the context of the SYSTEM process

I need spy threads which can work on behalf of the logged in user. And the
user doesn’t even suspect it. In fact I’ve already implemented spy
threads and they work in most cases, but MFC applications cause an access
violation when they exit if there are spy threads in their process.

Regards,
Max

