Creating threads in context of user process from the kernel

OSR_Community_User Member Posts: 110,217
Dear All!

I've encountered the following problem in my NT driver. Inside my driver I create threads in the context of the user-mode application, and when the application exits an access violation occurs. This occurs just in MFC applications. The MFC application tries to deallocate resources for each thread and faults.
I can work around this problem by terminating the main thread (in CWinApp::ExitInstance) when exiting my MFC app, but in this case global destructors are not called. Maybe there is a way to tell the MFC app about the newly created kernel mode thread so that the MFC application could exit without problems?

Regards,
Max Lyadvinsky

Comments

  • OSR_Community_User Member Posts: 110,217
    You need to terminate that thread in your driver first.

    > -----Original Message-----
    > From: [email protected]
    > [mailto:[email protected]]On Behalf Of Max Lyadvinsky
    > Sent: Friday, February 25, 2000 6:34 AM
    > To: NT Developers Interest List
    > Subject: [ntdev] Creating threads in context of user process from the
    > kernel
  • OSR_Community_User Member Posts: 110,217
    This isn't the way, 'cause I need this system thread.


    ----------
    From: Jamey Kirby[SMTP:[email protected]]
    Sent: 25 February 2000, 19:26
    To: NT Developers Interest List
    Subject: [ntdev] RE: Creating threads in context of user process from the kernel

  • OSR_Community_User Member Posts: 110,217
    If the thread is in the context of your application, when your application
    goes away, so does your thread. Because you are not properly synchronizing
    the removal of the thread, you are experiencing the problem you are seeing.
    I have done this myself. You need to terminate the thread when the
    application terminates (in IRP_MJ_CLOSE or an IOCTL sent by the application)
    and re-create it in the process you need when you need it again. Sorry to
    disappoint you.

    This has been my experience.

    Jamey


    > -----Original Message-----
    > From: [email protected] [mailto:[email protected]]On Behalf Of
    > Max Lyadvinsky
    > Sent: Friday, February 25, 2000 8:55 AM
    > To: 'NT Developers Interest List'
    > Subject: Re: [ntdev] RE: Creating threads in context of user process
    > from the kernel
  • OSR_Community_User Member Posts: 110,217
    Once again. I DO NEED this thread after the application exits. I've just stolen the context of the application and then don't need this application anymore. A user works with the application not knowing about the spy kernel thread. Non-MFC applications don't react to the fact that additional threads appear. But MFC applications want to control all the threads of the process; they don't react to the kernel threads while working, but they cause an access violation when exiting.

    Regards,
    Max

    ----------
    From: Jamey Kirby[SMTP:[email protected]]
    Reply To: NT Developers Interest List
    Sent: 25 February 2000, 20:22
    To: NT Developers Interest List
    Subject: [ntdev] RE: Creating threads in context of user process from the kernel

  • OSR_Community_User Member Posts: 110,217
    I didn't say that I'd like a thread running after a process terminated :) When the application exits, the thread executing WinMain terminates, but in my case there are kernel threads left so the process exists.
    The question was about MFC applications which cannot exit normally when there are kernel threads left. So I'd like to know how to force MFC applications to live peacefully with the kernel threads.

    >then create that thread in the context of the SYSTEM process
    I need spy threads which can work on behalf of the logged-in user. And the user doesn't even suspect it. In fact I've already implemented spy threads and they work in most cases, but MFC applications cause an access violation when they exit if there are spy threads in their process.

    Regards,
    Max

    ----------
    From: COX,DAVID (HP-Roseville,ex1)[SMTP:[email protected]]
    Sent: 25 February 2000, 23:08
    To: NT Developers Interest List
    Subject: [ntdev] RE: Creating threads in context of user process from the kernel

    A thread is associated with a process context, and cannot exist after the
    process has terminated. If you need a thread running longer than the life
    of your application, then create that thread in the context of the SYSTEM
    process.

    -----------------------------------------------------------------------
    Dave Cox
    Hewlett-Packard Co.
    ESBU/SSMO (Santa Barbara)


    -----Original Message-----
    From: [email protected] [mailto:[email protected]]
    Sent: Friday, February 25, 2000 9:52 AM
    To: NT Developers Interest List
    Subject: Re: [ntdev] Creating threads in context of user process from
    the kernel


  • OSR_Community_User Member Posts: 110,217
    >Once again. I DO NEED this thread after the application exits. I've just
    >stolen the context of the application and then don't need this application

    Hm... an idea is to a) addref the token object of the application b) create
    a usual system thread c) assign the saved token temporarily to that system
    thread to do something.

    Are there any SeXxx APIs to implement a) or b)? I'm sure they exist - but are
    they available to the drivers?

    Max
  • OSR_Community_User Member Posts: 110,217
    >think you can prevent an application from using TerminateProcess(),
    >which will also terminate your thread.
    TerminateProcess cannot terminate kernel mode threads.

    >When a second instance of the application runs,
    >it checks for an existing instance
    And sees nothing, 'cause all the user mode threads are terminated.
    How do you check for an existing instance? You call FindWindow then
    SetForegroundWindow. In my case this way won't allow another instance to be
    found.

    >What about getting the user's token from the app process and using it
    >to impersonate the user in a system thread?
    That's very interesting. I don't know how to do it. Do you know?

    Regards,
    Max


    ----------
    From: COX,DAVID (HP-Roseville,ex1)[SMTP:[email protected]]
    Reply To: NT Developers Interest List
    Sent: 26 February 2000, 1:57
    To: NT Developers Interest List
    Subject: [ntdev] RE: Creating threads in context of user process from the kernel

    Is it YOUR application or an arbitrary 3rd-party application? I don't
    think you can prevent an application from using TerminateProcess(), which
    will also terminate your thread.

    Another potential problem that comes to mind is the case of single-
    instance applications. When a second instance of the application runs,
    it checks for an existing instance, tries to wake the existing instance
    or bring it to the foreground, and then exits itself. What you are
    proposing is to keep an old instance running, and this would prevent
    the user from starting a new instance, although it looks like no app
    is running.

    What about getting the user's token from the app process and using it
    to impersonate the user in a system thread?

    -----------------------------------------------------------------------
    Dave Cox
    Hewlett-Packard Co.
    ESBU/SSMO (Santa Barbara)


    -----Original Message-----
    From: [email protected] [mailto:[email protected]]
    Sent: Friday, February 25, 2000 1:01 PM
    To: NT Developers Interest List
    Subject: Re: [ntdev] Creating threads in context of user process from
    the kernel

