About: OBJ_KERNEL_HANDLE | OBJ_INHERIT

Hi all,

Just to be sure...

OBJ_KERNEL_HANDLE: Makes the resulting handle be inserted into the system process handle table.

OBJ_INHERIT: Makes the resulting handle be duplicated when new child processes are created.

Is there any sense in using both flags together?
Is the system able to create child processes? (I don't think so).

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br/en

Well, Microsoft says so and that’s why they made that flag.

System process is the one which creates Smss process and later on

Is there any sense in using both flags together?

I think standard file handles (like stdout, stderr, stdin, etc) might be
implemented this way, not sure though.

Is the system able to create child processes? (I don’t think so).

If someone is doing ZwCreateProcess from a System thread, then yes it will
be created.
Smss.exe is launched from a System thread only and I am sure it must be
using Zw/NtCreateProcess.

I am not sure whether it belonged to ntfsd or not.

-Deepak

The specifics of this are really version dependent (there were substantial changes to this in Vista.) For Vista and beyond, this is done by using ZwCreateUserProcess.

Tony
OSR