getting SuspendCount of a thread

Hi, does anybody know a good way to get the SuspendCount of a thread? I know I
can call (Zw)SuspendThread or (Zw)ResumeThread to obtain this info, but this
has the side effect of suspending or resuming the thread. I also know it is
part of the ETHREAD structure, but I am not supposed to touch that, or am I?
Does somebody know of a better way? Thanks

/Daniel

The standard answer to this question is that designs that need to know the suspend count are inherently broken. I know that’s not exactly a satisfying answer. The reason is that any design that uses ZwSuspendThread should be responsible for knowing whether or not it suspended a thread, and whether or not it needs to resume the thread. If more than one thread suspends the same target thread, then the kernel’s suspend count ensures that the thread is suspended until all of the threads have released the suspended thread. If it were possible to query the suspend count, then inevitably people would think it was safe to call ZwResumeThread in a loop, to force the thread to a non-suspended state. But this is just asking for trouble, because you have broken synchronization with other threads. (It’s analogous to polling the count of a semaphore – it’s pointless, because by the time you have acquired the information (the count), it can have changed and become meaningless.)

Actually, I would go farther than that – with precious few exceptions, you should simply never, ever use ZwSuspendThread. The exceptions generally involve implementing debuggers. Good designs synchronize threads through mutually-agreed protocols, such as IRP completion, events, APCs, etc.

Again, I know that’s not a satisfying answer – no one likes to be told “bad question!” instead of “here’s the answer.” But it’s a bad question. What are you really trying to do? What problem are you trying to solve?



Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
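The suspend-count contract Arlie describes above, as an added example that is not code from the original thread: a portable C simulation of the NT suspend count. The real calls are SuspendThread/ResumeThread in user mode and ZwSuspendThread/ZwResumeThread in the kernel; both report the previous count (ResumeThread through its return value, the Zw calls through an optional PreviousSuspendCount argument), and the kernel fails a suspend that would push the count past MAXIMUM_SUSPEND_COUNT (127, from winnt.h). The type and function names below are mine, and nothing here calls into Windows. The two scenario functions show why each suspender must track only its own suspend, and how resuming in a loop on a queried count silently destroys another party’s suspend.

```c
/* Added example, not code from the thread: a simulation of the NT thread
 * suspend count with the SuspendThread/ResumeThread contract. The names
 * are the example's own; the constant is the real winnt.h value. */
#include <stdbool.h>

#define MAXIMUM_SUSPEND_COUNT 127

typedef struct {
    int suspend_count;   /* the ETHREAD field the OP wants to read */
} model_thread;

/* Like SuspendThread: returns the previous count, or -1 when saturated. */
int model_suspend(model_thread *t)
{
    if (t->suspend_count >= MAXIMUM_SUSPEND_COUNT)
        return -1;
    return t->suspend_count++;
}

/* Like ResumeThread: returns the previous count. 0 = was not suspended
 * (no change), 1 = now running, >1 = still held by another suspender. */
int model_resume(model_thread *t)
{
    int prev = t->suspend_count;
    if (prev > 0)
        t->suspend_count--;
    return prev;
}

/* The only "query" the API offers: suspend, read the previous count, resume.
 * It bumps the count for a moment, and the value is stale on return. */
int peek_suspend_count(model_thread *t)
{
    int prev = model_suspend(t);
    if (prev >= 0)
        model_resume(t);
    return prev;
}

/* A well-behaved suspender records only what it did and undoes it once. */
typedef struct {
    bool holds_suspend;
} suspender;

bool suspender_suspend(suspender *s, model_thread *t)
{
    if (s->holds_suspend)        /* already ours: do not count twice */
        return true;
    if (model_suspend(t) < 0)
        return false;
    s->holds_suspend = true;
    return true;
}

void suspender_release(suspender *s, model_thread *t)
{
    if (!s->holds_suspend)       /* never resume what you did not suspend */
        return;
    model_resume(t);
    s->holds_suspend = false;
}

/* The anti-pattern: "I know the count, so resume until it reaches zero." */
int force_running(model_thread *t)
{
    int releases = 0;
    while (model_resume(t) > 0)
        releases++;
    return releases;
}

/* Two independent suspenders (a debugger and a profiler, say) on one thread.
 * Returns the count after the profiler releases: 1, the thread stays stopped
 * because the debugger's suspend is still outstanding. */
int scenario_cooperative(void)
{
    model_thread t = { 0 };
    suspender dbg = { false }, prof = { false };
    suspender_suspend(&dbg, &t);    /* 0 -> 1 */
    suspender_suspend(&prof, &t);   /* 1 -> 2 */
    suspender_release(&prof, &t);   /* 2 -> 1 */
    return t.suspend_count;
}

/* Same two suspenders, but the profiler forces the thread running. Returns
 * the count after the debugger's own release: 0, and the debugger never
 * learns its suspend was destroyed (its resume became a no-op). */
int scenario_forced(void)
{
    model_thread t = { 0 };
    suspender dbg = { false };
    suspender_suspend(&dbg, &t);    /* debugger: 0 -> 1 */
    model_suspend(&t);              /* profiler: 1 -> 2 */
    force_running(&t);              /* profiler: 2 -> 0 */
    suspender_release(&dbg, &t);    /* model_resume returns 0, nothing to undo */
    return t.suspend_count;
}
```

The scenario functions return the resulting count so they can be checked directly: the cooperative pair leaves the thread correctly stopped (count 1) until the debugger releases, while the forced path leaves count 0 with the debugger still believing it holds a suspend. The peek function is the only query the API provides, and its momentary extra suspend is exactly the side effect the original question wants to avoid.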

There is a Sysinternals utility out there, “Process Explorer”, a task manager
which allows users to suspend / resume processes. My product cannot afford
to have one of its processes suspended. What I really would like is to call
WaitForSingleObject and get signalled as soon as my thread / process gets
suspended.

/Daniel


This is a losing battle. What if I attach a debugger and suspend the
thread? Since Process Explorer must run with sufficient rights to do
this, they can do a lot more to your process than just suspend the
thread. Document that this should not be done and leave it be.

d


Daniel Terhell wrote:

There is a Sysinternals utility out there “Process Explorer”, a task manager
which allows users to suspend / resume processes. My product cannot afford
to have one of its processes suspended.

Well, then, put a statement in your product’s documentation that says
“don’t suspend any of our processes, it would be bad.”

Look for a moment at the cost/benefit ratio of what you are proposing.
Only the most hard core amongst your users will even know about Process
Explorer. As a hard core user, I’ve used Process Explorer many times,
and I have never used it to suspend a process. If I *did* suspend a
process, I would do so because I was chasing a problem and I wanted it
to suspend, damn it. If that causes one of my add-in devices to blow a
gasket, it’s my own fault. It’s my computer, and you did warn me.

It’s not worth worrying about.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The only defense against ZwSuspendThread is ACLs. If you are trying to build a product that defends itself against malicious software, and your attacker has access to your process, then the game is up. There is absolutely nothing you can do to defend from a process that has the proper access, because that’s the point of access controls, right? If the attacker already has the keys, you’re dead.

Even if you can think up a way to defend against ZwSuspendThread (and you can’t), there are a thousand and one other ways for one process to disrupt another, if it has sufficient access rights. By default, processes running with the same credentials can do pretty much anything to each other – read/write private process memory (even without voluntary shared memory calls), termination, loading and executing arbitrary code, etc. And processes running with Administrator rights, or equivalent, can do nearly anything to any process.

If you think this is an implementation flaw, it isn’t – this behavior is by design. On NT, ACLs define and enforce security boundaries; there is no finer-grained access control (* but see below re Vista). If you think this is a design flaw, well, that’s arguable, but this isn’t really the forum for it. Until recently, access control in most commodity operating systems has been based on the model of protecting users from each other, and protecting the base OS from users. In other words, the granularity of access control is per-user. The trend recently is toward finer-grained access control; protecting users from apps, web sites, etc.

But again, this is not the forum for this; a security research / design forum would be. There is some progress toward finer-grained access control in Vista, in UAC and in the “protected” process model.

If I have misunderstood your need, then please adjust my understanding and elucidate. But if my understanding is accurate, that you want to defend a process from other processes that are assumed to be running with the same user rights, or with Admin rights – give up. It’s impossible. Your only viable approach is to run your product with Admin rights, or LocalSystem, which is equivalent (not really, but enough for this discussion). This will defend your process from non-Admin users, but not from Admin users. Which, really, should not surprise anyone – Admin means “owns the machine, can do anything,” not “bean counter who signed the PO for this box.”


Thanks, unfortunately things are not as simple as you and I have put them. I
have more reasons why I need to know the SuspendCount of a thread, and I do
not feel like elaborating on them here; I admit that the example I gave was
not a very good one. Also, I am not into a moral discussion about what is
good or bad; I know what my responsibilities are. Let me say my app is one
of those “precious few exceptions” that you talk about. I also know how to
get the SuspendCount of a thread: (Zw)ResumeThread offers an optional
SuspendCount parameter which gives you just that. I just hoped there was
another way and I could get a quick and simple answer.

/Daniel


> Also I am not into a moral discussion about what is good or bad, I know
> what my responsibilities are. Let me say my app is one of those “precious
> few exceptions” that you talk about.

Well, in our opinion, our applications/drivers are always “precious exceptions”, don’t you think???
“Comedy” begins when 2 such “precious exceptions” start fighting with one another for a place in the call chain. Furthermore, I am not sure that, in the user’s opinion, your app is so “exceptional”. Therefore, things are not necessarily as simple as you are trying to present them…

Certainly, your problem has quite an easy solution if you don’t mind writing a simple driver, but I don’t think Admin users will be too happy about it - to be honest, I am not a great fan of the idea of being unable to do anything about a certain process on my machine, regardless of my privilege level. Therefore, I am not going to tell you how to do it…

Anton Bassov

xxxxx@hotmail.com wrote:

Therefore, I am not going to tell you how to do it…

And another curmudgeon rides the bus… :)

I think I am getting into a quandary myself.

In some cases (probably this one…) a developer may think he or she needs
some special feature or insight that we know will cause problems if released
into the wild. In this case, the information shouldn’t be released because
we will be shooting ourselves (and all users of the “exceptional” product)
in the foot.

In other cases the same information may be needed for special purposes
(e.g., in-house test equipment) in controlled environments. Should the
reputable developer who has special needs be blown off and left hanging?

How do we distinguish between these cases?

Thomas F. Divine


I don’t think you can, so you have to make a judgment call regarding the
potential harm from the misuse of the information. In this case the
potential harm is limited to a shitty product, unless I am missing
something, so you should just cut’n’paste Mr. Burn’s “let me know what
this crappy product is called so I can warn everyone I know to never use
it” or something like that.


> In this case the potential harm is limited to a shitty product

Actually, I am not so sure that it is meant to be a product, in the first place - there is a good chance that this “product” is meant to be installed and run on your machine without your knowledge… Otherwise, I think I would tell the OP what can be done (with appropriate warnings, of course)

Let’s face it - if you don’t want a process to run on your machine, you can just terminate it, and that’s it. Therefore, if his product is meant to run as a separate process, the OP is just looking for the wrong type of solution. However, if this “product” is meant to run in context of some other process and the OP is sure that this process is not going to be terminated… well, in this case the OP’s approach becomes understandable - he just wants to make sure that his thread cannot be suspended/terminated even if it gets detected via the Process Explorer…

Anton Bassov

Thomas,

In other cases the same information may be needed for special purposes
(e.g., in-house test equipment) in controlled environments. Should the
reputable developer who has special needs be blown off and left hanging?

Certainly, we should judge things on case-by-case basis - after all, as they say, “rules are for the obedience of fools and guidance of wise men” …

Sometimes it is hard to make a clear distinction between legitimate and illegitimate use of this or that technique, as well as between “good” software and malware. However, there are 2 features that will never be found in any “good” software (actually, they are both just meaningless for someone who writes a product for in-house use):

  1. “Good” software *NEVER* stands in Admin’s way when it comes to terminating/suspending it
  2. “Good” software *NEVER* tries to hide itself

Therefore, whenever you see a question about how one of the above can be done, you can be pretty sure that the OP’s objectives are “not that innocent”, so to say…

Anton Bassov

Yes, you are missing something, but unfortunately it is not ready yet. My
company dispenses with your or any expert’s approval or judgement. It is just
not in my interest to discuss the internals of my new product here. I am
developing a very cool utility which has every right to exist and every
right to know the suspend count of a thread, but I have a responsibility
towards myself, our users and customers only. Feel free to discuss the
merits of my product or the techniques it uses when it is ready or at
least announced.

Thank you,

/Daniel


[FLAME MODE ON]

Daniel Terhell wrote:

My company dispenses with you or any experts approval or judgement.

Then why are you posting if you don’t care what the EXPERTS have to
say? Mark is one of the
few DDK MVPs worldwide - although you may disagree with him,
his opinion is something to listen to and consider, not ‘dispense’ with.

It is just
not in my interest to discuss the internals of my new product here.

Then why are you asking a question regarding the internals of your
gee-wiz product?

I am developing a very cool utility

Let me guess, as Tim put it, you’re “Adding Value”?

I have a responsability towards myself, our users and customers only.

There are only two entities here… (you being one of them)

Feel free to discuss the
merits of my product or the techniques it uses when it will be ready or at
least announced.

I’ll be looking forward to it - just be warned. In my usual style I’ll
be fashionably late to your release party.
(As I’m sure everyone here will be as well.)

[FLAME MODE OFF]

With his detrimental prejudice he classified my product as shitty while he
does not even know what it does or where or when it will be used. Expert or
not, as far as I am concerned he can go and wash his fingers, assuming he
was using a keyboard to produce this arrogance.

Of course some of the replies here do have a point: suspending threads which
are not yours is a dangerous business and could well hang a system.
Therefore getting to know the suspend counts of threads is also potentially
dangerous. And I regret the initial answer I gave to the question of why I
needed this, which was not a complete and totally honest answer.

However statements such as “designs that need to know the suspend count are
inherently broken” are nothing more than general rules of thumb. For example
Sysinternals Process Explorer knows exactly what processes are suspended in
the system, it likely gets this information by querying the suspend counts
of threads. At this point the discussion
will probably be taken to something like “yes but at least they are from
Microsoft” or “yes but these guys at least really know what they are doing”.
Of course we will allow an exception for them but what is apparent to me is
that the highest gurus are often using the most controversial dirty hacks
themselves.

Now I also have incredible kernel development skills and I am really old and
wise enough to take the responsibility to make decisions like these myself.
Like I said before I do not want to publish here what I am creating because
my customers may be reading along. The code I am writing is only being run
under very exceptional conditions when the user chooses to do so. Querying
the suspend count of threads is logically justified in this case, more I
really do not want to say.

I was asking for a simple technical question, really nothing more and
nothing less. This does not mean I am obliged to subject myself to a moral
investigation and be forced to publish the details of my new product which I
prefer to keep secret for the moment. Does it make sense ?

/Daniel

“MM” wrote in message news:xxxxx@ntdev…
> [FLAME MODE ON]
>
> Daniel Terhell wrote:
>
>>My company dispenses with you or any experts approval or judgement.
> Then why are you posting if you don’t care what the EXPERTS have too say?
> Mark is one of the
> few DDK MVP’s worldwide - although you may disagree with him,
> his opinion is something to listen too and consider, not ‘dispense’.
>
>>It is just not in my interest to discuss the internals of my new product
>>here.
> Then why are you asking a question regarding the internals of your gee-wiz
> product?
>
>>I am developing a very cool utility
> Let me guess, as Tim put it, you’ re “Adding Value”?
>
>>I have a responsability towards myself, our users and customers only.
> There are only two entities here… (you being one of them)
>
>>Feel free to discuss the merits of my product or the techniques it uses
>>when it will be ready or at least announced.
>>
> I’ll be looking forward to it - just be warned. In my usual style I’ll be
> fashionably late to your release party.
> (as I’m sure everyone here will be as well)
>
> [FLAME MODE OFF]
>
>

You were badly treated. “Why would you want to do that?” is normally
an absolute “I don’t know the answer”. I have dealt with hardware
manufacturers who have asked the “Why” question. It was particularly
annoying when it was documented wrongly and the chip actually didn’t
support the functionality in any way. Same for software. IFS could be
called a fraud under these simple conditions. Why would you possibly
want to do anything that the buggy samples can’t?

Well because we paid money for something to do it.

I wish this list wasn’t full of “you are an idiot because you don’t do it the
only way it works” - which we won’t tell you - and you believe the
documentation instead.

Too many dead ends taking “maybe this will work” hints.
This is not computer science, it’s nonsense.

brucee

On 3/26/07, Daniel Terhell wrote:
> With his detrimental prejudice he classified my product as shitty while he
> does not even know what it does or where or when it will be used. Expert or
> not, as far as I am concerned he can go and wash his fingers, assuming he
> was using a keyboard to produce this arrogance.
>
> Of course some of the replies here do have a point, suspending threads which
> are not yours is a dangerous business and could well hang up a system.
> Therefore getting to know the suspend counts of threads is also potentially
> dangerous. And I regret the initial answer I gave to the question why I
> needed this which was not a complete and totally honest answer.
>
> However statements such as “designs that need to know the suspend count are
> inherently broken” are nothing more than general rules of thumb. For example
> Sysinternals Process Explorer knows exactly what processes are suspended in
> the system, it likely gets this information by querying the suspend counts
> of threads. At this point the discussion
> will probably be taken to something like “yes but at least they are from
> Microsoft” or “yes but these guys at least really know what they are doing”.
> Of course we will allow an exception for them but what is apparent to me is
> that the highest gurus are often using the most controversial dirty hacks
> themselves.
>
> Now I also have incredible kernel development skills and I am really old and
> wise enough to take the responsibility to make decisions like these myself.
> Like I said before I do not want to publish here what I am creating because
> my customers may be reading along. The code I am writing is only being run
> under very exceptional conditions when the user chooses to do so. Querying
> the suspend count of threads is logically justified in this case, more I
> really do not want to say.
>
> I was asking for a simple technical question, really nothing more and
> nothing less. This does not mean I am obliged to subject myself to a moral
> investigation and be forced to publish the details of my new product which I
> prefer to keep secret for the moment. Does it make sense?
>
> /Daniel
>
>
>
> “MM” wrote in message news:xxxxx@ntdev…
> > [FLAME MODE ON]
> >
> > Daniel Terhell wrote:
> >
> >>My company dispenses with you or any experts approval or judgement.
> > Then why are you posting if you don’t care what the EXPERTS have to say?
> > Mark is one of the
> > few DDK MVP’s worldwide - although you may disagree with him,
> > his opinion is something to listen to and consider, not ‘dispense’.
> >
> >>It is just not in my interest to discuss the internals of my new product
> >>here.
> > Then why are you asking a question regarding the internals of your gee-wiz
> > product?
> >
> >>I am developing a very cool utility
> > Let me guess, as Tim put it, you’re “Adding Value”?
> >
> >>I have a responsibility towards myself, our users and customers only.
> > There are only two entities here… (you being one of them)
> >
> >>Feel free to discuss the merits of my product or the techniques it uses
> >>when it will be ready or at least announced.
> >>
> > I’ll be looking forward to it - just be warned. In my usual style I’ll be
> > fashionably late to your release party.
> > (as I’m sure everyone here will be as well)
> >
> > [FLAME MODE OFF]
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

> However statements such as “designs that need to know the suspend count are
> inherently broken” are nothing more than general rules of thumb. For example
> Sysinternals Process Explorer knows exactly what processes are suspended in
> the system, it likely gets this information by querying the suspend counts
> of threads. At this point the discussion will probably be taken to something
> like “yes but at least they are from Microsoft” or “yes but these guys at
> least really know what they are doing”.

You just don’t even understand what we are saying…

No one really minds querying it, even if it is done by some undocumented API call. However, you asked us about something totally different - you asked us how to *prevent* a thread being suspended by a user with Admin privileges. Normally such things are done only by malware - after all, Admins are supposed to do whatever they want on their own machines, so that “good” software
does not try to stand in their way. This is the only reason why you got a bit of a hard time…

Actually, you are just obsessed with suspend count…

FYI, there is no need to know it for discovering thread’s execution state - this info is available via ZwQuerySystemInformation(), infoclass 5. If you want to prevent thread from being suspended, you don’t need to deal with its suspend count either…

Now I also have incredible kernel development skills…

LOL. If you are such a “guru”, why do you ask us for help then??? In fact, your questions strongly suggest exactly the opposite - the stuff you ask us about is just basic…

Anton Bassov

wrote in message news:xxxxx@ntdev…

> No one really minds querying it, even if it is done by some undocumented
> API call. However, you asked us about something totally different - you
> asked us how to prevent a thread being suspended by a user with
> Admin privileges. Normally such things are done only by malware - after
> all, Admins are supposed to do whatever they want on their own machines,
> so that “good” software
> does not try to stand in their way. This is the only reason why you got a
> bit of a hard time…
>

As I said three times now, I regret having said that and it was not the real
reason I was asking about it. I gave this as an answer to the question why I
needed this. Of course it is a losing battle. However one could argue that
if you are launching rockets or developing life-supporting equipment it could
be acceptable to build in a higher threshold even for administrators to
suspend things like that.

> Actually, you are just obsessed with suspend count…
>
> FYI, there is no need to know it for discovering thread’s execution
> state - this info is available via ZwQuerySystemInformation(), infoclass
> 5. If you want to prevent thread from being suspended, you don’t need to
> deal with its suspend count either…

Thanks, well at least you give an answer, that’s noble. I have been looking
there but I only found

#include <ntddk.h>   /* LARGE_INTEGER, CLIENT_ID, KWAIT_REASON */

typedef struct ThreadSysInfo_t {
    LARGE_INTEGER ThreadKernelTime;
    LARGE_INTEGER ThreadUserTime;
    LARGE_INTEGER ThreadCreateTime;
    ULONG TickCount;
    ULONG StartEIP;
    CLIENT_ID ClientId;
    ULONG DynamicPriority;
    ULONG BasePriority;
    ULONG nSwitches;
    ULONG Unknown;
    KWAIT_REASON WaitReason;
} THREADSYSINFO, *PTHREADSYSINFO;

Are you sure it is in here? Which member gives me this information, if you
don’t mind?

>
>> Now I also have incredible kernel development skills…
>
> LOL. If you are such a “guru”, why do you ask us for help then??? In
> fact, your questions strongly suggest exactly the opposite - the stuff
> you ask us about is just basic…
>

I never said I was a guru, I only said I have strong skills but I am not
ashamed or too proud to ask a question here and don’t see why I should.

/Daniel
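Putting Anton's pointer and Daniel's struct side by side, here is an added example (my own code, not from the thread) that reads the per-thread record info class 5 returns and decides whether a thread, and by extension a process, is suspended. It assumes the commonly published SYSTEM_THREAD_INFORMATION layout, in which the member Daniel labelled Unknown is ThreadState, and it works on constructed sample records rather than a live query so it builds on any host.

```c
/* Added example, not from the thread: classify a thread from the per-thread
 * record ZwQuerySystemInformation info class 5 returns. Plain C types stand in
 * for the Windows ones so it builds anywhere. Daniel's "Unknown" = ThreadState. */
#include <stdint.h>
#include <stdio.h>

/* KTHREAD_STATE and KWAIT_REASON values in kernel order. */
enum { StateInitialized, StateReady, StateRunning, StateStandby,
       StateTerminated, StateWaiting, StateTransition, StateDeferredReady };
enum { WaitExecutive, WaitFreePage, WaitPageIn, WaitPoolAllocation,
       WaitDelayExecution, WaitSuspended, WaitUserRequest };

typedef struct {                             /* SYSTEM_THREAD_INFORMATION */
    int64_t   KernelTime, UserTime, CreateTime;
    uint32_t  WaitTime;                      /* Daniel's TickCount  */
    uintptr_t StartAddress;                  /* Daniel's StartEIP   */
    uintptr_t UniqueProcess, UniqueThread;   /* CLIENT_ID           */
    int32_t   Priority, BasePriority;
    uint32_t  ContextSwitches;               /* Daniel's nSwitches  */
    uint32_t  ThreadState;                   /* Daniel's "Unknown"  */
    uint32_t  WaitReason;
} ThreadInfo;

/* Parked by (Zw)SuspendThread: Waiting/Suspended. Ordinary wait: Waiting/UserRequest.
 * The suspend count itself is not part of this record. */
int thread_is_suspended(const ThreadInfo *t) {
    return t->ThreadState == StateWaiting && t->WaitReason == WaitSuspended;
}

/* One workable definition: a process is suspended when all its threads are. */
int process_is_suspended(const ThreadInfo *threads, size_t n) {
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!thread_is_suspended(&threads[i])) return 0;
    return 1;
}

/* Constructed sample: two suspended threads and one in an ordinary wait (made-up values). */
static const ThreadInfo sample[3] = {
    { 0, 0, 0, 10, 0x401000, 1234, 1, 8, 8, 40, StateWaiting, WaitSuspended   },
    { 0, 0, 0, 12, 0x401000, 1234, 2, 8, 8,  7, StateWaiting, WaitSuspended   },
    { 0, 0, 0,  3, 0x401000, 1234, 3, 8, 8, 99, StateWaiting, WaitUserRequest },
};
int main(void) {
    for (size_t i = 0; i < 3; i++)
        printf("tid %u: %s\n", (unsigned)sample[i].UniqueThread,
               thread_is_suspended(&sample[i]) ? "suspended" : "not suspended");
    printf("process suspended: %d\n", process_is_suspended(sample, 3));
    return 0;
}
```

Note that this tells you whether a thread is currently suspended, which is what a tool like Process Explorer needs to display; the count of outstanding suspends is still not exposed, which is exactly the point Mark made earlier in the thread.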

> I was asking for a simple technical question, really nothing more
> and nothing less. This does not mean I am obliged to subject myself
> to a moral investigation and be forced to publish the details of my
> new product which I prefer to keep secret for the moment. Does
> it make sense?

New here, eh? Read the archives; plenty of people meet plenty of skepticism about the inquiries they post here.

In many cases, the skepticism is justified, because a junior programmer is asking a question that a senior programmer recognizes as a sign of a defective *design*, not just benign ignorance on how to do a particular thing. For example, if someone asks how they can lower a thread’s IRQL from “dispatch” to “passive” (without having first raised it themselves), a senior programmer recognizes that the person is asking the equivalent of “I have a bazooka. Where is my foot, and how do I blow it off?”

And in a much smaller number of cases, the skepticism has been justified because people have built malicious software, sometimes committing serious crimes, using the information gained. No one here wants to be a part of that.

So don’t play the victim here. You asked a question, were given reasonable answers, and retorted that the answers do not apply to you, for reasons that you refuse to provide. Fine – your privacy is your own. But your secretiveness does not inspire confidence in the people whom you have asked for advice. So suck it up, and either be a little more “honest” (your own words), or seek another source of information.

[As always, I do not speak for my employer.]


From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Daniel Terhell [xxxxx@resplendence.com]
Sent: Sunday, March 25, 2007 10:52 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] getting SuspendCount of a thread

With his detrimental prejudice he classified my product as shitty while he
does not even know what it does or where or when it will be used. Expert or
not, as far as I am concerned he can go and wash his fingers, assuming he
was using a keyboard to produce this arrogance.

Of course some of the replies here do have a point, suspending threads which
are not yours is a dangerous business and could well hang up a system.
Therefore getting to know the suspend counts of threads is also potentially
dangerous. And I regret the initial answer I gave to the question why I
needed this which was not a complete and totally honest answer.

However statements such as “designs that need to know the suspend count are
inherently broken” are nothing more than general rules of thumb. For example
Sysinternals Process Explorer knows exactly what processes are suspended in
the system, it likely gets this information by querying the suspend counts
of threads. At this point the discussion
will probably be taken to something like “yes but at least they are from
Microsoft” or “yes but these guys at least really know what they are doing”.
Of course we will allow an exception for them but what is apparent to me is
that the highest gurus are often using the most controversial dirty hacks
themselves.

Now I also have incredible kernel development skills and I am really old and
wise enough to take the responsibility to make decisions like these myself.
Like I said before I do not want to publish here what I am creating because
my customers may be reading along. The code I am writing is only being run
under very exceptional conditions when the user chooses to do so. Querying
the suspend count of threads is logically justified in this case, more I
really do not want to say.

I was asking for a simple technical question, really nothing more and
nothing less. This does not mean I am obliged to subject myself to a moral
investigation and be forced to publish the details of my new product which I
prefer to keep secret for the moment. Does it make sense?

/Daniel

“MM” wrote in message news:xxxxx@ntdev…
> [FLAME MODE ON]
>
> Daniel Terhell wrote:
>
>>My company dispenses with you or any experts approval or judgement.
> Then why are you posting if you don’t care what the EXPERTS have to say?
> Mark is one of the
> few DDK MVP’s worldwide - although you may disagree with him,
> his opinion is something to listen to and consider, not ‘dispense’.
>
>>It is just not in my interest to discuss the internals of my new product
>>here.
> Then why are you asking a question regarding the internals of your gee-wiz
> product?
>
>>I am developing a very cool utility
> Let me guess, as Tim put it, you’re “Adding Value”?
>
>>I have a responsibility towards myself, our users and customers only.
> There are only two entities here… (you being one of them)
>
>>Feel free to discuss the merits of my product or the techniques it uses
>>when it will be ready or at least announced.
>>
> I’ll be looking forward to it - just be warned. In my usual style I’ll be
> fashionably late to your release party.
> (as I’m sure everyone here will be as well)
>
> [FLAME MODE OFF]
>
>

