How to call ZwTerminaterThread() in a kernel driver?

Peng_Hailin · February 22, 2006, 10:24am

There isn’t any declaration of ZwTerminaterThread() in ntdkk.h ,
so calling this function will result in such compiler error:
error C2065: ‘ZwTerminateThread’ : undeclared identifier

So, how to call ZwTerminaterThread() in a kernel driver? Thanks.

OSR_Community_User · February 22, 2006, 11:32am

Simple. You should never need to do this in kernel mode.

What are you trying to achieve? Are you trying to terminate a thread that
you created using PsCreateSystemThread? Doing so is absolutely forbidden,
and is a common FAQ for NT development. Instead, you should be using some
sort of synchronization object (event, APC, etc.) to request that the thread
exit.

Are you trying to terminate a user-mode thread? If so, why?

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hailin Peng
Sent: Wednesday, February 22, 2006 9:49 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to call ZwTerminaterThread() in a kernel driver?

There isn’t any declaration of ZwTerminaterThread() in ntdkk.h , so calling
this function will result in such compiler error:
error C2065: ‘ZwTerminateThread’ : undeclared identifier

So, how to call ZwTerminaterThread() in a kernel driver? Thanks.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stonestreetone.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Maxim_S_Shatskih · February 25, 2006, 3:26pm

It is better to never ever use TerminateThread, it causes the user stack of
the thread to be leaked.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Hailin Peng”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, February 22, 2006 5:49 PM
Subject: [ntdev] How to call ZwTerminaterThread() in a kernel driver?

> There isn’t any declaration of ZwTerminaterThread() in ntdkk.h ,
> so calling this function will result in such compiler error:
> error C2065: ‘ZwTerminateThread’ : undeclared identifier
>
> So, how to call ZwTerminaterThread() in a kernel driver? Thanks.
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Alex_Ionescu-2 · February 25, 2006, 8:17pm

Hi,

That’s not true. Since XP stack cleanup is now done in Kernel Mode
according to a flag in ETHREAD (“CleanupStackOnTerminate or something
like that”).

Best regards,
Alex Ionescu

Maxim S. Shatskih wrote:

It is better to never ever use TerminateThread, it causes the user stack of
the thread to be leaked.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Hailin Peng”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Wednesday, February 22, 2006 5:49 PM
> Subject: [ntdev] How to call ZwTerminaterThread() in a kernel driver?
>
>
>
>>There isn’t any declaration of ZwTerminaterThread() in ntdkk.h ,
>>so calling this function will result in such compiler error:
>> error C2065: ‘ZwTerminateThread’ : undeclared identifier
>>
>>So, how to call ZwTerminaterThread() in a kernel driver? Thanks.
>>
>>
>>
>>
>>—
>>Questions? First check the Kernel Driver FAQ at
>
> http://www.osronline.com/article.cfm?id=256
>
>>You are currently subscribed to ntdev as: xxxxx@storagecraft.com
>>To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>

OSR_Community_User · February 27, 2006, 10:30am

Regardless, TerminateThread can never guarantee that the process containing
that thread can be left in a consistent state. The thread could be
performing any number of actions, could be modifying data structures
reachable by other threads, could hold locks, etc.

TerminateThread is nearly always the wrong choice. It is *never* the right
choice for a kernel thread. For user-mode code, you might as well just call
TerminateProcess. It’s like removing a persons vital organs – you might as
well just kill the person outright.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Ionescu
[397670]
Sent: Saturday, February 25, 2006 8:16 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to call ZwTerminaterThread() in a kernel driver?

Hi,

That’s not true. Since XP stack cleanup is now done in Kernel Mode according
to a flag in ETHREAD (“CleanupStackOnTerminate or something like that”).

Best regards,
Alex Ionescu

Maxim S. Shatskih wrote:

It is better to never ever use TerminateThread, it causes the user
stack of the thread to be leaked.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Hailin Peng”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Wednesday, February 22, 2006 5:49 PM
> Subject: [ntdev] How to call ZwTerminaterThread() in a kernel driver?
>
>
>
>>There isn’t any declaration of ZwTerminaterThread() in ntdkk.h , so
>>calling this function will result in such compiler error:
>> error C2065: ‘ZwTerminateThread’ : undeclared identifier
>>
>>So, how to call ZwTerminaterThread() in a kernel driver? Thanks.
>>
>>
>>
>>
>>—
>>Questions? First check the Kernel Driver FAQ at
>
> http://www.osronline.com/article.cfm?id=256
>
>>You are currently subscribed to ntdev as: xxxxx@storagecraft.com To
>>unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Alex_Ionescu-2 · February 27, 2006, 9:30pm

Arlie Davis wrote:

Regardless, TerminateThread can never guarantee that the process containing
that thread can be left in a consistent state. The thread could be
performing any number of actions, could be modifying data structures
reachable by other threads, could hold locks, etc.

TerminateThread is nearly always the wrong choice. It is *never* the right
choice for a kernel thread. For user-mode code, you might as well just call
TerminateProcess. It’s like removing a persons vital organs – you might as
well just kill the person outright.

– arlie

Sure, I was never arguing against this, just nitpicking on the explenation.

Terminating a thread should never be done from a driver and is really
bad design, apart from the actual problems it can give rise to.
Unforuanteyl, I’ve even seen some people that terminate worker threads.
Thankfully, the OS bugchecks when you try to do this now.

With the new 2003 kernels, terminating a thread could even lead to a bug
check. You never know if the thread is marked as a “critical thread”.
The flag can even be set from user-mode, AFAIK, and a critical thread
that dies brings down the OS and/or generates a breakpoint, which is
something you don’t want your driver to do on a customer’s machine.

Best regards,
Alex Ionescu