How to know a process status: being deleted

I need to know if a process is being deleted.
I have access to EPROCESS and KPROCESS structs.
Where is the status of the process stored: RUNNING, DELETING, etc.?

The debugger seems to get the status without problem but I cannot find where it is stored.

How do you have access to the PROCESS structs, they are undocumented and
have changed? Doing anything with these is a great way to crash a system.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


I wonder why some guys answer always with a sentence like that.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Friday, January 20, 2006 18:24
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to know a process status: being deleted

How do you have access to the PROCESS structs, they are undocumented and
have changed? Doing anything with these is a great way to crash a system.


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@pandasoftware.es
To unsubscribe send a blank email to xxxxx@lists.osr.com

Because Grasshopper, some questions are asked out of ignorance, without
knowledge that there may be a proper path.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@pandasoftware.es
Sent: Friday, January 20, 2006 11:30 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to know a process status: being deleted

I wonder why some guys answer always with a sentence like that.


So, I am pretty sure you know the answer, Master!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@seagate.com
Sent: Friday, January 20, 2006 18:38
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to know a process status: being deleted

Because Grasshopper, some questions are asked out of ignorance, without
knowledge that there may be a proper path.

Gary G. Little


Iñaki Castillo wrote:

> I wonder why some guys answer always with a sentence like that.

Because:
(A) It is true,
(B) Messages from this newsgroup are archived forever,
(C) Newbies greedily gobble up every word of every post looking for The
Divine Truth, and
(D) If no one pointed out patently dangerous behavior, folks reading
this later on wouldn’t know it was dangerous.

I, for one, will not stop pointing out things that I think are dangerous
or silly, no matter how many people scoff at the uselessness of such
responses. I stopped caring about public opinion a long time ago.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Here is how to know that a process is ending.
Sign up for PsSetCreateProcessNotifyRoutine. When the process is ending, you will get a call back.

> I need to know if a process is being deleted.
Off topic for a kernel list, but there are at least 2 user-mode solutions, each with its own pluses-minuses:

  1. if you have debug privileges, you can start/attach to the target process as a debugger and trace the fate of the target (and all its children processes, if needed);

  2. again, if you have enough rights, you can inject your thread in the target process (CreateRemoteThread, see Richter book and sample code) and wait for it to terminate (worse, even if your thread does absolutely nothing).

----- Original Message -----
From: jim
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Saturday, January 21, 2006 10:20 AM
Subject: Re:[ntdev] How to know a process status: being deleted

Here is how to know that a process is ending.
Sign up for PsSetCreateProcessNotifyRoutine. When the process is ending, you will get a call back.

There is a third user-mode option - WaitForSingleObject on the process handle.

Beverly


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Home
Sent: Saturday, January 21, 2006 11:13 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] How to know a process status: being deleted

I need to know if a process is being deleted.
Off topic for a kernel list, but there are at least 2 user-mode solutions, each with its own pluses-minuses:

  1. if you have debug privileges, you can start/attach to the target process as a debugger and trace the fate of the target (and all its children processes, if needed);

  2. again, if you have enough rights, you can inject your thread in the target process (CreateRemoteThread, see Richter book and sample code) and wait for it to terminate (worse, even if your thread does absolutely nothing).


> There is a third user-mode option - WaitForSingleObject on the process handle.
One always forgets to mention the obvious… :-)

----- Original Message -----
From: Brown, Beverly
To: Windows System Software Devs Interest List
Sent: Monday, January 23, 2006 6:25 PM
Subject: RE: Re:[ntdev] How to know a process status: being deleted

There is a third user-mode option - WaitForSingleObject on the process handle.

Beverly
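
The third user-mode option named in the thread, WaitForSingleObject on the process handle, shown as an added example (not code from any poster). The names `proc_state`, `state_from_wait`, `state_from_exit_code` and `query_process` are hypothetical, and the `#else` branch only restates documented Win32 constants so the decision logic compiles off Windows.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else   /* documented Win32 values, so the decision logic compiles anywhere */
typedef unsigned long DWORD;
#define WAIT_OBJECT_0 0x00000000UL
#define WAIT_TIMEOUT  0x00000102UL
#define STILL_ACTIVE  259UL
#endif

typedef enum { PROC_RUNNING, PROC_EXITED, PROC_UNKNOWN } proc_state;
/* Authoritative: a process handle is signaled once the process terminates. */
proc_state state_from_wait(DWORD wait_result)
{
    if (wait_result == WAIT_OBJECT_0) return PROC_EXITED;
    if (wait_result == WAIT_TIMEOUT)  return PROC_RUNNING;
    return PROC_UNKNOWN;                /* WAIT_FAILED or unexpected value */
}

/* Unreliable: STILL_ACTIVE (259) is also a legal exit code of a dead process. */
proc_state state_from_exit_code(DWORD exit_code)
{
    return exit_code == STILL_ACTIVE ? PROC_RUNNING : PROC_EXITED;
}

#ifdef _WIN32
/* timeout_ms = 0 polls; INFINITE blocks until the process terminates. */
proc_state query_process(DWORD pid, DWORD timeout_ms)
{
    HANDLE h = OpenProcess(SYNCHRONIZE, FALSE, pid); /* only right a wait needs */
    if (h == NULL) return PROC_UNKNOWN;              /* denied, or no such PID */
    proc_state s = state_from_wait(WaitForSingleObject(h, timeout_ms));
    CloseHandle(h);
    return s;
}
#endif

int main(int argc, char **argv)
{
    (void)argc; (void)argv;
#ifdef _WIN32
    if (argc > 1)                       /* real query: PID on the command line */
        printf("state: %d\n", (int)query_process(strtoul(argv[1], NULL, 10), 0));
#endif
    /* Constructed case: a process that has already exited with code 259. */
    printf("wait says %d, exit code says %d\n",
           (int)state_from_wait(WAIT_OBJECT_0), (int)state_from_exit_code(259));
    return 0;
}
```

A PID can be reused after the process exits, so where possible wait on the handle obtained when the process was created rather than reopening it by PID.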

