Problem of process with no active thread

Alex_Li · September 16, 2008, 3:52am

Hi, guys.

I got a problem with my minifilter driver:
I created a winword process and tracked its create & cleanup & read & write operation. After that I closed it(the main window was closed), I found the process was still there and there was no active thread in it.

Why?
Any help will be appreciated!
Thanks in advance!

Here is the analysis snippnet of “!process XXX 7”:

kd> !process fe31ab38 7
PROCESS fe31ab38 SessionId: 0 Cid: 0548 Peb: 7ffde000 ParentCid: 0984
DirBase: 008f0480 ObjectTable: 00000000 HandleCount: 0.
Image: WINWORD.EXE
VadRoot 00000000 Vads 0 Clone 0 Private 7. Modified 10681. Locked 0.
DeviceMap e11c0930
Token e3ab4508
ElapsedTime 00:59:08.593
UserTime 00:01:09.562
KernelTime 00:08:48.828
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (31, 50, 345) (124KB, 200KB, 1380KB)
PeakWorkingSetSize 28870
VirtualSize 338 Mb
PeakVirtualSize 653 Mb
PageFaultCount 1468005
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 0

No active threads

OSR_Community_User · September 16, 2008, 4:04am

> I got a problem with my minifilter driver:

I created a winword process and tracked its create & cleanup & read
& write operation. After that I closed it(the main window was
closed), I found the process was still there and there was no active thread in it.

I guess it’s during cleaning the handle table.

L.

OSR_Community_User · September 16, 2008, 4:05am

Perhaps at some point you are increasing the reference to that process but you are not releasing it ?

-----Mensaje original-----
De: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] En nombre de xxxxx@gmail.com
Enviado el: martes, 16 de septiembre de 2008 9:54
Para: Windows File Systems Devs Interest List
Asunto: [ntfsd] Problem of process with no active thread

Hi, guys.

I got a problem with my minifilter driver:
I created a winword process and tracked its create & cleanup & read & write operation. After that I closed it(the main window was closed), I found the process was still there and there was no active thread in it.

Why?
Any help will be appreciated!
Thanks in advance!

Here is the analysis snippnet of “!process XXX 7”:

kd> !process fe31ab38 7
PROCESS fe31ab38 SessionId: 0 Cid: 0548 Peb: 7ffde000 ParentCid: 0984
DirBase: 008f0480 ObjectTable: 00000000 HandleCount: 0.
Image: WINWORD.EXE
VadRoot 00000000 Vads 0 Clone 0 Private 7. Modified 10681. Locked 0.
DeviceMap e11c0930
Token e3ab4508
ElapsedTime 00:59:08.593
UserTime 00:01:09.562
KernelTime 00:08:48.828
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (31, 50, 345) (124KB, 200KB, 1380KB)
PeakWorkingSetSize 28870
VirtualSize 338 Mb
PeakVirtualSize 653 Mb
PageFaultCount 1468005
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 0

No active threads

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@pandasecurity.com To unsubscribe send a blank email to xxxxx@lists.osr.com

Alex_Li-2 · September 16, 2008, 6:10am

Thanks, guys!

I have fixed it.

I called CreateProcess but I have not closed the handle of the process and
the main thread.

So sorry for this stupid mistake~

Thanks!

Alex.