> Yes, I’m sorry because my title says “handle” and I’m trying to get the
thread ID.
Well, so summarizing my question is: how can I get the Thread ID of a
process, in user mode is obtained via CreateToolhelp32Snapshot +
Thread32First/Thread32Next ( the th32ThreadID member of the THREADENTRY32
structure ). so I’m trying get that information via
NtquerySystemInformation because these functions use it, but without
success.
In re-reading your question, there is a deep and fundamental failure. You
can’t get THE thead ID of a process because each process can have MANY
threads, and it is very important to understand that NONE of the threads
currently listed in the process might be the “original” thread whose
handle was returned from the CreateProcess call, although there might be a
thread with that same ID in the process, or a thread of that ID might now
exist in a completely different process. The only guarantee you have
about a thread ID is that at any instant of time it is a value distinct
from all other simultaneously-existing threads. And note that thread
termination will free up that value to be recycled ONLY when the
underlying kernel thread object is deleted. The object is not deleted
until its reference count goes to zero, which requires that (a) the thread
has terminated and (note “and”) (b) all outstanding handles to the thread
have been closed.
Ditto for process IDs.
So if you record an event for a given pair, you have absolutely
NO IDEA how that correlates with any past or future pair that
have the same numeric values. Bottom line: the OS does not and cannot
provide you with unique representations within a boot session,
and given <pid tid2 …> there is no way to dtermine what the
“main” thread really is, or even if it is in the tid set.
Note that for GUI apps, there is a high probability (but not a guarantee)
that the thread that owns the root window is the “main thread”, maybe,
just possibly, perhaps, but I have seen some instances where a secondary
thread holds all the visible graphical objects. It’s rare, because there
are certain risks to this approach, but you can’t rule it out. Besides,
why should you care which thread is the “main” thread? The concept is
quite meaningless to the OS, which is why there is no good way to discover
it.
Also, note that adding the executable path name does not change this:
<270, B2, msword.exe> may not be the same instance that was previously
described by <270, B2, msword.exe> because the previous instance of Word
may have been exited, and six hours later, when it was again launched, by
the merest coincidence the pid 270 had come around for recycling, and it
also just happened that the thread ID 0xB2 was also recycled. But in the
first instance, 0xB2 was the thread ID of the main thread, and in the
second case it was the background thread of the spellchecker (or something
like that). So what can you tell from a pair in your event log?
Answer: that at the time the event was logged, it was generated by a
given pid and from a specific thread within that process that had the
given tid number. The meaning of these numbers, however, gives you no
correlation between the two entries. There is nothing in the OS that
guarantees uniqueness in any way, such that you can make a meaningful
statement about the relationship of the two entries to each other. You
would have to track the creation and destruction of all processes and
threads to sort this mess out. Your event log would have to have entries
recording the pid and tid for all process and thread creations and
destructions to provide the context for interpretation.
Now, you might say, “Hey, I can inject a DLL and process the four events
there, for thread attach/detach and process attach/detatch.” This won’t
work. Read the fine print. I usually spend about ten minutes in my
Advanced Windows System Programming course explaining why this won’t work,
and I don’t feel like typing it all in tonight. But it won’t allow you to
do what you think it should allow you to do.
joe
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>