MSDN documentation says Threads are created but not executed until Loading
and Initialization process is over, so that means Windows must be using some
sort of event mechanism to trigger this.
Is this true? If so can someone throw some light on this mechanism?
--
> MSDN documentation says Threads are created but not executed until
> Loading and Initialization process is over, so that means Windows must
> be using some sort of event mechanism to trigger this.
> Is this true? If so can someone throw some light on this mechanism?
Basically the PE loader will map the image into memory and pass the entry point as the start function of a thread (which was IMO always suspended at that point). The thread is at this point created in suspended state. Once the loader deems initialization successful the thread is resumed. That's it.
The difference between the "types" of threads is that all Win32 threads (i.e. those created by CreateThread) have their start address inside kernel32.dll! This is the case because a wrapper exists there (just note the difference in the start routine prototype between Win32 and "native" threads).
Oliver
--
May the source be with you, stranger 
ICQ: #281645
URL: http://assarbad.net
amitr0 wrote:
> MSDN documentation says Threads are created but not executed until
> Loading and Initialization process is over, so that means Windows must
> be using some sort of event mechanism to trigger this.
> Is this true? If so can someone throw some light on this mechanism?
Adding to what Oliver said, remember that there is only one thread when
a process begins. It’s not like there are a bunch of threads just
itching to start.
Also remember that the CreateThread API has a “start me suspended”
flag. You can start a thread in suspended animation, then call
ResumeThread when you are ready to have it start.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
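The "start me suspended" pattern Tim describes, as an added example that is not part of this thread: a thread created with CREATE_SUSPENDED exists but cannot execute a single user-mode instruction until ResumeThread drops its suspend count to zero, so whatever the creator initializes in between is guaranteed visible to it. On Windows the example uses the real CreateThread/ResumeThread/WaitForSingleObject/GetExitCodeThread calls; on non-Windows systems (an assumption made so the example also builds there, not how Windows works) a mutex/condition-variable gate emulates the suspend count. The names worker, worker_ctx and run_suspended_start are the example's own.

```c
/* Added example (not from this thread): create a thread suspended, finish
 * "initialization", then resume it, the way the loader does for a process's
 * initial thread. Win32 path = real API; POSIX path = emulation (assumption). */
#include <stdio.h>

int run_suspended_start(void);   /* returns init_done as the worker saw it, -1 on error */

#ifdef _WIN32
#include <windows.h>

struct worker_ctx {
    int init_done;   /* written by the creator before ResumeThread */
};

/* Win32 start routine prototype (DWORD WINAPI f(LPVOID)); kernel32's wrapper
 * mentioned by Oliver calls this after the thread is resumed. */
static DWORD WINAPI worker(LPVOID arg)
{
    struct worker_ctx *ctx = (struct worker_ctx *)arg;
    /* First user-mode instruction of this thread runs only after ResumeThread. */
    return (DWORD)ctx->init_done;
}

int run_suspended_start(void)
{
    struct worker_ctx ctx = { 0 };
    DWORD exit_code = (DWORD)-1;
    HANDLE h = CreateThread(NULL, 0, worker, &ctx, CREATE_SUSPENDED, NULL);
    if (h == NULL)
        return -1;

    /* "Loading and initialization": the thread object exists with suspend
     * count 1 and has executed nothing yet. */
    ctx.init_done = 1;

    if (ResumeThread(h) == (DWORD)-1) {   /* suspend count 1 -> 0 */
        CloseHandle(h);
        return -1;
    }
    WaitForSingleObject(h, INFINITE);
    GetExitCodeThread(h, &exit_code);
    CloseHandle(h);
    return (int)exit_code;
}

#else  /* POSIX has no "create suspended", so gate the start routine instead */
#include <pthread.h>
#include <stdint.h>

struct worker_ctx {
    pthread_mutex_t lock;
    pthread_cond_t  gate;
    int suspend_count;   /* emulates the Win32 suspend count (assumption) */
    int init_done;
};

static void *worker(void *arg)
{
    struct worker_ctx *ctx = (struct worker_ctx *)arg;
    int seen;
    pthread_mutex_lock(&ctx->lock);
    while (ctx->suspend_count > 0)          /* parked like a suspended thread */
        pthread_cond_wait(&ctx->gate, &ctx->lock);
    seen = ctx->init_done;
    pthread_mutex_unlock(&ctx->lock);
    return (void *)(intptr_t)seen;
}

int run_suspended_start(void)
{
    struct worker_ctx ctx;
    pthread_t t;
    void *ret = NULL;

    pthread_mutex_init(&ctx.lock, NULL);
    pthread_cond_init(&ctx.gate, NULL);
    ctx.suspend_count = 1;     /* created "suspended" */
    ctx.init_done = 0;

    if (pthread_create(&t, NULL, worker, &ctx) != 0)
        return -1;

    pthread_mutex_lock(&ctx.lock);
    ctx.init_done = 1;         /* initialization completes ... */
    ctx.suspend_count = 0;     /* ... and only then the "ResumeThread" */
    pthread_cond_broadcast(&ctx.gate);
    pthread_mutex_unlock(&ctx.lock);

    pthread_join(t, &ret);
    pthread_cond_destroy(&ctx.gate);
    pthread_mutex_destroy(&ctx.lock);
    return (int)(intptr_t)ret;
}
#endif

int main(void)
{
    printf("worker saw init_done = %d\n", run_suspended_start());
    return 0;
}
```

The worker returns the value of init_done it observed, and because a suspended thread cannot run before the resume, that value is always 1. Dropping CREATE_SUSPENDED (or, in the emulation, starting with suspend_count at 0) turns this into a race in which the worker may read 0, which is exactly the ordering problem the loader avoids by holding the initial thread until initialization is done.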
amitr0 wrote:
> MSDN documentation says Threads are created but not executed until Loading
> and Initialization process is over, so that means windows must be using some
> sort of event mechanism to trigger this.
>
> Is this true? If so can someone throw some light on this mechanism?
The Windows Internals book (Russinovich/Solomon) talks about the
activities that occur in response to CreateProcess in relative detail.
The “event” I think you’re referencing is actually a user-mode APC,
which invokes the loader initialization and is executed as the new
thread (including the process initial thread) attempts to transition
from dispatch to passive IRQL. If/when the thread reaches actual
user-mode execution of the user thread start address, this inherently
means the APC for loader initialization has already executed.
Alan Adams
> The difference between the “types” of threads is that all Win32 threads (i.e. those
> created by CreateThread) have their start address inside kernel32.dll! This is
Yes, and IIRC this baseThreadStart entry point will call LdrInitializeThread in
ntdll, and this is where the wait occurs.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com