Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

Hi, I want to create a driver that does a synchronous notification of process execution but I have some doubts about notification routines.

Please tell me if I’m right or wrong in these assumptions:

  1. When PsSetCreateProcessNotifyRoutine’s callback is called the process is still not visible from usermode.

  2. When PsSetCreateThreadNotifyRoutine’s callback is called for the process’ main thread, the process is visible from usermode but no threads are visible from there.

I have a running service that communicates with the driver and want to get notified when a process is started and take some actions on it just before process execution starts.

Hints and other approaches are accepted.

Regards,
Mauro.


> Please tell me if I’m right or wrong in these assumptions:
> 1) When PsSetCreateProcessNotifyRoutine’s callback is called the process is still not visible from usermode.
> 2) When PsSetCreateThreadNotifyRoutine’s callback is called for the process’ main thread, the process is visible from usermode but no threads are visible from there.

You should not make any of these assumptions because the creating/deleting thread might hold a system reserved lock that may also be held by a querying user-mode thread. So if your service is querying the list of running processes, it should not wait on your callback or they might both hang.

For example, the PsSetLoadImageNotifyRoutine documentation states that a LoadImageNotifyRoutine should not perform any virtual memory related operation in the context of the current process because a lock that protects the virtual address space of the process is held while the callback is running. So a callback should not call ZwMapViewOfSection, ZwUnmapViewOfSection, ZwAllocateVirtualMemory or any API that would lead to the creation, deletion or even query of a virtual address in the current process.

Look at this document; it is interesting for the purpose of calling user mode from kernel mode:

http://insider.osr.com/2013/ntinsider_2013_01.pdf

Hi Mauro,

Read the description of the CreateProcess API in the Windows Internals PDF.
Both of the above-mentioned notify routines execute in blocking mode.
I find your assumptions to be true.

On Sat, Aug 9, 2014 at 8:35 AM, wrote:

>
> Please tell me if I’m right or wrong in these assumptions:
> 1) When PsSetCreateProcessNotifyRoutine’s callback is called the process
> is still not visible from usermode.
> 2) When PsSetCreateThreadNotifyRoutine’s callback is called for the
> process’ main thread, the process is visible from usermode but no
> threads are visible from there.
>
>
> You should not make any of these assumptions because the creating/deleting
> thread might hold a system reserved lock that may also be held by a
> querying user-mode thread. So if your service is querying the list of
> running processes, it should not wait on your callback or they might both
> hang.
>
> For example, the PsSetLoadImageNotifyRoutine documentation states that a
> LoadImageNotifyRoutine should not perform any virtual memory related
> operation in the context of the current process because a lock that
> protects the virtual address space of the process is held while the
> callback is running. So a callback should not call ZwMapViewOfSection,
> ZwUnmapViewOfSection, ZwAllocateVirtualMemory or any API that would lead to
> the creation, deletion or even query of a virtual address in the current
> process.
>
> Look at this document, it is interesting for the purpose of calling user
> mode from kernel mode:
>
> http://insider.osr.com/2013/ntinsider_2013_01.pdf

No, that advice is incorrect. The assumptions are invalid in various edge conditions, given the very vague assumptions posited by the OP. The process object is published to a namespace visible to user mode before the Ps process creation notify callout is invoked. Thread creation callouts are also not necessarily synchronized with one another.

No user mode code will run on a newly created thread before the Ps thread creation notify callout completes for that thread, however.

- S (Msft)

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
Sent: Saturday, August 09, 2014 11:59 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

Hi Mauro,

Read the description of the CreateProcess API in the Windows Internals PDF.
Both of the above-mentioned notify routines execute in blocking mode.
I find your assumptions to be true.


Hello Skywing,

I would advise you the same. Read the Windows Internals PDF, Chapter 5.
The advice is not vague. And for the edge conditions please refer to ReactOS
or get hands on the source of the Windows Research Kernel.

On Sun, Aug 10, 2014 at 9:41 PM, Skywing wrote:

> No, that advice is incorrect. The assumptions are invalid in various
> edge conditions, given the very vague assumptions posited by the OP.
> The process object is published to a namespace visible to user mode before
> the Ps process creation notify callout is invoked. Thread creation
> callouts are also not necessarily synchronized with one another.
>
> No user mode code will run on a newly created thread before the Ps thread
> creation notify callout completes for that thread, however.
>
> - S (Msft)

Depending on ReactOS for any internals stuff is stupid; it is either speculation or way out of date. Ken (Skywing) is correct here, your assumptions are wrong. Been there, done that and have the scars.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
Sent: Sunday, August 10, 2014 1:35 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

Hello Skywing,

I would advise you the same. Read the Windows Internals PDF, Chapter 5.
The advice is not vague. And for the edge conditions please refer to ReactOS or get hands on the source of the Windows Research Kernel.


Hi Burn,

OK, fine, take ReactOS out of the discussion. What about the algorithm
published in Windows Internals?
It clearly describes the blocking nature of the callbacks stated in this
discussion.

On Sun, Aug 10, 2014 at 11:09 PM, Don Burn wrote:

> Depending on ReactOS for any internals stuff is stupid; it is either
> speculation or way out of date. Ken (Skywing) is correct here, your
> assumptions are wrong. Been there, done that and have the scars.
>
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com

And that is good for “most cases”. The problem is that, having gone through the source for this stuff up to Win7, there are edge conditions exactly as Ken stated, which mean the algorithm there can only be treated as “in general”; as soon as you get to specific OSes and all possible use cases of NtCreateProcess, things get wonky.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
Sent: Sunday, August 10, 2014 2:00 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

Hi Burn,

OK, fine, take ReactOS out of the discussion. What about the algorithm published in Windows Internals?
It clearly describes the blocking nature of the callbacks stated in this discussion.


Don, could you please give some references, links or some pointers about the NtCreateProcess wonky stuff…
I am not sure about the use cases you are describing.

On Sun, Aug 10, 2014 at 11:35 PM, Don Burn wrote:

> And that is good for “most cases”. The problem is that, having gone through the
> source for this stuff up to Win7, there are edge conditions exactly as Ken
> stated, which mean the algorithm there can only be treated as “in general”; as
> soon as you get to specific OSes and all possible use cases of
> NtCreateProcess, things get wonky.
>
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
>
>
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
> Sent: Sunday, August 10, 2014 2:00 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Process state in PsSetCreateProcessNotifyRoutine &
> PsSetCreateThreadNotifyRoutine
>
> Hi Burn,
>
> Ok fine, take out reactos from the discussion. what about the algorithm
> published in windows internals??
> It clearly describes the blocking nature of the callbacks stated in this
> discussion.
>
>
> On Sun, Aug 10, 2014 at 11:09 PM, Don Burn wrote:
>
>
> Depending on ReactOS for any internals stuff is stupid, it is
> either speculation or way out of date. Ken (Skywing) is correct here, your
> assumptions are wrong. Been there done that and have the scars.
>
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
>
>
>
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
> Sent: Sunday, August 10, 2014 1:35 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Process state in
> PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine
>
> Hello Skywing,
>
> I would advice you the same. Read Windows Internals Pdf. Chapter 5.
> The advice is not vague. And for the edge conditions please refer
> reactos or get Hands source of Windows Research Kernel.
>
>
> On Sun, Aug 10, 2014 at 9:41 PM, Skywing <
> xxxxx@valhallalegends.com> wrote:
>
>
> No, that advice is incorrect. The assumptions are invalid
> in various edge conditions, given the very vague assumptions posited about
> by the OP. The process object is published to a namespace visible to user
> mode before the Ps process creation notify callout is invoked. Thread
> creation callouts are also not necessarily synchronized with one another.
>
>
>
> No user mode code will run on a newly created thread
> before the Ps thread creation notify callout completes for that thread,
> however.
>
>
>
> - S (Msft)
>
>
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
> Sent: Saturday, August 09, 2014 11:59 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Process state in
> PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine
>
>
>
> Hi Mauro,
>
>
>
> Read the description of CreateProcess api in Windows
> Internals Pdf.
>
> Both of the above mentioned notify routines execute in
> blocking mode.
>
> I find your assumptions to be true.
>
>
>
> On Sat, Aug 9, 2014 at 8:35 AM, wrote:
>
>
>
> Please tell me if i’m fine or wrong in these
> assumptions:
> 1) When PsSetCreateProcessNotifyRoutine’s callback
> is called the process is still not visible from usermode.
> 2) When PsSetCreateThreadNotifyRoutine’s callback
> is called for the process’ main thread, the process is visible from
> usermode but it no threads are visible from there.
>
>
>
> You should not make any of these assumptions
> because the creating/deleting thread migth hold a system reserved lock that
> may be held as well by a querying user-mode thread. So if your service is
> querying the list of running process, it should not wait on your callback
> or their might both hang.
>
> For example, the PsSetLoadImageNotifyRoutine
> documentation states that a LoadImageNotifyRoutine should not perform any
> virtual memory related operation in the context of the current process
> because a lock that protects the virtual address space of the process is
> held while the callback is running. So a callback should not call
> ZwMapViewOfSection, ZwUnmapViewOfSection, ZwAllocateVirtualMemory or any
> API that would lead to the creation, deletion or even query of a virtual
> address in the current process.
>
> Look at this document, it is interesting for the
> purpose of calling user mode from kernel mode:
>
> http://insider.osr.com/2013/ntinsider_2013_01.pdf
>
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

As someone who has touched this code in the operating system in the past, you’re providing incorrect information here.

I don’t know how else to put that.

- S (Msft)

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
Sent: Sunday, August 10, 2014 10:35 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

Hello Skywing,

I would advise you the same. Read the Windows Internals PDF, Chapter 5.
The advice is not vague. And for the edge conditions please refer to ReactOS or get hands on the source of the Windows Research Kernel.

On Sun, Aug 10, 2014 at 9:41 PM, Skywing wrote:
No, that advice is incorrect. The assumptions are invalid in various edge conditions, given the very vague assumptions posited about by the OP. The process object is published to a namespace visible to user mode before the Ps process creation notify callout is invoked. Thread creation callouts are also not necessarily synchronized with one another.

No user mode code will run on a newly created thread before the Ps thread creation notify callout completes for that thread, however.

- S (Msft)

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of rohan kumbhar
Sent: Saturday, August 09, 2014 11:59 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

Hi Mauro,

Read the description of the CreateProcess API in the Windows Internals PDF.
Both of the above mentioned notify routines execute in blocking mode.
I find your assumptions to be true.


Hey Skywing,

That's great. I provided the information I had. I will make sure I post more
authentic information next time.

On Sun, Aug 10, 2014 at 11:56 PM, Skywing
wrote:

> As someone who has touched this code in the operating system in the
> past, you’re providing incorrect information here.
>
>
>
> I don’t know how else to put that.
>
>
>
> - S (Msft)
>

I think that the system process list may or may not be locked while the callback is called.

For the thread creation, only the owning process’s thread list may be locked.

The important thing to point out is that a correct assumption could be wrong as soon as tomorrow.

Depending on the OS release that you’re running on, neither of these assumptions are true. As you note, drivers should not depend on either of these being the case.

- S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.fr
Sent: Sunday, August 10, 2014 12:41 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process state in PsSetCreateProcessNotifyRoutine & PsSetCreateThreadNotifyRoutine

I think that the system process list may or may not be locked while the callback is called.

For the thread creation, only the owning process’s thread list may be locked.

The important thing to point out is that a correct assumption could be wrong as soon as tomorrow.


Good idea, Mr. Kumbhar. Thanks for that.

My advice: Get to know the players before calling them out for a gunfight. Ken Johnson (Skywing) is a big gun, and it rarely pays to challenge him to a duel.

Peter
OSR
@OSRDrivers

hi all,

In no way am I trying to call anyone out for a gunfight. But if in any way
my approach has appeared otherwise, I APOLOGIZE.

However, I am still interested in getting the insight as to why the
assumptions would be wrong. What could be the possible corner cases? How can I
monitor the related scenario?

On Mon, Aug 11, 2014 at 10:36 AM, wrote:

> Good idea, Mr. Kumbhar. Thanks for that.
>
> My advice: Get to know the players before calling them out for a gunfight.
> Ken Johnson (Skywing) is a big gun, and it rarely pays to challenge him to
> a duel.
>
> Peter
> OSR
> @OSRDrivers
>