Process which created a thread

In my project I need to show thread-related information for a process. But I am not able to get info on the process which created the thread. I do not see any field in _KTHREAD or _ETHREAD related to the process which created the thread.

Could someone please help me find the process which created the thread?

xxxxx@gmail.com wrote:

In my Project I need to show thread related information of a process.
But I am not able to get info of a Process which created the thread.
I do not see any field in _KTHREAD or _ETHREAD related to process
which created the thread.

I think you need the ThreadsProcess field of the _ETHREAD.

Paul

> I think you need the ThreadsProcess field of the _ETHREAD.

It looks like the ThreadsProcess field of the _ETHREAD is for the process in which the thread is running, not the process which created the thread.

You should not be accessing the _ETHREAD or _KTHREAD structures, period, since
these are private structures that change with revisions and fixes in the OS.
Why do you think you need this data? If you do need this data, use the
PsSetCreateThreadNotify routine to build your own database of this
information.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
>> I think you need the ThreadsProcess field of the _ETHREAD.
>
> It looks like the ThreadsProcess field of the _ETHREAD is for the process in which
> the thread is running, not the process which created the thread.
>

> Why do you think you need this data? If you do need this data, use the
> PsSetCreateThreadNotify routine to build your own database of this
> information.

Thanks Don for replying.

I am working on anti-rootkit software where I need to show the process which created the thread.
I can't use PsSetCreateThreadNotify as our application supports only on-demand scan.

Then you cannot get the data. Consider making a small driver that loads at
boot time and tracks the data you want and acts as a helper to your main
driver. Note, I consider most of the crap that tries to access the
_KTHREAD and _ETHREAD structures to be some of the worst malware out there,
so do not make your anti-rootkit stuff worse than what you are trying to fix.
Personally, I don't see how on-demand anti-rootkit software can work
safely; there is too much you need to see from when the OS boots.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
>> Why do you think you need this data? If you do need this data, use the
>> PsSetCreateThreadNotify routine to build your own database of this
>> information.
>
> Thanks Don for replying.
>
> I am working on anti-rootkit software where I need to show the process which
> created the thread.
> I can't use PsSetCreateThreadNotify as our application supports only
> on-demand scan.
>

  1. That is the owner process, not the creator process (which are not related in cases such as process creation or CreateRemoteThread). There is no record of the creator that I know of offhand.

  2. This is undocumented, and that field has changed between OS versions before and can change again. You should not directly use it in a driver or you risk crashing your customers on new code releases.

  3. The documented IoThreadToProcess routine should be used instead of groveling in undocumented structures that are subject to change for the ThreadsProcess field. Be sure to address synchronization issues with process/thread rundown.

  • S

-----Original Message-----
From: Paul Durrant
Sent: Wednesday, June 10, 2009 02:29
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Process which created a thread

xxxxx@gmail.com wrote:
> In my Project I need to show thread related information of a process.
> But I am not able to get info of a Process which created the thread.
> I do not see any field in _KTHREAD or _ETHREAD related to process
> which created the thread.
>

I think you need the ThreadsProcess field of the _ETHREAD.

Paul


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
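The two points made above, that ThreadsProcess/IoThreadToProcess gives you the owner and that the creator can only be recorded at creation time via PsSetCreateThreadNotifyRoutine, can be put together in code. What follows is an added example, not code posted by anyone in this thread: the portable core of the "own database" Don suggests, compiled and exercised in user mode, with the WDK glue behind a `WDK_BUILD` guard. `WDK_BUILD` is an assumed macro for this example, not a WDK one; the process IDs 50/100/200 and thread IDs 1000-1002 are constructed. The creator comes from the fact, documented for the thread-notify callback, that the create-time call runs in the context of the thread that created the new thread, so PsGetCurrentProcessId() there is the creator while the ProcessId argument is the owner.

```c
/* Creator-vs-owner thread table, built from thread-create notifications.
 * Added example, not from the NTDEV thread. User-mode core; kernel glue
 * under WDK_BUILD (assumed macro, not from the WDK). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 1024

typedef struct {
    uint64_t tid;      /* thread id, the lookup key */
    uint64_t owner;    /* process the thread runs in (ProcessId argument) */
    uint64_t creator;  /* process that issued the create (current process in callback) */
    int initial;       /* first live thread seen in owner: process creation, not injection */
    int live;          /* cleared on the Create == FALSE notification (rundown) */
} ThreadRecord;

static ThreadRecord g_table[MAX_TRACKED];  /* in a driver: guard with a lock */
static size_t g_count = 0;

static ThreadRecord *find_record(uint64_t tid)
{
    for (size_t i = 0; i < g_count; i++)
        if (g_table[i].tid == tid)
            return &g_table[i];
    return NULL;
}

static int owner_has_live_thread(uint64_t owner)
{
    for (size_t i = 0; i < g_count; i++)
        if (g_table[i].live && g_table[i].owner == owner)
            return 1;
    return 0;
}

/* Body of a PCREATE_THREAD_NOTIFY_ROUTINE: owner_pid and tid are the callback's
 * ProcessId/ThreadId, current_pid is PsGetCurrentProcessId() at callback time. */
void on_thread_notify(uint64_t owner_pid, uint64_t tid, uint64_t current_pid, int create)
{
    ThreadRecord *r = find_record(tid);
    if (!create) {
        if (r) r->live = 0;                 /* thread gone; ids are reused later */
        return;
    }
    if (r) {
        r->live = 0;                        /* stale entry for a reused id */
    } else {
        if (g_count >= MAX_TRACKED) return; /* table full: drop, never overrun */
        r = &g_table[g_count++];
    }
    r->tid = tid;
    r->owner = owner_pid;
    r->creator = current_pid;
    r->initial = !owner_has_live_thread(owner_pid);
    r->live = 1;
}

/* 0 when the thread is unknown or already run down. */
uint64_t creator_of(uint64_t tid)
{
    const ThreadRecord *r = find_record(tid);
    return (r && r->live) ? r->creator : 0;
}

/* Injected thread: live, not the process's initial thread, created from elsewhere. */
int is_remote_thread(uint64_t tid)
{
    const ThreadRecord *r = find_record(tid);
    return r && r->live && !r->initial && r->creator != r->owner;
}

/* Constructed scenario; returns how many live threads look remote. */
int run_constructed_scenario(void)
{
    on_thread_notify(100, 1000, 50, 1);   /* parent 50 starts process 100: initial thread */
    on_thread_notify(100, 1001, 100, 1);  /* 100 creates its own worker thread */
    on_thread_notify(100, 1002, 200, 1);  /* 200 calls CreateRemoteThread into 100 */
    on_thread_notify(100, 1001, 100, 0);  /* worker exits */
    int remote = 0;
    for (size_t i = 0; i < g_count; i++)
        if (is_remote_thread(g_table[i].tid))
            remote++;
    return remote;
}

#ifdef WDK_BUILD
#include <ntddk.h>
static VOID CreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    on_thread_notify((uint64_t)(ULONG_PTR)ProcessId, (uint64_t)(ULONG_PTR)ThreadId,
                     (uint64_t)(ULONG_PTR)PsGetCurrentProcessId(), Create ? 1 : 0);
}
/* DriverEntry: PsSetCreateThreadNotifyRoutine(CreateThreadNotify);
 * Unload:      PsRemoveCreateThreadNotifyRoutine(CreateThreadNotify);
 * Owner of a PETHREAD at scan time: IoThreadToProcess(), not ETHREAD->ThreadsProcess. */
#endif

int main(void)
{
    printf("remote threads detected: %d\n", run_constructed_scenario());
    printf("creator of 1002: %llu\n", (unsigned long long)creator_of(1002));
    return 0;
}
```

The table only knows about threads created after the callback was registered, which is exactly Don's point: the helper driver has to be loaded at boot, or the "initial" heuristic and the creator field are both meaningless for anything already running.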

You’re sunk by design if you are trying to do this on a live system.

  • S

-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, June 10, 2009 05:53
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process which created a thread

>Why do you think you need this data? If you do need this data us the
>PsSetCreateThreadNotify routine to build your own database of this
>information.

Thanks Don for replying.

I am working on anti-rootkit software where I need to show the process which created the thread.
I can't use PsSetCreateThreadNotify as our application supports only on-demand scan.

