PsGetCurrentThreadTeb question

Paul_McDonough · January 18, 2014, 7:22pm

PsGetCurrentThreadTeb is KM API that available for Win7+. Before, it seemed that accessing the TEB was a hack job which was very much frowned upon. So now Microsoft gave us this function to get the current thread contexts’ TEB however the documentation is very sparse on what you can actually do with the TEB once your retrieve it. Because the TEB can change between Windows versions and even SPs, are there any APIs that reliably query the TEB structure otherwise, what purpose does this function really serve?

Doron_Holan · January 18, 2014, 7:49pm

What bigger problem do you want to solve?

d

Bent from my phone

From: xxxxx@gmail.com mailto:xxxxx
Sent: ?1/?18/?2014 4:21 PM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: [ntdev] PsGetCurrentThreadTeb question

PsGetCurrentThreadTeb is KM API that available for Win7+. Before, it seemed that accessing the TEB was a hack job which was very much frowned upon. So now Microsoft gave us this function to get the current thread contexts’ TEB however the documentation is very sparse on what you can actually do with the TEB once your retrieve it. Because the TEB can change between Windows versions and even SPs, are there any APIs that reliably query the TEB structure otherwise, what purpose does this function really serve?

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx>

Paul_McDonough · January 18, 2014, 8:21pm

I’m not trying to solve anything. I am just curious. If the TEB is an opaque structure of sorts, why is there a function to get the current threads’ TEB but then no other real support functions that query/manipulate it? Also why is there no function to get an arbitrary thread’s TEB?

Doron_Holan · January 18, 2014, 9:12pm

No idea why it showed up, I am guessing for a compat reason. There isn’t a method for an arbitrary thread because there is no way for you to get it nor control its lifetime or state and sync with any changes

d

Bent from my phone

From: xxxxx@gmail.com mailto:xxxxx
Sent: ?1/?18/?2014 5:20 PM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: RE:[ntdev] PsGetCurrentThreadTeb question

I’m not trying to solve anything. I am just curious. If the TEB is an opaque structure of sorts, why is there a function to get the current threads’ TEB but then no other real support functions that query/manipulate it? Also why is there no function to get an arbitrary thread’s TEB?

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx>