hi
My guess is that you are using the undocumented PsLookupProcessByProcessId.
It seems like many developers are not aware to the fact that
PsLookupProcessByProcessId returns a referenced pointer to the
process(check PEPROCESS -0x18 before and after the call), leaving the
process in a state that SoftIce (and afaik only SoftIce detects) calls
“Deleting”.
The solution would be to call ObDereferenceObject after every successful
call to PsLookupProcessByProcessId.
Itai
At 07:00 PM 8/12/2002 +0900, you wrote:
Simply put you have some code waiting for the resource, or perhaps some
other stuff that stops the process from shutting down (like locked memory, but
this would cause a BSOD not Deleting status)Regards, Dejan.
xxxxx@hotmail.com wrote:
> Hi all!
>
> I have a question:
>
> After i run my driver, i enter SoftIce and type the command “proc”.
> Every processs that started after my driver was up is staying in Status
> “Deleting”.
> It looks something like this:
>
> Process KPEB PID Threads Pri User Time Krnl Time Status
> System 80E92838 4 32 8 00000000 00000158 Ready
> sms1 FFB2AB98 19C 3 B 00000001 00000005 Idle
> csrss FFB2B020 1DC A D 00000032 000002F8 Ready
> winlogon 80D4AA28 1F4 13 D 0000003D 0000007E Ready
> services FFA93BF8 220 F 9 00000025 00000080 Ready
> lsass FFAA5BF8 234 15 9 00000019 00000016 Ready
> svchost FFAA0A00 2E0 7 8 00000004 00000007 Idle
> svchost FFAC1D80 314 3E 8 00000D76 000000AF Ready
> svchost FFAF2DA8 3A4 5 8 00000001 00000003 Ready
> svchost FFB0F3C8 3C0 0 8 00000004 00000007 Ready
> spoolsv 80E694F8 418 E 8 00000002 00000002 Ready
> defwatch FFADCB30 4D8 3 8 00000001 00000001 Idle
> rtvscan FFAFAB30 518 26 8 0000000E 0000001F Ready
> explorer FFBCFAF8 7E0 C 8 000000D2 00000346 Ready
> vptray FFA89958 1C0 2 8 00000002 00000001 Ready
> ctfmon FF92E958 1C4 1 8 00000004 00000004 Ready
> dbgview … Deleting
> dbgview … Deleting
> dbgview … Deleting
> MyProcess … Deleting
> MyProcess … Deleting
> MyProcess … Deleting
> *Idle 8053CB40 0 1 0 00000000 00383E43 Running
>
> And every other process that i’ll run will stay in the state Deleting.
> these “Deleting” processes doesn’t appear in the TaskManager and not in
> the ProcessExplorer Application.
>
> 10x for your Help.
>
> Guy.
>
> —
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to %%email.unsub%%–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
You are currently subscribed to ntfsd as: xxxxx@infogateonline.com
To unsubscribe send a blank email to xxxxx@lists.osr.com