Regarding ZwClose()

Hi All,

Can we close a handle to a file, which was obtained in the context of a
System Thread,
in a thread which is executing in the context of a User Mode Process (and
this thread is executing in kernel mode)?

If not, then what is need to get the file handle in the context of the user
mode thread (executing in kernel mode)?

Thanks in advance.

Regards,
-Vipul.

The rules for handle references that apply here are:

• If the handle resides in a particular process?s handle table, then you must be executing in that process to reference it.
• If the handle was opened with OBJ_KERNEL_HANDLE, then a kernel mode caller can reference it from any process.

Note that it is, in general, not safe to accept a handle from an untrusted (user mode) source and close it on behalf of the user.

Assuming that this is a handle you opened yourself in kernel mode, you should have specified OBJ_KERNEL_HANDLE, and that means you can close it from any context at PASSIVE_LEVEL with ZwClose. (Make sure to synchronize with anyone who might try to use the handle, as attempting to reference a bad kernel handle will bugcheck the system.)

• S

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Vipul
Sent: Wednesday, October 08, 2008 11:34 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Regarding ZwClose()

Hi All,

Can we close a handle to a file, which was obtained in the context of a System Thread,
in a thread which is executing in the context of a User Mode Process (and this thread is executing in kernel mode)?

If not, then what is need to get the file handle in the context of the user mode thread (executing in kernel mode)?

Thanks in advance.

Regards,
-Vipul.
— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer