Relationship between _KTHREAD and Teb->Win32Thread

I have noticed that process (like “svchost.exe”) may have many
threads. But some of the threads have NULL “Teb->Win32Thread”. Here
are my questions:

  1. Is there any relationship between _KTHREAD and
    “Teb->Win32Thread”?

  2. How can I tell if
    (a) a thread with NULL “Win32Thread” is in the middle of thread
    creation so the value has not been filled in (by whom?), or
    (b) the thread has been created and running, but with a NULL
    “Win32Thread” field.

  3. How can I tell if a thread is a “kernel-thread” or user-mode
    thread? Are the threads with NULL “Win32Thread” the so-called
    kernel threads?

Below is some listing from WinDbg of “svchost.exe” that starts my
curiosity…

Thanks in advance,

Marc

---------------------------------------------------------------------------
kd> !process
PROCESS 8583c020 SessionId: 0 Cid: 0284 Peb: 7ffd5000 ParentCid:
0744
DirBase: 1200d000 ObjectTable: e231ca10 HandleCount: 1386.
Image: svchost.exe
VadRoot 85575800 Vads 444 Clone 0 Private 2300. Modified 379.
Locked 9.
DeviceMap e1005460
Token e2372740
ElapsedTime 02:36:46.375
UserTime 00:00:01.000
KernelTime 00:00:01.531
QuotaPoolUsage[PagedPool] 129768
QuotaPoolUsage[NonPagedPool] 57032
Working Set Sizes (now,min,max) (5967, 50, 345) (23868KB, 200KB,
1380KB)
PeakWorkingSetSize 6009
VirtualSize 129 Mb
PeakVirtualSize 129 Mb
PageFaultCount 15589
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 3786

THREAD 85839020 Cid 0284.0288 Teb: 7ffdf000 Win32Thread:
e2369560 WAIT: (Executive) UserMode Non-Alertable
85850754 NotificationEvent

THREAD 85804020 Cid 0284.0570 Teb: 7ffa3000 Win32Thread:
00000000 RUNNING on processor 0

THREAD 85844240 Cid 0284.0294 Teb: 7ffde000 Win32Thread:
00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
85857b28 Semaphore Limit 0x7fffffff

THREAD 85848868 Cid 0284.0298 Teb: 7ffdd000 Win32Thread:
00000000 WAIT: (DelayExecution) UserMode Alertable
85848958 NotificationTimer

THREAD 85840480 Cid 0284.02c0 Teb: 7ffda000 Win32Thread:
00000000 WAIT: (UserRequest) UserMode Non-Alertable
85846160 NotificationEvent
85846190 SynchronizationEvent
8586f168 NotificationEvent
858361c0 SynchronizationEvent
:
:

  1. It seems the Win32Thread pointer is non-NULL only for GUI threads. These
    threads have a large stack and use the shadow service table with the GUI
    functions from Win32k.sys.
  2. ‘b’ is the right answer.
  3. No, you can’t rely on the Win32Thread pointer. Use IoIsSystemThread().
    Most of the system threads (“kernel-thread”) have NULL ==
    PETHREAD->Tcb.Teb.
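
An added example, not from this thread: a small Python parser for the `!process` THREAD records shown above that applies the reply's heuristic (Win32Thread non-NULL means a GUI thread, NULL Teb suggests a system thread) to triage a listing offline. The sample embeds two records from Marc's listing plus one constructed NULL-Teb record; the heuristic is a debugger-side aid, not a substitute for IoIsSystemThread().

```python
import re

# Constructed sample: two THREAD records copied from the post's "!process" output
# (wrapped as on the page) plus a made-up NULL-Teb record, not from the listing.
SAMPLE = """\
THREAD 85839020 Cid 0284.0288 Teb: 7ffdf000 Win32Thread:
e2369560 WAIT: (Executive) UserMode Non-Alertable
85850754 NotificationEvent

THREAD 85804020 Cid 0284.0570 Teb: 7ffa3000 Win32Thread:
00000000 RUNNING on processor 0

THREAD deadbeef Cid 0004.0008 Teb: 00000000 Win32Thread:
00000000 WAIT: (Executive) KernelMode Non-Alertable
"""

THREAD_RE = re.compile(
    r"THREAD (?P<ethread>[0-9a-f]+) Cid [0-9a-f]+\.(?P<tid>[0-9a-f]+) "
    r"Teb: (?P<teb>[0-9a-f]+) Win32Thread: (?P<w32>[0-9a-f]+) (?P<rest>.*)"
)

def parse_threads(listing):
    """Return one dict per THREAD record. Records are blank-line separated and
    WinDbg/mail wrapping is undone so the regex sees each record on one line."""
    threads = []
    for block in re.split(r"\n\s*\n", listing.strip()):
        m = THREAD_RE.search(" ".join(ln.strip() for ln in block.splitlines()))
        if not m:
            continue
        rest = m.group("rest")
        reason = re.search(r"WAIT: \((\w+)\)", rest)
        threads.append({
            "tid": int(m.group("tid"), 16),
            "teb": int(m.group("teb"), 16),
            "win32thread": int(m.group("w32"), 16),
            "state": rest.split()[0].rstrip(":"),  # WAIT, RUNNING, READY, ...
            "wait_reason": reason.group(1) if reason else None,
        })
    return threads

def classify(t):
    """Triage rule from the reply: Win32Thread is non-NULL only for GUI threads
    and most system threads have a NULL Teb. IoIsSystemThread() is the
    authoritative in-kernel check; this only reads the debugger listing."""
    if t["teb"] == 0:
        return "probable system thread"
    if t["win32thread"] != 0:
        return "GUI thread (win32k)"
    return "user-mode non-GUI thread"
```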

“Marc Cruz” wrote in message news:xxxxx@ntfsd…