Hey, folks
I am looking for a way to terminate a user-mode thread (while running my
kernel mode code in its context, IRQL = 0). I used ZwTerminateProcess() for
terminating the process and it worked just fine. But if I want to terminate
the thread only, what can I do? I know there is a way to do that with
special kernel-mode APC, but I didn’t find any useful information on how to
do that. I mean, how exactly should I initialize the KAPC structure before
queuing the APC to the thread I want to terminate?
Regards,
Dmitry.
Can you explain why you’re trying to do this?
In general, hard killing a user mode thread like that will cause irreparable harm to the process in question. For example, if that thread had acquired a critical section, then that lock will be wedged forever. Even innocuous threads may perform operations like allocating from the process heap, which will take a lock.
Furthermore, on Windows 2000, doing this will permanently leak the stack of that thread - by default, 1MB of address space.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Dmitry G
Sent: Thursday, March 26, 2009 10:58 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Terminating user-mode thread
Hey, folks
I am looking for a way to terminate a user-mode thread (while running my
kernel mode code in its context, IRQL = 0). I used ZwTerminateProcess() for
terminating the process and it worked just fine. But if I want to terminate
the thread only, what can I do? I know there is a way to do that with
special kernel-mode APC, but I didn’t find any useful information on how to
do that. I mean, how exactly should I initialize the KAPC structure before
queuing the APC to the thread I want to terminate?
Regards,
Dmitry.
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
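The wedged-lock failure described in the reply above, as an added example that is not part of the original thread: it uses POSIX threads as a user-mode stand-in (an assumption, since the thread concerns Windows critical sections), with `pthread_cancel` playing the external kill and a stop flag as the cooperative alternative. The names `killed_worker`, `cooperative_worker` and `lock_state_after` are hypothetical.

```c
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>

static atomic_int holding, stop;   /* hypothetical handshake flags */

/* Worker that is terminated from outside while it owns the lock. */
static void *killed_worker(void *m) {
    pthread_mutex_lock(m);
    atomic_store(&holding, 1);
    for (;;) pause();              /* cancellation point: the kill lands here */
    return NULL;
}

/* Worker that polls a stop flag and releases the lock before exiting. */
static void *cooperative_worker(void *m) {
    pthread_mutex_lock(m);
    atomic_store(&holding, 1);
    while (!atomic_load(&stop)) sched_yield();
    pthread_mutex_unlock(m);
    return NULL;
}

/* Runs one worker, ends it, then reports pthread_mutex_trylock():
 * 0 means the lock could be taken, EBUSY means it is still owned. */
static int lock_state_after(int hard_kill) {
    pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
    pthread_t t;
    atomic_store(&holding, 0);
    atomic_store(&stop, 0);
    if (pthread_create(&t, NULL, hard_kill ? killed_worker : cooperative_worker, &m))
        return -1;
    while (!atomic_load(&holding)) sched_yield();  /* wait until the lock is held */
    if (hard_kill) pthread_cancel(t);              /* external termination */
    else atomic_store(&stop, 1);                   /* ask the thread to finish */
    pthread_join(t, NULL);
    return pthread_mutex_trylock(&m);
}

int main(void) {
    printf("after external kill: %s\n",
           lock_state_after(1) == EBUSY ? "EBUSY, lock wedged" : "lock free");
    printf("after cooperative stop: %s\n",
           lock_state_after(0) == 0 ? "lock free" : "EBUSY");
    return 0;
}
```

The terminated worker is gone, yet the mutex it owned never becomes available again; the cooperative worker leaves it free.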
There is an existing function, NtTerminateThread(…), but it is not an exported symbol from ntoskrnl.exe (SSD table item). This function calls the internal PspTerminateThreadByPointer(…), which actually initiates APC completion of threads (it calls the internal function PspExitThread(…)). It’s a “platform-specific way”.
> I am looking for a way to terminate a user-mode thread (while running my
> kernel mode code in its context, IRQL = 0). I used ZwTerminateProcess() for
> terminating the process and it worked just fine. But if I want to terminate
> the thread only, what can I do?
Terminating a thread is just plain unsafe. For instance, the user mode stack of the thread is leaked in this case.
So, I have major doubts there are any ways of doing this from the kernel-mode driver.
You can stall the thread forever though (and possibly deadlock the user process).
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Thanks for the answers, I will try to avoid using this somewhat brutal
solution and look for a workaround.
Dmitry
What’s the situation that provoked this line of reasoning? Perhaps the group can suggest an alternative with more information as to what you’re trying to accomplish.
-----Original Message-----
From: Dmitry G
Sent: Sunday, March 29, 2009 00:50
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Terminating user-mode thread
Thanks for the answers, I will try to avoid using this somewhat brutal
solution and look for a workaround.
Dmitry