Hello,
I am studying for the Windows Internals certification and I have a question about the Process Management subsystem.
Each time the dispatcher changes the currently executing thread, a context switch occurs and the previous context is saved for later use.
I want to know how I can find this CONTEXT structure from the ETHREAD object. I checked the members of the ETHREAD and KTHREAD structures, but none of them seem to contain this information (at least to my eyes).
Does anyone know how I can find this information?
-George
> I want to know how I can find this CONTEXT structure from the ETHREAD object
Why do you need such a detail?
On this forum, traditionally, the only valid need for something is to solve software development tasks, i.e. to create software which will do "this and that".
And, even if you get this knowledge, you cannot base reliable software on it, and people here dislike unreliable software.
Nevertheless, I will answer you: CONTEXT is not included in KTHREAD. IIRC KTHREAD only saves the ESP pointer of a thread which is not currently running, and the remaining registers are stored by PUSH ops on the thread's stack before it switches the context away from itself.
Some registers (i.e. "volatile" registers, the ones which a function call is allowed to change) are even saved only in the trap prologs, and not for all traps: for IRQs and page faults yes, for syscalls no (syscalls are not obliged to preserve the volatile regs).
There were functions like KiContextToKFrames which could assemble these values from the stack frames into a CONTEXT structure and vice versa.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Hi Maxim,
Thanks for your answer. I do not have plans to use it in any product. I am just studying for my Windows Internals certification and I would like to see this information from the ETHREAD structure, but as you said it is pushed onto the stack.
Thanks,
-George
On Mon, Oct 24, 2011 at 12:20 PM, Maxim S. Shatskih wrote:
> said it is pushed onto the stack.
In brief: volatile regs are only pushed to the stack in trap prologs for non-syscall traps like IRQs and page faults.
Nonvolatile regs are pushed by the KiSwapContext prolog.
And only ESP is in ETHREAD.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Following-on to Max’ post… have a look at the TRAP_FRAME data structure.
Peter
OSR
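As an added illustration, not part of the original thread, here is how the pointers Maxim and Peter gave can be followed in the kernel debugger to locate the saved register state of a thread that is not running. The process name and all addresses are placeholders; the KTHREAD field names shown are the public ones (KernelStack, TrapFrame, StackBase, StackLimit), and the nonvolatile registers pushed by KiSwapContext are read straight off the kernel stack at KernelStack, since no CONTEXT structure exists in the ETHREAD.

```windbg
kd> !process 0 0 notepad.exe
    ... PROCESS ffffxxxx`xxxxxxxx  (placeholder EPROCESS address)

kd> !process ffffxxxx`xxxxxxxx 2
    ... THREAD ffffyyyy`yyyyyyyy  Cid ...  State: Waiting  (placeholder ETHREAD)

kd> .thread ffffyyyy`yyyyyyyy
    (debugger now shows the stack of that waiting thread)

kd> dt nt!_KTHREAD ffffyyyy`yyyyyyyy KernelStack TrapFrame StackBase StackLimit
    KernelStack : 0xfffff8zz`zzzzzzzz     saved kernel stack pointer (the only register kept here)
    TrapFrame   : 0xfffff8tt`tttttttt     KTRAP_FRAME built when the thread last entered the kernel
    StackBase   : ...
    StackLimit  : ...

kd> dps 0xfffff8zz`zzzzzzzz L20
    (nonvolatile registers saved by the KiSwapContext prolog sit at the top of this stack)

kd> kv
    (frames annotated with "TrapFrame @ ..." mark where a trap prolog saved volatile registers)

kd> .trap 0xfffff8tt`tttttttt
kd> r
    (register values as captured at the trap; this is the user-mode state for a TrapFrame
     pointed to by KTHREAD.TrapFrame)

kd> .trap
    (reset to the thread's normal register context)
```

A syscall entry produces a trap frame with incomplete volatile registers, as Maxim notes, so the values displayed by `.trap` for such a frame should not be taken as a full snapshot.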