Waiting on process termination

Is it possible to wait for process termination via the wait routines?

Given that I have a ProcessId and therefore an EPROCESS pointer, how do I go
about waiting for the process to become signalled upon termination?

I see I can wait on a single object handle via ZwWaitForSingleObject; however,
in my code I want to wait for multiple objects and ZwWaitForMultipleObjects
isn’t available (why is that?).

So my only solution appears to be KeWaitForMultipleObjects, but an EPROCESS
object isn’t considered a dispatcher object and therefore doesn’t signal my
wait routine.

Any help is appreciated.

Thanks.

Btw, I know about the PsSetCreateProcessNotifyRoutine.

> So my only solution appears to be KeWaitForMultipleObjects but an EPROCESS
> object isn’t considered a dispatcher object and therefore doesn’t signal
> my wait routine.

Processes are dispatcher objects, you can confirm by the fact that they
start with a dispatcher header:

0: kd> dt nt!_kprocess
+0x000 Header : _DISPATCHER_HEADER

If it’s not being signaled then the process isn’t completely gone yet
(signaling the process is one of the last things that happens during process
termination).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Yeah, I’d seen the header, but after reading this mail from Ken I assumed
there was a difference in how they were signalled:
http://www.tech-archive.net/Archive/Development/microsoft.public.development.device.drivers/2006-11/msg00137.html

I thought signalling the process happened when the last thread had died, and
this is certainly the case. The whole process has gone so I assumed it would
have become signalled.

Are you saying I should be able to use the EPROCESS pointer directly in my
object array in the call to KeWaitForMultipleObjects?

Thanks
Ged.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> I thought signalling the process happened when the last thread had died, and
> this is certainly the case. The whole process has gone so I assumed it would
> have become signalled.

Are you sure it’s really gone? A lot of things happen before the process
object gets signaled, could be that something is hung up there.

> Are you saying I should be able to use the EPROCESS pointer directly in my
> object array in the call to KeWaitForMultipleObjects?

Yup, works just fine.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Ahh you’re right, I hit a deadlock when removing an imagenotify callback.
Thanks for your help, it all makes sense now.

Ged.
