in addition to my previous email…

Even if it is not exported in Kernel, service ID of this function is 0xD9,
so I found it in SSDT by this index.

However, doesn’t help much, because a lot of other user mode business goes
the ExitWindows(Ex) calls, so I think that hooking this call from the kernel
wouldn’t prevent system from killing a good half of it before it will really
get stock.
I’ll search for some other possible solutions.


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)