From: Don Burn on 24 Mar 2010 09:57

> -----Original Message-----
> From: ceh [mailto:cehupper(a)gmail.com]
>
> "The thread that creates the new process is the thread that called
> CreateProcess in user space"
>
> If I'm a cmd.exe process and I call createprocess then you're saying that some
> thread in cmd.exe is the thread that the notifyroutine is running in?
> If that is true, then why do all process creations freeze across the system if
> there is a wait in the notifyroutine? Shouldn't only that one thread be
> blocked?

Because the process creation and the notify have locks, you are blocking things in the middle of the process, so yes, expect other process creates to have to wait.

> "IoControl calls do not call into a process they call into the kernel which is
> shared by all processes"
> Is this saying that the kernel is just some section of memory not associated
> with any specific process?

The kernel is not associated with any process, much of it runs in the context of the calling process.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

From: ceh on 24 Mar 2010 11:16

On Mar 24, 9:57 am, "Don Burn" <b...(a)stopspam.windrvr.com> wrote:
> > -----Original Message-----
> > From: ceh [mailto:cehup...(a)gmail.com]
> >
> > "The thread that creates the new process is the thread that called
> > CreateProcess in user space"
> >
> > If I'm a cmd.exe process and I call createprocess then you're saying that some
> > thread in cmd.exe is the thread that the notifyroutine is running in?
> > If that is true, then why do all process creations freeze across the system if
> > there is a wait in the notifyroutine? Shouldn't only that one thread be
> > blocked?
>
> Because the process creation and the notify have locks, you are blocking
> things in the middle of the process, so yes, expect other process creates
> to have to wait.
>
> > "IoControl calls do not call into a process they call into the kernel which is
> > shared by all processes"
> > Is this saying that the kernel is just some section of memory not associated
> > with any specific process?
>
> The kernel is not associated with any process, much of it runs in the
> context of the calling process.
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr

Because the process creation and the notify have locks, you are blocking things in the middle of the process, so yes, expect other process creates to have to wait.

OK, so the mutex in the sys file is essentially accessed by all processes in user mode that are creating a new process. I didn't know that that mutex spanned the entire system in both kernel and user mode.

Thank you for the help. I think I have some lights turning on.

From: m on 24 Mar 2010 22:17

How did you think that it worked? The system has some internal data structures describing processes that can't be updated by multiple threads simultaneously, so a lock is natural. And since the notify routine is called inline, as is required to make it useful, it must necessarily be called in the lock!

I know that you said that this is academic, but I am ceaselessly amazed by the lack of education that many graduates, masters, and doctors have - yes it is unfair to vent on you, but this post happened to come up at a bad time.

"ceh" <cehupper(a)gmail.com> wrote in message news:73ec8421-9ac1-4903-8edf-22f24e387a50(a)33g2000yqj.googlegroups.com...
> On Mar 24, 9:57 am, "Don Burn" <b...(a)stopspam.windrvr.com> wrote:
>> > -----Original Message-----
>> > From: ceh [mailto:cehup...(a)gmail.com]
>> >
>> > "The thread that creates the new process is the thread that called
>> > CreateProcess in user space"
>> >
>> > If I'm a cmd.exe process and I call createprocess then you're saying that some
>> > thread in cmd.exe is the thread that the notifyroutine is running in?
>> > If that is true, then why do all process creations freeze across the system if
>> > there is a wait in the notifyroutine? Shouldn't only that one thread be
>> > blocked?
>>
>> Because the process creation and the notify have locks, you are blocking
>> things in the middle of the process, so yes, expect other process creates
>> to have to wait.
>>
>> > "IoControl calls do not call into a process they call into the kernel which is
>> > shared by all processes"
>> > Is this saying that the kernel is just some section of memory not associated
>> > with any specific process?
>>
>> The kernel is not associated with any process, much of it runs in the
>> context of the calling process.
>>
>> Don Burn (MVP, Windows DKD)
>> Windows Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>> Blog: http://msmvps.com/blogs/WinDrvr
>
> Because the process creation and the notify have locks, you are blocking
> things in the middle of the process, so yes, expect other process creates
> to have to wait.
>
> OK, so the mutex in the sys file is essentially accessed by all
> processes in user mode that are creating a new process.
> I didn't know that that mutex spanned the entire system in both kernel
> and user mode.
>
> Thank you for the help. I think I have some lights turning on.
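
The stall discussed in this thread, as an added example that is not part of any post: a user-mode C model (pthreads, not driver code) in which process creation holds one system-wide lock and calls the notify routine inline, comparing a routine that waits with one that only queues the event. All names (`create_lock`, `notify_blocking`, `notify_deferred`, `run_creators`) are hypothetical, and the single lock is an assumption taken from the posters' description.

```c
/* User-mode model, not driver code: "process creation" takes one system-wide
 * lock and calls the notify routine inline while holding it. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <stdio.h>
#include <time.h>
#define CREATORS 4   /* threads creating a process at the same time */
#define WAIT_MS 20   /* how long the blocking routine waits */
typedef void (*notify_fn)(int pid);
static pthread_mutex_t create_lock = PTHREAD_MUTEX_INITIALIZER;
static notify_fn notify;
static int queue[CREATORS], queued;   /* only touched under create_lock */

/* Waits inside the callback, so create_lock stays held for WAIT_MS. */
static void notify_blocking(int pid) {
    struct timespec ts = { 0, WAIT_MS * 1000000L };
    (void)pid;
    nanosleep(&ts, NULL);
}
/* Records the event and returns; a worker thread would handle it later. */
static void notify_deferred(int pid) { queue[queued++] = pid; }

static void *creator(void *arg) {
    pthread_mutex_lock(&create_lock);
    notify((int)(long)arg);           /* runs in the creating thread */
    pthread_mutex_unlock(&create_lock);
    return NULL;
}
/* Start CREATORS concurrent creations; return elapsed milliseconds. */
static long run_creators(notify_fn fn) {
    pthread_t t[CREATORS];
    struct timespec a, b;
    notify = fn;
    queued = 0;
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (long i = 0; i < CREATORS; i++)
        pthread_create(&t[i], NULL, creator, (void *)(i + 1));
    for (int i = 0; i < CREATORS; i++) pthread_join(t[i], NULL);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (b.tv_sec - a.tv_sec) * 1000 + (b.tv_nsec - a.tv_nsec) / 1000000;
}
int main(void) {
    long blocked = run_creators(notify_blocking);
    long deferred = run_creators(notify_deferred);
    printf("blocking: %ld ms, deferred: %ld ms (%d queued)\n", blocked, deferred, queued);
    return 0;
}
```

With the blocking routine the four creations finish one after another, so the total is at least four times the wait even though each wait happens in a different thread.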