Programming Windows

Processes and Threads


Presented by
Japneet Singh
Highlights
• Process related concepts
• Thread related concepts
Process
• Process related concepts
• Creating a process
• Terminating a process
• Impersonating a Process
Process related concepts
• Type : CUI or GUI *
• Process handle *
• Command line
• Process’ Environment variables
• Process’ Error mode
• Current drive and directory
• Current Privileges Context *
Creating a process
    BOOL CreateProcess(
        PCTSTR pszApplicationName,
        PTSTR pszCommandLine,
        PSECURITY_ATTRIBUTES psaProcess,
        PSECURITY_ATTRIBUTES psaThread,
        BOOL bInheritHandles,
        DWORD fdwCreate,
        PVOID pvEnvironment,
        PCTSTR pszCurDir,
        PSTARTUPINFO psiStartInfo,
        PPROCESS_INFORMATION ppiProcInfo);
Terminating a process
• Terminating a process
– A process can be terminated in four ways:
• The primary thread’s entry-point function returns (highly recommended)
• One thread in the process calls ExitProcess (avoid this method)
• A thread in another process calls TerminateProcess (avoid this method)
• All the threads in the process just die on their own (this hardly ever happens)
• When a process terminates, the following actions are set in motion:
a. Any remaining threads in the process are terminated.
b. All User and GDI objects are freed and kernel objects are closed.
c. The process’ exit code changes from STILL_ACTIVE to the code passed to ExitProcess or TerminateProcess.
d. The process kernel object’s status becomes signaled.
e. The process kernel object’s usage count is decremented.
Impersonating a Process
Threads
• Creating a thread
• Terminating a thread
• Thread internals
• Impersonating a thread
• Scheduling
• Priority
• Affinity
Creating a thread
    HANDLE CreateThread(
        PSECURITY_ATTRIBUTES psa,
        DWORD cbStackSize,
        PTHREAD_START_ROUTINE pfnStartAddr,
        PVOID pvParam,
        DWORD dwCreateFlags,
        PDWORD pdwThreadID);
Terminating a thread
• A thread can be terminated in four ways:
– The thread function returns (this is highly recommended)
– The thread kills itself by calling the ExitThread function (avoid this method)
– A thread in the same process or in another process calls the TerminateThread function (avoid this method)
– The process containing the thread terminates (avoid this method)
• The following actions occur when a thread terminates:
– All the User object handles owned by the thread (windows and hooks) are freed. When a thread dies, the system automatically destroys any windows and uninstalls any hooks that were created or installed by the thread.
– The thread’s exit code changes from STILL_ACTIVE to the code passed to ExitThread or TerminateThread.
– The state of the thread kernel object becomes signaled.
– If the thread is the last active thread in the process, the system considers the process terminated as well.
– The thread kernel object’s usage count is decremented by 1.
Thread internals
• CONTEXT
Thread Scheduling
• A preemptive OS like Windows must use some algorithm to determine which threads should be scheduled, when, and for how long
• Thread suspension during thread initialization
• SuspendThread and ResumeThread
• Suspending or Resuming process?
• Sleep
• SwitchToThread
• CONTEXT structure and Get/SetThreadContext APIs
• Scheduling algorithm
Thread Priority
• Priority values
• Starvation
• Pre-emption
• Zero page thread
• Process Priority classes
• Thread relative priorities
• Mapping of Process priority class and Relative Thread priorities to Priority values
• SetPriorityClass and GetPriorityClass
• SetThreadPriority and GetThreadPriority
• Dynamic boosting Thread Priority Levels
Process Priority classes
Idle          Threads in this process run when the system is otherwise idle. This
              process is typically used by screen savers or background utilities.
Below normal  The threads in this process run between the normal and idle priority
              classes.
Normal        The threads in this process have no special scheduling needs.
Above normal  The threads in this process run between the normal and high priority
              classes.
High          The threads in this process must respond immediately to events to
              execute time-critical tasks. The Task Manager runs in this class.
Real time     The threads in this process must respond immediately to events to
              execute time-critical tasks. Threads in this process also preempt OS
              components. Use this priority class with extreme caution. Requires
              the Increase Scheduling Priority privilege assigned to the user.
Thread relative priorities
Time critical  Thread runs at 31 for the real-time priority class and at 15 for all
               other priority classes
Highest        Thread runs two levels above normal
Above normal   Thread runs one level above normal
Normal         Thread runs normally for the process’ priority class
Below normal   Thread runs one level below normal
Lowest         Thread runs two levels below normal
Idle           Thread runs at 16 for the real-time priority class and at 1 for all
               other priority classes
Mapping of Process priority class and
Relative Thread priorities to Priority values
Relative thread   Idle   Below    Normal   Above    High   Real
priority                 normal            normal          time
Time critical      15     15       15       15       15     31
Highest             6      8       10       12       15     26
Above normal        5      7        9       11       14     25
Normal              4      6        8       10       13     24
Below normal        3      5        7        9       12     23
Lowest              2      4        6        8       11     22
Idle                1      1        1        1        1     16
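As an added example (not part of the slides), portable C that derives the mapping table above from the rule the two preceding tables state: each process priority class has a Normal level, the relative priorities Highest to Lowest are offsets of +2 to -2 from it, and Time critical and Idle are pinned to 15 and 1 (31 and 16 for the real-time class). The enum names and helper functions are this example's own, not Win32 API identifiers.

```c
/* Process priority classes in the slide table's column order (names are this
   example's own, not the Win32 PRIORITY_CLASS constants). */
typedef enum { PC_IDLE, PC_BELOW_NORMAL, PC_NORMAL, PC_ABOVE_NORMAL,
               PC_HIGH, PC_REALTIME, PC_COUNT } PriorityClass;

/* Relative priorities as offsets from the class's Normal level; TIME_CRITICAL
   and IDLE are pinned levels rather than offsets. */
typedef enum { TP_IDLE = -3, TP_LOWEST = -2, TP_BELOW_NORMAL = -1, TP_NORMAL = 0,
               TP_ABOVE_NORMAL = 1, TP_HIGHEST = 2, TP_TIME_CRITICAL = 3 } ThreadPriority;

/* Normal level of each class: the Normal row of the slide's table. */
static const int class_normal_level[PC_COUNT] = { 4, 6, 8, 10, 13, 24 };

/* Base priority level (1..31): the class's Normal level plus the relative
   offset, except for the two pinned values. */
int base_priority_level(PriorityClass pc, ThreadPriority tp)
{
    int realtime = (pc == PC_REALTIME);
    if (tp == TP_TIME_CRITICAL) return realtime ? 31 : 15;
    if (tp == TP_IDLE)          return realtime ? 16 : 1;
    return class_normal_level[pc] + (int)tp;
}

/* Levels 16..31 are the real-time range, where threads preempt OS components;
   a process reaches it only with the Increase Scheduling Priority privilege. */
int is_realtime_level(int level) { return level >= 16; }

/* The slide's table: rows Time critical .. Idle, columns Idle .. Real time. */
static const int slide_table[7][PC_COUNT] = {
    { 15, 15, 15, 15, 15, 31 },
    {  6,  8, 10, 12, 15, 26 },
    {  5,  7,  9, 11, 14, 25 },
    {  4,  6,  8, 10, 13, 24 },
    {  3,  5,  7,  9, 12, 23 },
    {  2,  4,  6,  8, 11, 22 },
    {  1,  1,  1,  1,  1, 16 },
};

/* Returns 1 if the rule reproduces every cell of the slide's table. */
int rule_matches_slide_table(void)
{
    for (int tp = TP_TIME_CRITICAL; tp >= TP_IDLE; tp--)
        for (int pc = 0; pc < PC_COUNT; pc++)
            if (base_priority_level((PriorityClass)pc, (ThreadPriority)tp)
                    != slide_table[TP_TIME_CRITICAL - tp][pc])
                return 0;
    return 1;
}
```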
Affinity
• Concept of affinity
• SetProcessAffinityMask and GetProcessAffinityMask APIs
• SetThreadAffinityMask
• SetThreadIdealProcessor