Comment Feed for Channel 9 - Arun Kishan - Process Management in Windows Vista

Re: Arun Kishan - Process Management in Windows Vista

Cyonix — Mon, 11 Sep 2006 19:37:27 GMT

Great video! I loved how everything was explained in such detail

Good stuff

posted by Cyonix

Re: Arun Kishan - Process Management in Windows Vista

batterseapower — Mon, 11 Sep 2006 22:30:35 GMT

Thanks for yet another great Going Deep video! I am however, a little confused about one of the points in the video: I wonder if someone could be as kind as to clarify how exactly a TerminateThread call causes any kernel mode calls being made by that function to unwind immediately?

I can see how this might work for explicit waits (Sleep, WaitForSingleObjectEx) since you already have handing for being interrupted by APCs there in the form of alertable waits, but what about in the general case of e.g. ReadFile? Does your explanation imply that there a way to cause arbitrary kernel functions to unwind instantly without corrupting internal kernel state, or do you just wait for all such calls to terminate naturally before doing the cleanup just before the kernel -> user transition as normal? But in the case of long running calls kernel mode functions I could see that being a problem..

Thanks in advance!

BSP

posted by batterseapower

Re: Arun Kishan - Process Management in Windows Vista

SecretSoftware — Mon, 11 Sep 2006 23:32:21 GMT

Thanks for this video. It helped me understand how windows manages threads that I program in my apps. Great video. Keep it up.

posted by SecretSoftware

Re: Arun Kishan - Process Management in Windows Vista

arunki — Tue, 12 Sep 2006 01:02:51 GMT

Sorry if this was not clear.

Threads only ever "die" on the return to user mode. For the same reason, system threads cannot be terminated. Instead, they must voluntarily exit (direct call to terminate), or exit their main routine. Most kernel code will continue to run uninterrupted, however, the assumption is that unbounded kernel-mode waits, etc. should not be easily controllable by a user. User-mode waits, however, are instantly aborted in the kernel once the kernel-mode half of the terminate APC is delivered.

You are absolutely right that long running kernel code, or code running with APCs disabled in kernel, will not take the kernel APC or will otherwise not terminate immediately. So TerminateThread really ensures that the target will no longer run in usermode, not that it will instantly unwind its kernel state and exit. I was only trying to stress that the mechanism is designed to ensure kernel state is unwound rather than exiting in place.

posted by arunki

Re: Arun Kishan - Process Management in Windows Vista

Alexis — Tue, 12 Sep 2006 04:30:35 GMT

Hey, the link to the whitepaper does not work.

posted by Alexis

Re: Arun Kishan - Process Management in Windows Vista

Charles — Tue, 12 Sep 2006 04:53:03 GMT

Alexis wrote:

Hey, the link to the whitepaper does not work.

Fixed. Thanks for pointing that out...
C

posted by Charles

Re: Arun Kishan - Process Management in Windows Vista

SecretSoftware — Tue, 12 Sep 2006 05:21:51 GMT

Few questions:

1) About code injection: crackers and hackers now , cannot do code injection into running processes? Like dll injection will fail? Will this also affect global system hooks? like mouse hook and the likes?

how is that actually good?

2) What happens when the system is low on threads? when you do something like, QueueWorkItem, and use the system threads to do work in your application, and you "abuse this", in a server application, what would happen to the system at this stage when its under stress? Does it shutdown? or just queues the new work items until an existing system thread is free to process it? Can a new thread be created and added to the system thread pool/ Is this actually a good thing or a bad thing for a uniprocessor system?

3) Is it actually good to use the system thread pool or to create a new unique thread for your specific application?

posted by SecretSoftware

Re: Arun Kishan - Process Management in Windows Vista

arunki — Tue, 12 Sep 2006 07:57:23 GMT

1) Code injection is only limited for the protected processes, which are not meant to provide arbitrary extensibility by design. These processes can only load specially digitally signed code. The goal is to limit what can run inside them.

2) There is no one-one mapping between work items and threads. Work queues and the threadpool try to manage the number of threads based on the workload / CPU availability. For example, the Vista threadpool tries to keep # CPU threads running, but will throttle threads back when it detects this number has been exceeded. Additional threads are created as needed in this range; the excess work items accumulate and are serviced by threads as they become available.

3) It depends on your application. If it is a piece of code you just want to execute asynchronously, threadpool provides an efficient and simple means of accomplishing this. It does, however, introduce additional overhead. In other cases, you may need a dedicated thread for a task whose operation / life cycle you may need finer grained control over.

posted by arunki

Re: Arun Kishan - Process Management in Windows Vista

LiQ — Tue, 12 Sep 2006 12:08:16 GMT

Wrong post...

posted by LiQ

Re: Arun Kishan - Process Management in Windows Vista

SecretSoftware — Tue, 12 Sep 2006 16:24:23 GMT

arunki wrote:

1) Code injection is only limited for the protected processes, which are not meant to provide arbitrary extensibility by design. These processes can only load specially digitally signed code. The goal is to limit what can run inside them.

2) There is no one-one mapping between work items and threads. Work queues and the threadpool try to manage the number of threads based on the workload / CPU availability. For example, the Vista threadpool tries to keep # CPU threads running, but will throttle threads back when it detects this number has been exceeded. Additional threads are created as needed in this range; the excess work items accumulate and are serviced by threads as they become available.

3) It depends on your application. If it is a piece of code you just want to execute asynchronously, threadpool provides an efficient and simple means of accomplishing this. It does, however, introduce additional overhead. In other cases, you may need a dedicated thread for a task whose operation / life cycle you may need finer grained control over.

Thanks for the reply. I like the new protected process with in vista. But I wish if we can have examples as to how to create a protected process using Visual Studio 2005 in C#. Like an introduction as to how to create a protected application.

Also, in the video , it was mentioned that the END PROCESS api will just kill of the process on the spot and this should be used only as a last measure, and if we know the state the process is in (most of us dont know that because we did not write the application that might go on a loop or hangs). But there are "Service" processes that simply refuse to be killed. You often get "Access denied" or something along those words. Can you explain that?

posted by SecretSoftware

Re: Arun Kishan - Process Management in Windows Vista

nativecpp — Fri, 15 Sep 2006 20:01:23 GMT

Great and detailed on Porcess/Thread. I have been using threads in user mode and it is nice to know more about the implementation of process/thread in O/S. I am not sure if I understand 100% about the subject(s) (I probably need to revisit the clip again). One thing I don't get it is system process (pid = 4) and system idle process. How they are related and who got created first?

Thanks

posted by nativecpp

Re: Arun Kishan - Process Management in Windows Vista

Whoa — Fri, 29 Sep 2006 00:11:19 GMT

This was great. I had been wondering how this worked for quite some time.

posted by Whoa

Re: Arun Kishan - Process Management in Windows Vista

pranavpeshwe — Thu, 01 Feb 2007 08:58:52 GMT

Thanks for the video !!

Thanks and regards,
Pranav

posted by pranavpeshwe

Re: Arun Kishan - Process Management in Windows Vista

svm — Mon, 17 Dec 2007 09:54:24 GMT

It is great to see an India sitting over there! can I download the video ( difficult to surf online) can you send download link to my mail id svmourougan@yahoo.com

posted by svm

Re: Arun Kishan - Process Management in Windows Vista

shibz — Sun, 16 Aug 2009 05:47:34 GMT

process management in windows vista i need to make a written project on this...plzz help...

posted by shibz

Re: Arun Kishan - Process Management in Windows Vista

PraveenRao — Fri, 15 Jan 2010 08:04:31 GMT

Hi Arun,

Great video!!

I would like some clarifications on Terminate and SuspendThread - specifically when thread is executing in kernel.

You mentioned that terminate kicks the thread out of waits. Is that true only of UserMode waits or also of KernelMode waits? If it is true of KernelMode waits, does it bring it out both alertable and non-alterable or only alertable?

What are the mechanics of suspend? Does it also involve a kernel apc which queues a user apc which executes only when thread unwinds from kernel? Or in case of suspend does kernel apc itself suspend the thread?

Thanks,

Praveen

posted by PraveenRao