From: Prasad Dabak [pdabak@yahoo.com]
Sent: Tuesday, November 28, 2000 5:18 AM
To: NT Developers Interest List
Subject: [ntdev] CreateRemoteThread and Win2K..

Hello,

Below is the program which does the following:

1. Launches a given executable in suspended form so that the primary thread of the process sleeps.
2. Creates a remote thread in the target process which calls "ExitThread".
3. Resumes the primary thread of the process.

==========================================================================
#include <windows.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    STARTUPINFO Si;
    PROCESS_INFORMATION Pi;
    BOOL rc;
    DWORD ThreadId;
    HANDLE hThread;

    if (argc!=2) {
        printf("Usage: %s \n", argv[0]);
        return 0;
    }

    memset(&Si, 0, sizeof(Si));
    memset(&Pi, 0, sizeof(Pi));
    Si.cb=sizeof(Si);

    /* Step 1: start the target with its primary thread suspended. */
    rc=CreateProcess(NULL, argv[1], NULL, NULL, FALSE, CREATE_SUSPENDED,
                     NULL, NULL, &Si, &Pi);
    if (rc==FALSE) {
        printf("CreateProcess failed, rc=%lu\n", GetLastError());
        return 0;
    }

    /* Step 2: create a thread in the target whose start routine is
       ExitThread. The address is resolved in this process and passed
       to the target as-is. */
    hThread=CreateRemoteThread(Pi.hProcess, NULL, 0,
                (LPTHREAD_START_ROUTINE)
                (GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "ExitThread")),
                0, 0, &ThreadId);
    if (hThread==NULL) {
        printf("Unable to create remote thread\n");
        TerminateProcess(Pi.hProcess, 0);
        goto Exit;
    }

    /* Wait for the remote thread to exit before touching the primary thread. */
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    /* Step 3: resume the primary thread and wait for the process to end. */
    ResumeThread(Pi.hThread);
    WaitForSingleObject(Pi.hProcess, INFINITE);

Exit:
    CloseHandle(Pi.hThread);
    CloseHandle(Pi.hProcess);
    return 0;
}
==========================================================================

Now this program works fine under Windows NT 4.0. However, under Windows 2000, for some applications this program fails to work, e.g.:

If you start notepad.exe or regedt32.exe, it works fine.
If you start regedit.exe, regedit.exe starts but quits immediately.
If you start taskmgr.exe, the task manager crashes with the access violation error.

AFAIK, the loader initializations, implicitly linked DLLs loading etc. happen as part of the first thread of the process.
In the above case, the DLL initializations happen as part of the secondary thread. It seems that Windows 2000 does not like this fact. Can anybody on the list throw some light on this behaviour?

Thanks.
-Prasad

=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book "Undocumented Windows NT" ISBN 0764545698