Sysinternals Forum > Windows Discussions > Internals

Suspend a process

ring0
Posted: 09 January 2009 at 12:21pm
Hi,

Is there a way to suspend a process?
Process Explorer does have that option.
How does it do it? I need help.


Cheers
- Ring0

molotov
Posted: 09 January 2009 at 12:30pm
ntdll!NtSuspendProcess?
Daily affirmation:
net helpmsg 4006

deepgeorge
Posted: 09 January 2009 at 4:05pm

Thanks for the info. It works fine.

Just for completeness:

I used pedump to see which corresponding kernel-mode function is exported from ntoskrnl.exe. I could not find any.
Do you know how the user-mode ntdll!NtSuspendProcess works?
Which kernel-mode API does it invoke? Does it involve a kernel-mode transition at all?


Cheers
Deep GZ

molotov
Posted: 09 January 2009 at 4:19pm
NtSuspendProcess does perform a kernel mode transition; ultimately, nt!NtSuspendProcess is called.

Unassembling ntdll!NtSuspendProcess shows a pretty small function that essentially just transitions into kernel mode to do the work.

deepgeorge
Posted: 09 January 2009 at 4:54pm
"NtSuspendProcess does perform a kernel mode transition; ultimately, nt!NtSuspendProcess is called"

Which nt!NtSuspendProcess API are you referring to?
There is no such function exported from ntoskrnl.exe.
Are you saying NtSuspendProcess in ntdll.dll switches to kernel mode, suspends the process and switches back to user-mode?



Cheers
Deep GZ

molotov
Posted: 09 January 2009 at 4:59pm
Just because it's not exported does not mean it does not exist. Load the kernel module in the debugger, configure symbols, and unassemble nt!NtSuspendProcess.

deepgeorge
Posted: 10 January 2009 at 6:14am
Hi,

I was looking for the documentation of NtSuspendProcess and could not find it in MSDN.
Is it an undocumented API? Do you know why MS decided to leave it undocumented?

I am planning to use this function in one of my projects.
If this API is undocumented, MS may not support it in future versions of the OS, right? Any idea if it is supported on XP 64-bit and Vista 32-bit/64-bit?

I also want to know if this API is synchronous/asynchronous.

Any other alternatives available for suspending a process?



Cheers
Deep GZ

molotov
Posted: 10 January 2009 at 3:03pm
"Is it an undocumented API?"
Essentially, yes.

"MS may not support this API in future versions of the OS, right?"
That is my understanding.

"Any idea if it is supported on XP 64-bit and Vista 32-bit/64-bit?"
Can't speak for x64, but I don't expect it to be different. ntdll.dll exports this function on 32-bit versions of XP and Vista.

"Any other alternatives available for suspending a process?"
You might consider suspending each thread in the process by calling kernel32!SuspendThread...
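
As an added example (not code from the thread, from Process Explorer or from Sysinternals): a PowerShell function that freezes or thaws a process by PID either through the undocumented ntdll!NtSuspendProcess/NtResumeProcess pair named above, or, with -PerThread, through kernel32!SuspendThread on every thread as suggested in the last answer. The function and class names are assumed, and it assumes Windows PowerShell with rights to open the target process; the intended use is a responder pausing a suspicious process before capturing its memory.

```powershell
# Added example, not code from the thread or from Sysinternals: freeze or thaw a
# process by PID the two ways the thread names, ntdll!NtSuspendProcess (undocumented,
# may change in future Windows versions) or kernel32!SuspendThread on every thread.
# Assumes rights to open the target process; class/function names are assumed.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcFreeze {
    // Undocumented ntdll exports; they return an NTSTATUS, 0 == STATUS_SUCCESS.
    [DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr h);
    [DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr h);
    // Documented per-thread alternative.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern uint SuspendThread(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern uint ResumeThread(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
}
"@

function Set-ProcessFrozen {
    param([Parameter(Mandatory)][int]$ProcessId, [switch]$Resume, [switch]$PerThread)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    if (-not $PerThread) {
        # $proc.Handle is opened by .NET with PROCESS_ALL_ACCESS, which includes the
        # PROCESS_SUSPEND_RESUME right these calls require.
        $status = if ($Resume) { [ProcFreeze]::NtResumeProcess($proc.Handle) } else { [ProcFreeze]::NtSuspendProcess($proc.Handle) }
        if ($status -ne 0) { throw ("ntdll call failed, NTSTATUS 0x{0:X8}" -f $status) }
        return
    }
    # Per-thread path. $proc.Threads is a snapshot: a thread created after it was
    # taken is not touched, which is why the process-level call is the safer freeze.
    $THREAD_SUSPEND_RESUME = 0x0002
    foreach ($t in $proc.Threads) {
        $h = [ProcFreeze]::OpenThread($THREAD_SUSPEND_RESUME, $false, [uint32]$t.Id)
        if ($h -eq [IntPtr]::Zero) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "OpenThread($($t.Id)) failed, Win32 error $err"
        }
        try {
            # Both calls return the previous suspend count, or 0xFFFFFFFF on failure.
            $prev = if ($Resume) { [ProcFreeze]::ResumeThread($h) } else { [ProcFreeze]::SuspendThread($h) }
            if ($prev -eq [uint32]::MaxValue) { throw "Suspend/ResumeThread($($t.Id)) failed" }
        } finally { [void][ProcFreeze]::CloseHandle($h) }
    }
}
```

Usage with a constructed PID: `Set-ProcessFrozen -ProcessId 4242` to freeze, then `Set-ProcessFrozen -ProcessId 4242 -Resume` to thaw; note that suspend counts on threads accumulate, so every per-thread suspend needs a matching resume.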

Bruce9
Posted: 10 January 2009 at 4:31pm
You can always get the source code for NtSuspendProcess() and any Win32 API in the Adv. Win32 API newsgroup (news://comp.os.ms-windows.programmer.win32)...
(MS, Wine, etc.)



deepgeorge
Posted: 12 January 2009 at 2:05am

Hi Bruce,

In which news server is this (news://comp.os.ms-windows.programmer.win32) group located?

I am trying to subscribe to this group. It's not found on the msnews.microsoft.com news server.
I am using Binary News Reaper software.




Cheers
Deep GZ