Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

what is the difference between _EPROCESS object and _KPROCESS object

Tags:

windows

kernel

Upon analysis, I learnt that even _KPROCESS objects can be members of the ActiveProcessLinks list. What is the difference between _EPROCESS and _KPROCESS objects? When is one created and one not? What are the conceptual differences between them?

like image 571
Lelouch Lamperouge Avatar asked Apr 26 '11 12:04

Lelouch Lamperouge

2 Answers

This is simplified, but the kernel mode portion of the Windows O/S is broken up into three pieces: the HAL, the Kernel, and the Executive Subsystems. The Executive Subsystems deal with general O/S policy and operation. The Kernel deals with process architecture specific details for low level operations (e.g. spinlocks, thread switching) as well as scheduling. The HAL deals with differences that arise in particular implementations of a processor architecture (e.g. how interrupts are routed on this implementation of the x86). This is all explained in greater detail in the Windows Internals book.

When you create a new Win32 process, both the Kernel and the Executive Subsystems want to track it. For example, the Kernel wants to know the priority and affinity of the threads in the process because that's going to affect scheduling. The Executive Subsystems want to track the process because, for example, the Security Executive Subsystem wants to associate a token with the process so we can do security checking later.

The structure that the Kernel uses to track the process is the KPROCESS. The structure that the Executive Subsystems use to track it is the EPROCESS. As an implementation detail, the KPROCESS is the first field of the EPROCESS, so the Executive Subsystems allocate the EPROCESS structure and then call the Kernel to initialize the KPROCESS portion of it. In the end, both structures are part of the Process Object that represents the instance of the user process. This should also all be covered in the Windows Internals book.

-scott

like image 126
snoone Avatar answered Nov 14 '22 23:11

snoone

Have a look here:

http://channel9.msdn.com/Shows/Going+Deep/Arun-Kishan-Process-Management-in-Windows-Vista

EPROCESS is the kernel mode equivalent of the PEB from user mode. More details can be found in this document on Alex Ionescu's site as well as the book by Schreiber and other books about the NT internals.

Use dt in WinDbg to get an idea how they look.

like image 28
0xC0000022L Avatar answered Nov 14 '22 22:11

0xC0000022L
Sign in to Comment

Related questions

java.io.IOException: Cannot run program "python" using Spark in Pycharm (Windows)
Windows Script to move files older than 30 days with a specific extension to another folder
What may cause an ERR_CONNECTION_RESET error, on xampp while using session
Docker Installation Error on Windows behind Firewall
Copying Qt DLLs to executable directory on Windows using CMake
Wix MSI package : for Windows service
PowerShell "You must provide a value expression following the '/' operator" error when calling WinSCP.com
How to import sessions into MobaXterm?
batch: launch pipenv shell, then run command in the virtual environment
Python 3.7 - activate venv error Parameter format not correct 65001 WINDOWS
Copy a file without using the windows file cache
GCC on Windows: Set "Description" field of C executable?
Logic in Disk Defragmantation & Disk Check
Running a Windows program and detect when it ends with C++
What happens if I call GlobalLock(), then fail to call GlobalUnlock()?
Is there a way in windows to know if a process is not responding?
Windows Service needs to wait, Thread.Sleep?
Correct way of checking if threads are done?
Compiled C++ executables HUGE?
Copying a bitmap from another HBITMAP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!