Hello,

First, let me explain what I intend to do: I sometimes have to deal with computers heavily infected with
mostly spyware, sometimes viruses, and it can be really painful when you have several processes that respawn
each time you try to catch them, not to mention a computer that is using 99% of its memory.

I thought I could write a little tool to help me deal with those cases. The tool basically enumerates all processes,
and then enumerates all threads of each process; the idea is to suspend each thread to give me some time
to check what is happening. Of course, I protect critical system processes (currently smss, winlogon, services, lsass,
csrss and system), and I also protect my own program and the two tools I need to work (regedit and cmd).

The enumeration of both processes and threads seems to work well; the trouble is that when I launch my app,
regedit and cmd keep running fine (I can operate them), all other processes are frozen, and sadly my own
application also freezes. So I cannot resume all the threads. And that's my problem....

I've noticed that many threads of each process are related to the system process, so I thought I could as well
try to protect those threads, which didn't change anything about the problem. I also noticed that it seems that
many processes have some threads whose ParentID is my own application ID ???

So if anyone has some idea of what I've done wrong, I would appreciate any tips...

Regards
Locky
Posted on 2005-11-16 01:30:27 by Locky
Hi

I am not sure of this but I think what's going on is the following:

While you enumerate the processes, some new processes are created and some existing ones are destroyed; that can lead to your process being given the ID of a process that is in your enumerated list but is already destroyed:
now when you suspend that particular process, your own process is suspended instead of the one that was destroyed..

Not sure if this is really the case, but it's just what came to my mind..

I hope this helps you to analyze the problem further...

peace
Posted on 2005-11-17 17:56:50 by mistronr1
Thanks for the answer, sorry, I was a bit late to respond, out of order the last few days...

Yeah, that's a good idea, maybe there is something like that and I'll try to make a check before
any suspend operation, it may help...

Regards
Locky

EDIT: I modified my prog to check each thread's parent owner against my own PID and now my
process is working fine!! Great! cmd and regedit are frozen now so it's not a total victory but I
should be able to get around that.

Thanks again for your help
Posted on 2005-11-23 01:26:53 by Locky
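
The check described in the last post (comparing each thread's owner against the tool's own PID before suspending it), as an added example that is not code from this thread. It assumes the tool uses the Toolhelp snapshot API, where a `TH32CS_SNAPTHREAD` snapshot lists every thread in the system and each entry has to be filtered by `th32OwnerProcessID`; `should_suspend` and `suspend_process_threads` are hypothetical names, and the protected list is expected to hold the PIDs of the system processes plus regedit and cmd.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

/* Returns 1 only if a snapshot entry's owner is the process we mean to freeze
   and that process is neither this tool nor on the protected list. */
int should_suspend(uint32_t owner_pid, uint32_t target_pid, uint32_t self_pid,
                   const uint32_t *protected_pids, size_t n_protected)
{
    if (owner_pid != target_pid) return 0; /* entry belongs to another process */
    if (owner_pid == self_pid) return 0;   /* never freeze our own threads */
    for (size_t i = 0; i < n_protected; i++)
        if (owner_pid == protected_pids[i]) return 0;
    return 1;
}

#ifdef _WIN32
/* Suspends the threads of target_pid; returns how many were suspended,
   or -1 if the snapshot could not be taken. */
int suspend_process_threads(DWORD target_pid, const uint32_t *protected_pids,
                            size_t n_protected)
{
    /* The PID argument is ignored for TH32CS_SNAPTHREAD: all threads are listed. */
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE) return -1;
    THREADENTRY32 te;
    te.dwSize = sizeof te;
    int suspended = 0;
    if (Thread32First(snap, &te)) {
        do {
            if (!should_suspend(te.th32OwnerProcessID, target_pid,
                                GetCurrentProcessId(), protected_pids, n_protected))
                continue;
            HANDLE th = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
            if (th == NULL) continue;   /* thread exited or access denied */
            if (SuspendThread(th) != (DWORD)-1) suspended++;
            CloseHandle(th);
        } while (Thread32Next(snap, &te));
    }
    CloseHandle(snap);
    return suspended;
}
#endif
```

Without the owner comparison, a loop that suspends every entry of the snapshot for each process reaches the tool's own threads as well, which matches the freeze described in the first post.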