Does Process have a GUI?

Hello veterans,

Is there a way for a kernel driver to find out whether a process/thread has
a Windows/GUI? I know it is possible in user mode, but just wanted to see
if the same is possible in the kernel as well?

thanks
Pinto

What bigger problem are you trying to solve?

Bent from my phone



On Apr 5, 2017, at 8:04 PM, A P wrote:
>
> Hello veterans,
>
> Is there a way for a kernel driver to find out whether a process/thread has a Windows/GUI? I know it is possible in user mode, but just wanted to see if the same is possible in the kernel as well?

As a general rule, “user interface” is a user-mode concept. Almost anything to do with user interfaces is very difficult to access from kernel mode.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

*GUI*: if you want to show the thread running you can create an event and
share to the driver, create a thread running in the user mode, kernel
will get a handle through ioctl, create a thread in kernel mode will run
upon the user level.

Event notification from driver to user.

User running for kernel level.


well tim,

i would think there is some connection to the kernel, since it is possible
to send messages from one process’s window to the other, which means the
kernel has some knowledge, else that would never work…wouldn’t it?

On Wed, Apr 5, 2017 at 10:01 PM, Tim Roberts wrote:

> On Apr 5, 2017, at 8:04 PM, A P wrote:
> >
> > Hello veterans,
> >
> > Is there a way for a kernel driver to find out whether a process/thread
> > has a Windows/GUI? I know it is possible in user mode, but just wanted to
> > see if the same is possible in the kernel as well?
>
> As a general rule, “user interface” is a user-mode concept. Almost
> anything to do with user interfaces is very difficult to access from kernel
> mode.
> —
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

The kernel has no idea about hwnds or windows messages. That is handled by gdi with the help of win32k.sys

Bent from my phone


From: xxxxx@lists.osr.com on behalf of A P
Sent: Thursday, April 6, 2017 12:57:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Does Process have a GUI?

well tim,

i would think there is some connection to the kernel, since it is possible to send messages from one process’s window to the other, which means the kernel has some knowledge, else that would never work…wouldn’t it?


This is not documented. There is a bitfield in the _KTHREAD structure called ThreadFlags. One of these bits is named GuiThread.

Just run the command « dt nt!_KTHREAD » in a debugger and you will see.

A P wrote:

> i would think there is some connection to the kernel, since it is
> possible to send messages from one process’s window to the other, which
> means the kernel has some knowledge, else that would never
> work…wouldn’t it?

Of course it would. There are many ways to do interprocess
communication without involving the kernel. DLL with a shared section.
Shared memory-mapped file and events. Even if the kernel provides the
IPC plumbing, it doesn’t need to know what the content is.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

GUI capabilities are thread specific and not process specific. Although a process could be called a GUI process if one of its threads is a GUI thread.

For instance the Notepad process here has a GUI thread and two non-GUI threads.

kd> !process
PROCESS ffffdf0b23d64800
SessionId: 1 Cid: 113c Peb: e1de36a000 ParentCid: 052c
DirBase: 5dd0e000 ObjectTable: ffff9500433a9bc0 HandleCount:
Image: notepad.exe

THREAD ffffdf0b23d5a800 Cid 113c.0f90 Teb: 000000e1de36b000 Win32Thread: ffffdf0b2531f240 WAIT: (WrUserRequest) UserMode Non-Alertable
ffffdf0b261cd230 SynchronizationEvent

THREAD ffffdf0b261b7800 Cid 113c.13b0 Teb: 000000e1de36f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffffdf0b23d85300 QueueObject

THREAD ffffdf0b23d66080 Cid 113c.0f40 Teb: 000000e1de371000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffffdf0b23d85300 QueueObject

kd> dt nt!_KTHREAD GuiThread ffffdf0b23d5a800
+0x078 GuiThread : 0y1
kd> dt nt!_KTHREAD GuiThread ffffdf0b261b7800
+0x078 GuiThread : 0y0
kd> dt nt!_KTHREAD GuiThread ffffdf0b23d66080
+0x078 GuiThread : 0y0
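
When triaging a dump, the two debugger outputs above can be correlated mechanically. The Python below is an added example, not part of the original post: it parses the THREAD lines of `!process` and the `dt nt!_KTHREAD GuiThread` results quoted in the post (wait-object lines trimmed; function names are illustrative) and reports the GuiThread bit per thread ID.

```python
import re

# Debugger output copied from the post above, trimmed to the lines that matter.
KD_PROCESS = """\
THREAD ffffdf0b23d5a800 Cid 113c.0f90 Teb: 000000e1de36b000 Win32Thread: ffffdf0b2531f240 WAIT: (WrUserRequest) UserMode Non-Alertable
THREAD ffffdf0b261b7800 Cid 113c.13b0 Teb: 000000e1de36f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
THREAD ffffdf0b23d66080 Cid 113c.0f40 Teb: 000000e1de371000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
"""
KD_DT = """\
kd> dt nt!_KTHREAD GuiThread ffffdf0b23d5a800
+0x078 GuiThread : 0y1
kd> dt nt!_KTHREAD GuiThread ffffdf0b261b7800
+0x078 GuiThread : 0y0
kd> dt nt!_KTHREAD GuiThread ffffdf0b23d66080
+0x078 GuiThread : 0y0
"""

THREAD_RE = re.compile(
    r"THREAD\s+([0-9a-f]+)\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)\s+"
    r"Teb:\s+[0-9a-f]+\s+Win32Thread:\s+([0-9a-f]+)", re.I)
# A dt command line followed by its one-line bitfield result.
DT_RE = re.compile(
    r"dt\s+nt!_KTHREAD\s+GuiThread\s+([0-9a-f]+)"
    r"\s+\+0x[0-9a-f]+\s+GuiThread\s*:\s*0y([01])", re.I)


def parse_threads(text):
    """Map KTHREAD address -> (pid, tid, Win32Thread pointer); Cid fields are hex."""
    return {m[1].lower(): (int(m[2], 16), int(m[3], 16), int(m[4], 16))
            for m in THREAD_RE.finditer(text)}


def parse_gui_bits(text):
    """Map KTHREAD address -> GuiThread bit as printed by dt (0y0 / 0y1)."""
    return {m[1].lower(): int(m[2]) for m in DT_RE.finditer(text)}


def classify(process_text, dt_text):
    """Return {tid: (gui_bit, has_win32thread)}; refuse to guess for unread threads."""
    threads, bits = parse_threads(process_text), parse_gui_bits(dt_text)
    missing = set(threads) - set(bits)
    if missing:
        raise ValueError(f"no GuiThread reading for {sorted(missing)}")
    return {tid: (bits[addr], w32 != 0)
            for addr, (_pid, tid, w32) in threads.items()}


def process_has_gui(process_text, dt_text):
    """Per the post: a process counts as GUI if any one of its threads is a GUI thread."""
    return any(bit for bit, _ in classify(process_text, dt_text).values())
```

In this capture the non-zero Win32Thread pointer lines up with the GuiThread bit; that is an observation about this output, not a documented guarantee.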

> For instance the Notepad process here has a GUI thread and two non-GUI threads.

This GuiThread flag most probably indicates that the thread has a Win32 message queue. Any thread automatically gets a message queue once it calls any related API. Then it becomes a “GUI thread”. If this is all Mr. Pinto wants to know, this _KTHREAD field looks like a solution.

– pa

The GuiThread solution discussed above is undocumented. If we are
discussing undocumented solutions then perhaps calling the
undocumented NtUserBuildHwndList in the Kernel should also be discussed.
This is what the user mode API EnumWindows calls internally, and is perhaps
a bit more stable than looking into windows structures and offsets? Those
are prone to change and cause additional maintenance headache from windows
version to version and service pack to service pack

On Fri, Apr 7, 2017 at 2:07 PM, wrote:

> > For instance the Notepad process here has a GUI thread and two non-GUI
> threads.
>
> This GuiThread flag most probably indicates that the thread has a Win32
> message queue. Any thread automatically gets a message queue once it calls
> any related API. Then it becomes a “GUI thread”. If this is all Mr. Pinto
> wants to know, this _KTHREAD field looks like a solution.
>
> – pa

I’ve noticed that when a non-GUI thread loads USER32.DLL, the thread is GUI after the DllMain has returned.

When the Notepad is initialized, the main thread becomes a GUI thread when the DLL initialization routine of USER32.DLL has run and before WinMain has started.

So, I think that if an executable is linked with USER32.DLL, there is a great chance that the main thread will be a GUI thread.

that’s interesting, just curious, have u tried with other graphics libs,
like SDL?

On Sat, Apr 8, 2017 at 6:45 PM, wrote:

> I’ve noticed that when a non-GUI thread loads USER32.DLL, the thread is
> GUI after the DllMain has returned.
>
>
>
> When the Notepad is initialized, the main thread becomes a GUI thread when
> the DLL initialization routine of USER32.DLL has run and before WinMain has
> started.
>
>
>
> So, I think that if an executable is linked with USER32.DLL, there is a
> great chance that the main thread will be a GUI thread.

No but D3D11.DLL(DirectX) is linked to WIN32U.DLL just like USER32.DLL.

WIN32U.DLL is where some (at least) WIN32K.SYS system calls are exported.

The IsGUIThread API converts a non-GUI thread to a GUI thread with a
WIN32K.SYS system call.

On Apr 9, 2017 05:35, “Ami Awbadhho” wrote:

> that’s interesting, just curious, have u tried with other graphics libs,
> like SDL?

On Wed, Apr 5, 2017 at 10:04 PM, A P wrote:
> Hello veterans,
>
> Is there a way for a kernel driver to find out whether a process/thread has
> a Windows/GUI? I know it is possible in user mode, but just wanted to see if
> the same is possible in the kernel as well?
>
> thanks
> Pinto

Hello,

If you read about Windows’ user session compartmentalization you will
find a part where it is documented that some major drivers and
services did have graphical interfaces, but this has since been
explicitly deprecated and may not have been intentional behavior in
the first place. Based on the replies so far you may be able to
directly manipulate the Window queue but that might turn into
“puppeting” a user mode process instead of actually having a GUI
attached to your driver.

Cheers,
R0b0t1

thanks everyone for the pointers. looks like there is no way to do this in
the kernel in a documented fashion.

we have a user mode service running in session 0 (not the user session),
the actual win32 APIs EnumThreadWindows etc fail there as well if we try to
fetch the window list for processes running in the user session. Is there a
way out here?

On Sun, Apr 9, 2017 at 7:06 PM, R0b0t1 wrote:

> On Wed, Apr 5, 2017 at 10:04 PM, A P wrote:
> > Hello veterans,
> >
> > Is there a way for a kernel driver to find out whether a process/thread
> > has a Windows/GUI? I know it is possible in user mode, but just wanted to
> > see if the same is possible in the kernel as well?
> >
> > thanks
> > Pinto
>
> Hello,
>
> If you read about Windows’ user session compartmentalization you will
> find a part where it is documented that some major drivers and
> services did have graphical interfaces, but this has since been
> explicitly deprecated and may not have been intentional behavior in
> the first place. Based on the replies so far you may be able to
> directly manipulate the Window queue but that might turn into
> “puppeting” a user mode process instead of actually having a GUI
> attached to your driver.
>
> Cheers,
> R0b0t1

A P wrote:

> we have a user mode service running in session 0 (not the user
> session), the actual win32 APIs EnumThreadWindows etc fail there as
> well if we try to fetch the window list for processes running in the
> user session. Is there a way out here?

If you want to interact with the UI session, you will need to be part of
the UI session. The purpose of sessions is to keep these things separated.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Read about the windows station APIs. Assuming that your service is session aware, and you have the necessary permissions, you can probably do what you need.

Sent from Mail for Windows 10

From: Tim Roberts
Sent: April 19, 2017 12:52 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Does Process have a GUI?

A P wrote:
>
> we have a user mode service running in session 0 (not the user
> session), the actual win32 APIs EnumThreadWindows etc fail there as
> well if we try to fetch the window list for processes running in the
> user session. Is there a way out here?

If you want to interact with the UI session, you will need to be part of
the UI session. The purpose of sessions is to keep these things separated.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



Essentially if you are running a service to communicate with your
driver then you will need to create a process which communicates with
the service. The alternative is to eschew the service and only run the
GUI application.

I admit this seems slightly circuitous, but this is by far the best
way to compartmentalize driver interaction. Major software projects
(such as X11) implement this pattern and it behaves quite well. For an
independent developer it can be a bit of a burden, though.

On Tue, Apr 18, 2017 at 10:15 PM, A P wrote:
> thanks everyone for the pointers. looks like there is no way to do this in
> the kernel in a documented fashion.
>
> we have a user mode service running in session 0 (not the user session), the
> actual win32 APIs EnumThreadWindows etc fail there as well if we try to
> fetch the window list for processes running in the user session. Is there a
> way out here?

I’m kind of perplexed why EnumThreadWindows isn’t working for you. Maybe the token needs modified? Though usually Microsoft is good about documenting that. Maybe try EnumWindows and GetWindowThreadProcessId. Then EnumChildWindows and walk the chain from there. Not the most direct method but worth a shot maybe.