PsLookupThreadByThreadId is failing with STATUS_INVALID_CID[0xC000000B]

OSR_Community_User · May 27, 2014, 8:12am

I have registered for thread notification callback using PsSetCreateThreadNotifyRoutine. In notification callback, I am calling PsLookupThreadByThreadId with ThreadID but it’s throwing me status as STATUS_INVALID_CID [0xC000000B]. I am doing same as mentioned in msdn library for PsLookupThreadByThreadId.

Using this code I am trying to get ETHREAD so that I can check whether Thread is system. If yes, don’t process otherwise do something.

Am I missing something ?

Thanks,
Subrat

Don_Burn · May 27, 2014, 8:22am

How are you going to check if the thread is a system thread using the
ETHREAD structure? The notification callback gives you the process ID, and
you can use that Id to determine if this is a system thread.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Tuesday, May 27, 2014 8:12 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] PsLookupThreadByThreadId is failing with
STATUS_INVALID_CID[0xC000000B]

I have registered for thread notification callback using
PsSetCreateThreadNotifyRoutine. In notification callback, I am calling
PsLookupThreadByThreadId with ThreadID but it’s throwing me status as
STATUS_INVALID_CID [0xC000000B]. I am doing same as mentioned in msdn
library for PsLookupThreadByThreadId.

Using this code I am trying to get ETHREAD so that I can check whether
Thread is system. If yes, don’t process otherwise do something.

Am I missing something ?

Thanks,
Subrat

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · May 27, 2014, 8:32am

PsIsSystemThread can help me in this case…

OSR_Community_User · May 28, 2014, 5:46am

@Don Am I doing something wrong ? Any idea why I am getting this error

~Subrat

OSR_Community_User · May 29, 2014, 2:36am

I solved it… It was a silly mistake…I was using wrong API. Please don’t mind.

Thanks,
Subrat