OSR Online Lists > ntdev

  Message 1 of 2  
12 Apr 18 10:52
MIsha Paranski
Join Date: 18 May 2017
Posts To This List: 23
ZwSuspendProcess() fails with STATUS_OBJECT_TYPE_MISMATCH

Greetings, I have been using ZwSuspendProcess() to suspend a process from a notifier that is called when a process is created (registered using PsSetCreateProcessNotifyRoutine()). I open the process handle like this:

    InitializeObjectAttributes(&ObjAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    ClientId.UniqueProcess = ProcessId;
    ClientId.UniqueThread = NULL;

    Status = ZwOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS,
                           &ObjAttributes, &ClientId);
    if (!NT_SUCCESS(Status)) {
        ProcessHandle = NULL;
        goto out;
    }

And then call ZwSuspendProcess():

    Status = ZwSuspendProcess(ProcessHandle);
    if (!NT_SUCCESS(Status)) {
        PPERROR("Failed suspending process %u: %x",
                ProcessId, Status);
        goto out;
    }

I know it's not documented, but this worked perfectly on Windows 7 (32-bit, 64-bit) and on Windows 10 (32-bit), but it fails on Windows 10 64-bit, because ZwSuspendProcess() returns STATUS_OBJECT_TYPE_MISMATCH. The type of the object of course is EPROCESS (just to be sane, I checked by using ObReferenceObjectByHandle(), and it's successful). Any hints, ideas? Thank you.
  Message 2 of 2  
12 Apr 18 14:55
Peter Viscarola
Posts To This List: 6243
List Moderator
ZwSuspendProcess() fails with STATUS_OBJECT_TYPE_MISMATCH

> Any hints, ideas?

Yup. Here's my idea: This is precisely what can happen when you use undocumented functions, which is why we tell people to avoid doing so. They're undocumented for a reason. Shit changes from release to release... when devs find holes, issues, or they just change the way a function works because they want to. When a function's not documented, it's fair game. Sorry... I know you don't want to hear that. But it's the truth...

Peter
OSR
@OSRDrivers