ZwSuspendProcess() fails with STATUS_OBJECT_TYPE_MISMATCH

Greetings,

I have been using ZwSuspendProcess() to suspend a process from a notifier that is called when a process is created (registered using PsSetCreateProcessNotifyRoutine()).

I open the process handle like this:
/* OBJ_KERNEL_HANDLE: the handle is only valid in kernel mode */
InitializeObjectAttributes(&ObjAttributes, NULL,
                           OBJ_KERNEL_HANDLE, NULL, NULL);

ClientId.UniqueProcess = ProcessId;
ClientId.UniqueThread = NULL;

Status = ZwOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS,
                       &ObjAttributes, &ClientId);
if (!NT_SUCCESS(Status)) {
    ProcessHandle = NULL;
    goto out;
}

And then call ZwSuspendProcess():

Status = ZwSuspendProcess(ProcessHandle);
if (!NT_SUCCESS(Status)) {
    PPERROR("Failed suspending process %u: %x",
            ProcessId, Status);
    goto out;
}

I know it's not documented, but this worked perfectly on Windows 7 (32-bit, 64-bit) and on Windows 10 (32-bit), but fails on Windows 10 64-bit, because ZwSuspendProcess() returns STATUS_OBJECT_TYPE_MISMATCH.

The type of the object of course is EPROCESS (just to be sane, I checked by using ObReferenceObjectByHandle(), and it's successful).

Any hints, ideas?

Thank you.

Yup. Here’s my idea: This is precisely what can happen when you use undocumented functions, which is why we tell people to avoid doing so. They’re undocumented for a reason. Shit changes from release to release… When Devs find holes, issues, or they just change the way a function works because they want to. When a function’s not documented, it’s fair game.

Sorry… I know you don’t want to hear that. But it’s the truth…

Peter
OSR
@OSRDrivers