about instances of ntoskrnl.exe

Dear friends

Is there any way to understand which instance of ntoskrnl.exe (ntoskrnl,
ntkrnlpa, ntkrnlmp, ntkrnlamp) is running in the typical system? I want to
know whether there is any API or registry entry to find the CPU information
(single/multiple processor - with PAE / without PAE) with a program?

Cheers
Jack

Hello Jack,

This can be determined by NT load image name and OS version number.
ZwQuerySystemInformation/SystemModuleInformation returns the list of loaded
kernel modules. Now you must look known NT kernel names up in that list.
Usually, it’s placed at the first position, but don’t rely on that.

5.x OSes use 4 different kernels:

ntoskrnl.exe (1 CPU)

ntkrnlmp.exe (N CPU, SMP)

ntkrnlpa.exe (1 CPU, PAE)

ntkrpamp.exe (N CPU, SMP, PAE)

For 6.x x86 OSes, single processor kernel is gone, so just PAE and non-PAE
remains. Multi-processor kernels were just renamed to ntoskrnl.exe and
ntkrnlmp.exe. XP/Vista 64-bit OSes use only one kernel: ntoskrnl.exe.

Petr

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

This is not guaranteed to work; a custom kernel filename could be in use, specified by /kernel=.

- S


:) yes, you’re right

but it will work on relatively most systems - I don’t know about better
detection…

Petr


You can get the data, but it is painful. For the pathname it will either be
ntoskrnl.exe or ntkrnlpa.exe in the windows directory. You can determine
which, by checking the registry setting
HKLM\System\CurrentControlSet\Control\SystemStartOptions which gives you the
boot.ini options (it is supposed to work in later OS’es but I have not
verified this). Once you know which file, you can use GetFileVersionInfo
and related API’s to read the version block from the file and get the
original file name.

I did this for a tool that would add the partial checked build to a
configuration for you without following what was then Microsoft’s painful 12
step notes. Unfortunately, I never released the tool because Vista came out
and it only works for earlier versions, and in dealing with Vista, I found
that Microsoft made it too hard to contemplate.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
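
The name-based check from the posts above, combined with the /kernel= caveat and the SystemStartOptions value, as an added example (not code from the thread). The layout of the option string (space-separated tokens, optional leading '/') and all sample strings are assumptions constructed for illustration; x86 only.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Result bits. K_CUSTOM: a KERNEL= boot option was seen, so the file name
   proves nothing about the kernel type (the /kernel= caveat in the thread). */
enum { K_KNOWN = 1, K_SMP = 2, K_PAE = 4, K_CUSTOM = 8 };

/* Case-insensitive match of s against upper-case lit; whole != 0: s ends too. */
static int imatch(const char *s, const char *lit, int whole) {
    for (; *lit; s++, lit++)
        if (toupper((unsigned char)*s) != (unsigned char)*lit) return 0;
    return !whole || *s == '\0';
}

/* Walk the boot options token by token; ' ' and '/' both separate tokens. */
int has_kernel_override(const char *opts) {
    while (*opts) {
        while (*opts == ' ' || *opts == '/') opts++;
        if (imatch(opts, "KERNEL=", 0)) return 1;
        while (*opts && *opts != ' ' && *opts != '/') opts++;
    }
    return 0;
}

/* image: kernel image path or bare file name; os_major: 5 or 6 (x86 only);
   start_opts: text of the SystemStartOptions value (layout is assumed). */
int classify_kernel(const char *image, int os_major, const char *start_opts) {
    static const struct { const char *name; int bits; } known[] = {
        { "NTOSKRNL.EXE", K_KNOWN },                  /* 1 CPU           */
        { "NTKRNLMP.EXE", K_KNOWN | K_SMP },          /* N CPU, SMP      */
        { "NTKRNLPA.EXE", K_KNOWN | K_PAE },          /* 1 CPU, PAE      */
        { "NTKRPAMP.EXE", K_KNOWN | K_SMP | K_PAE },  /* N CPU, SMP, PAE */
    };
    const char *base = image;
    int bits = has_kernel_override(start_opts) ? K_CUSTOM : 0;
    for (const char *p = image; *p; p++)      /* keep only the file name */
        if (*p == '\\' || *p == '/') base = p + 1;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (imatch(base, known[i].name, 1)) {
            bits |= known[i].bits;
            if (os_major >= 6) bits |= K_SMP; /* no UP kernel on 6.x x86 */
            break;
        }
    return bits;
}

int main(void) {   /* constructed sample inputs, not taken from a real system */
    printf("%d\n", classify_kernel("\\WINDOWS\\system32\\ntkrnlpa.exe", 5,
                                   "NOEXECUTE=OPTIN FASTDETECT"));
    printf("%d\n", classify_kernel("\\WINDOWS\\system32\\mykrnl.exe", 5,
                                   "FASTDETECT KERNEL=MYKRNL.EXE"));
    return 0;
}
```

A result without K_KNOWN, or with K_CUSTOM set, means the file name alone cannot be trusted to describe the kernel.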


I can say that that registry value does seem to have the same information in Vista/Win7 at least in the case of custom kernel/hal paths, at least in my experience; don’t know whether the paths are there when hal/kernel aren’t used.

mm


Number of processors:
Use KeQueryActiveProcessors or KeNumberProcessors for old systems.
If there is more than one processor, the kernel is obviously
multiprocessor.
Otherwise it can be either (on old systems that have UP kernels).

PAE support: use ExIsProcessorFeaturePresent()

That’s all. No need to dig for undocumented details.

Regards,
– pa

> HKLM\System\CurrentControlSet\Control\SystemStartOptions which gives you the
> boot.ini options (it is supposed to work in later OS’es but I have not
> verified this).

It is still here on 2008 x64 SP2 RTM - just checked.

Don’t have installed Win7 at hand.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Just use AuxKlibQueryModuleInformation.

//Daniel


Please use Pavel’s suggestion on how to approach the underlying issue instead, which is the documented and supportable way to determine if PAE or multiple processors are present from kernel mode code. (Beware hot-add CPUs when relying on processor counts.)

Any solution based on divining platform features by kernel filename is at best highly fragile. I would not want to be caught having to support that in the field. (And parsing version resources in kernel mode? Euch.)

- S


> (And parsing version resources in kernel mode? Euch.)

That’s what caught my attention. Just getting that right using the user mode api’s, such as they are, and then using the information correctly can be surprisingly problematic. Doing this in the kernel would be pretty much inviting problems, I think.

mm

That will not catch a custom kernel filename with /kernel=, will it? And
when can you be sure this is a uniprocessor kernel? Note that the question
here is not how many processors are running in the system. Auxklib is
documented AND gives you a definite answer about the filename of the kernel
so I would rethink that.

//Daniel


Reading this another time better shows he also does ask for processor
information but I considered this a separate question. But his request is
also “from a program” so I think a better answer is
EnumDeviceDrivers/GetDeviceDriverFileName for the kernel file name and
GetLogicalProcessorInformation for the processor info.

//Daniel


> Use KeQueryActiveProcessors or KeNumberProcessors for old systems. If there are more
> than one processor, the kernel is obviously multiprocessor.

…but the opposite does not necessarily hold true - don’t forget about BIOSes that allow you to disable MP support.

Therefore, even if the CURRENT number of processors equals 1 it still may well happen that your host’s kernel and HAL versions are MP and not UP ones as you may expect - it will happen if user disables MP support after OS installation…

Anton Bassov

Thanks for all your useful responses :)

Are there any APIs to call in user mode to detect ntoskrnl instance and
processor counts?

Cheers
Jack

You can use GetSystemInformation (http://msdn.microsoft.com/en-us/library/ms724381(VS.85).aspx) to determine number of processors. This function only works if there are fewer than 64 processors on the system or you need to use new Win7 API. For “instance” I am not quite sure what you mean by that…

Thanks,
Alex
