What happens and parameters passed when a new process is created

Via this blog I have just tried to show what exactly happens when a new process is created, what structures are required, and what parameters are passed to that process.

 

Whatever is mentioned below is extracted from different places in the Windows SDK; I have tried to put forward an easy picture for understanding purposes.

The CreateProcessAsUser function creates a new process and its primary thread. The new process then runs the specified executable file.

There are other functions for creating a process too, such as CreateProcess and CreateProcessWithLogonW, but I have chosen CreateProcessAsUser to explain.

BOOL CreateProcessAsUser(
  HANDLE hToken,
  LPCTSTR lpApplicationName,
  LPTSTR lpCommandLine,
  LPSECURITY_ATTRIBUTES lpProcessAttributes,
  LPSECURITY_ATTRIBUTES lpThreadAttributes,
  BOOL bInheritHandles,
  DWORD dwCreationFlags,
  LPVOID lpEnvironment,
  LPCTSTR lpCurrentDirectory,
  LPSTARTUPINFO lpStartupInfo,
  LPPROCESS_INFORMATION lpProcessInformation
);

Now a slightly more explained version of all the parameters passed to the function CreateProcessAsUser:

BOOL CreateProcessAsUser(

  HANDLE hToken
    Handle to a primary token that represents a user.

  LPCTSTR lpApplicationName
    Pointer to a null-terminated string that specifies the module to execute. The specified module can be a Windows-based application.

  LPTSTR lpCommandLine
    Pointer to a null-terminated string that specifies the command line to execute. If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module to execute, and *lpCommandLine specifies the command line.

  LPSECURITY_ATTRIBUTES lpProcessAttributes
    Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new process and determines whether child processes can inherit the returned handle. If lpProcessAttributes is NULL or lpSecurityDescriptor is NULL, the process gets a default security descriptor and the handle cannot be inherited. The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller, in which case the process may not be opened again after it is run. The process handle is valid and will continue to have full access rights.

    lpSecurityDescriptor (member of SECURITY_ATTRIBUTES)
      A pointer to a security descriptor for the object that controls the sharing of it. If NULL is specified for this member, the object is assigned the default security descriptor of the calling process. This is not the same as granting access to everyone by assigning a NULL discretionary access control list (DACL). The default security descriptor is based on the default DACL of the access token belonging to the calling process. By default, the default DACL in the access token of a process allows access only to the user represented by the access token. If other users must access the object, you can either create a security descriptor with the appropriate access, or add ACEs to the DACL that grant access to a group of users.

  LPSECURITY_ATTRIBUTES lpThreadAttributes
    Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL or lpSecurityDescriptor is NULL, the thread gets a default security descriptor and the handle cannot be inherited. The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller.

  BOOL bInheritHandles
    If this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process. If the parameter is FALSE, the handles are not inherited. Note that inherited handles have the same value and access rights as the original handles.

  DWORD dwCreationFlags
    Controls the priority class and the creation of the process.

    The GetPriorityClass function retrieves the priority class for the specified process. This value, together with the priority value of each thread of the process, determines each thread's base priority level. The operating system uses the base priority level of all executable threads to determine which thread gets the next slice of CPU time. Threads are scheduled in a round-robin fashion at each priority level, and only when there are no executable threads at a higher level will scheduling of threads at a lower level take place.

  LPVOID lpEnvironment
    Pointer to an environment block for the new process. If this parameter is NULL, the new process uses the environment of the calling process.

  LPCTSTR lpCurrentDirectory
    Pointer to a null-terminated string that specifies the full path to the current directory for the process. If this parameter is NULL, the new process will have the same current drive and directory as the calling process.

  LPSTARTUPINFO lpStartupInfo
    Pointer to a STARTUPINFO structure that specifies the window station, desktop, standard handles, and appearance of the main window for the new process. For graphical user interface (GUI) processes, this information affects the first window created by the CreateWindow function and shown by the ShowWindow function. For console processes, this information affects the console window if a new console is created for the process. A process can use the GetStartupInfo function to retrieve the STARTUPINFO structure specified when the process was created.

  LPPROCESS_INFORMATION lpProcessInformation
    Pointer to a PROCESS_INFORMATION structure that receives identification information about the new process. This structure contains information about the newly created process and its primary thread.

      typedef struct _PROCESS_INFORMATION {
        HANDLE hProcess;
        HANDLE hThread;
        DWORD  dwProcessId;
        DWORD  dwThreadId;
      } PROCESS_INFORMATION, *LPPROCESS_INFORMATION;

    If the function succeeds, be sure to call the CloseHandle function to close the hProcess and hThread handles when you are finished with them. Otherwise, when the child process exits, the system cannot clean up these handles because the parent process did not close them. However, the system will close these handles when the parent process terminates, so they would be cleaned up at that point.

);

By default, CreateProcessAsUser creates the new process on a noninteractive window station with a desktop that is not visible and cannot receive user input. To enable user interaction with the new process, you must specify the name of the default interactive window station and desktop, "winsta0\default", in the lpDesktop member of the STARTUPINFO structure.
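As an added example (not code from the original post), here is a small wrapper that calls CreateProcessAsUser with the interactive desktop named above, an explicit lpEnvironment block, default security descriptors, bInheritHandles set to FALSE, and the CloseHandle cleanup of both PROCESS_INFORMATION handles described above. build_env_block is portable; launch_as_user is Windows-only and assumes the caller already holds a primary token (for example from LogonUser or DuplicateTokenEx) and the privileges the SDK requires for this call.

```c
/* Added example: not part of the original post. */
#include <stddef.h>
#include <string.h>

/* Build an ANSI lpEnvironment block: "NAME=value\0NAME=value\0\0".
 * Returns bytes written including the final terminator, or 0 if out is too small. */
size_t build_env_block(const char *const *pairs, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(pairs[i]) + 1;        /* include this entry's '\0' */
        if (used + len + 1 > cap) return 0;       /* keep room for the block terminator */
        memcpy(out + used, pairs[i], len);
        used += len;
    }
    out[used++] = '\0';                           /* double-NUL terminates the block */
    return used;
}

#ifdef _WIN32
#include <windows.h>

/* hToken: a primary token for the target user (assumed obtained by the caller).
 * env: block from build_env_block, or NULL to inherit the caller's environment.
 * Returns 0 on success, otherwise the GetLastError() value. */
DWORD launch_as_user(HANDLE hToken, const char *app, const char *env, DWORD *pid)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmdline[MAX_PATH];                       /* lpCommandLine must be writable */
    size_t len = strlen(app) + 1;
    if (len > sizeof cmdline) return ERROR_BUFFER_OVERFLOW;
    memcpy(cmdline, app, len);
    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    si.lpDesktop = "winsta0\\default";            /* visible, input-capable desktop */
    ZeroMemory(&pi, sizeof pi);
    if (!CreateProcessAsUserA(hToken, NULL, cmdline,
                              NULL, NULL,         /* default SDs, handles not inheritable */
                              FALSE,              /* do not hand our inheritable handles over */
                              CREATE_NEW_CONSOLE, /* no CREATE_UNICODE_ENVIRONMENT: ANSI block */
                              (LPVOID)env, NULL, &si, &pi))
        return GetLastError();
    *pid = pi.dwProcessId;
    CloseHandle(pi.hThread);                      /* release both handles, as the SDK advises */
    CloseHandle(pi.hProcess);
    return 0;
}
#endif
```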

The preferred way to shut down a process is by using the ExitProcess function, because this function sends notification of approaching termination to all DLLs attached to the process. Other means of shutting down a process do not notify the attached DLLs. Note that when a thread calls ExitProcess, other threads of the process are terminated without an opportunity to execute any additional code (including the thread termination code of attached DLLs).

PLEASE LEVERAGE THE WINDOWS SDK FOR MORE ON THE SAME.

 

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.