# Identifying a new thread in another process...


Idov    210
Hi!
Does anybody know if it's possible to identify a thread creation in another process?
The process must be asking it from the OS, so can we intercept this request somehow?
thanks :)

##### Share on other sites
ApochPiQ    23003
Sure; there's a couple of ways at least. The easiest is probably to attach to the process as a debugger; that'll get you a list of events such as forking of threads that you can monitor. At the other end of the scale is kernel API hooking, although I'm not personally up to date on the techniques for that so I can't make any specific recommendations offhand.

##### Share on other sites
Idov    210
Ok, then I will need to start that process with "DEBUG_PROCESS". will it affect the performance of the debugged process?

##### Share on other sites
Antheus    2409
Quote:
Original post by Idov
Ok, then I will need to start that process with "DEBUG_PROCESS". will it affect the performance of the debugged process?

Possibly.

What are you really trying to do?

##### Share on other sites
Antheus    2409
Quote:
Original post by Antheus
Quote:
Original post by Idov
Ok, then I will need to start that process with "DEBUG_PROCESS". will it affect the performance of the debugged process?

Possibly. Or it might not be possible to attach any useful debugging hook at all, either due to security or due to active counter-measures within the application itself.

What are you really trying to do?

##### Share on other sites
Idov    210
Quote:
Original post by Antheus
Quote:
Original post by Antheus
Quote:
Original post by Idov
Ok, then I will need to start that process with "DEBUG_PROCESS". will it affect the performance of the debugged process?

Possibly. Or it might not be possible to attach any useful debugging hook at all, either due to security or due to active counter-measures within the application itself.

What are you really trying to do?

I'm trying to write a little profiler, so instead of going through all the threads in the system and picking those which belong to the other process, I'm trying to get them directly. :)

##### Share on other sites
ApochPiQ    23003
So you just need a list of running threads, but not a thread fork event monitor?

##### Share on other sites
Idov    210
Quote:
Original post by ApochPiQ
So you just need a list of running threads, but not a thread fork event monitor?
Look at Thread32First and Thread32Next.

yes, I know these methods, but why go through all the threads if I can get only the ones I want?

##### Share on other sites
ApochPiQ    23003
I don't understand your question. A snapshot is of a single process, and you need all the threads from a process, so how is that different from "the ones you want"?

##### Share on other sites
Idov    210
Quote:
Original post by ApochPiQ
I don't understand your question. A snapshot is of a single process, and you need all the threads from a process, so how is that different from "the ones you want"?

Because it returns all the threads from all the processes at the time of the snapshot.

"Includes all threads in the system in the snapshot. To enumerate the threads, see Thread32First.

To identify the threads that belong to a specific process, compare its process identifier to the th32OwnerProcessID member of the THREADENTRY32 structure when enumerating the threads."

I want to know only about a specific process without getting threads I really don't care about...

##### Share on other sites
ApochPiQ    23003
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?

Priority check [wink]

##### Share on other sites
Idov    210
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?
Priority check [wink]

Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.

##### Share on other sites
kuroioranda    304
Quote:
Original post by Idov
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?
Priority check [wink]

Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.

I'm assuming you are worried about performance? On my machine, I currently have 552 threads running. An overhead of ~550 if() statements per sample frame is completely negligible on any modern CPU. It's a fraction of a fraction of a percent of what a CPU is capable of, and won't skew your results in any meaningful way.

##### Share on other sites
Idov    210
Quote:
Original post by kuroioranda
Quote:
Original post by Idov
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?
Priority check [wink]

Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.

I'm assuming you are worried about performance? On my machine, I currently have 552 threads running. An overhead of ~550 if() statements per sample frame is completely negligible on any modern CPU. It's a fraction of a fraction of a percent of what a CPU is capable of, and won't skew your results in any meaningful way.

ok, but it's not the "if" statement that worries me.
it's the "Thread32Next" that I'm afraid of.
Is this what you meant? that the "Thread32Next" doesn't affect the performance?

##### Share on other sites
kuroioranda    304
Quote:
Original post by Idov
Quote:
Original post by kuroioranda
Quote:
Original post by Idov
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?
Priority check [wink]

Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.

I'm assuming you are worried about performance? On my machine, I currently have 552 threads running. An overhead of ~550 if() statements per sample frame is completely negligible on any modern CPU. It's a fraction of a fraction of a percent of what a CPU is capable of, and won't skew your results in any meaningful way.

ok, but it's not the "if" statement that worries me.
it's the "Thread32Next" that I'm afraid of.
Is this what you meant? that the "Thread32Next" doesn't affect the performance?

Sorry, I misunderstood you, I actually was referring to the if() statements. But it applies to the Thread32Next() function as well.

Generally it's not worth worrying about the performance of individual function calls like that until you have actually had a profiler indicate they are using a significant amount of CPU time. It's easy to assume the worst (that it will be slow), but the reality is that it's probably not even going to be a blip on your CPU.

If you're still nervous, though, why not try writing up a quick program that just loops over every thread in the system as many times as possible in one second, and see how many times you can do it? Then you will have quantifiable data to either back up or dispel your fears.

##### Share on other sites
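The measurement suggested above, together with the `th32OwnerProcessID` filter from the MSDN text quoted earlier, as an added example that is not code from any poster in this thread. It is written in Python with `ctypes`; the names `walk_system_threads`, `threads_of`, `walks_per_second` and the injectable `walk` parameter are assumptions of this example, and the Win32 path runs only on Windows.

```python
import ctypes
import time
from ctypes import c_int32, c_uint32, c_void_p

TH32CS_SNAPTHREAD = 0x00000004
INVALID_HANDLE_VALUE = c_void_p(-1).value

class THREADENTRY32(ctypes.Structure):  # tlhelp32.h layout, 28 bytes
    _fields_ = [("dwSize", c_uint32), ("cntUsage", c_uint32),
                ("th32ThreadID", c_uint32), ("th32OwnerProcessID", c_uint32),
                ("tpBasePri", c_int32), ("tpDeltaPri", c_int32), ("dwFlags", c_uint32)]

def walk_system_threads():
    """Yield (thread_id, owner_pid) for every thread in a fresh snapshot (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [c_uint32, c_uint32]
    k32.Thread32First.argtypes = [c_void_p, ctypes.POINTER(THREADENTRY32)]
    k32.Thread32Next.argtypes = [c_void_p, ctypes.POINTER(THREADENTRY32)]
    k32.CloseHandle.argtypes = [c_void_p]
    # With TH32CS_SNAPTHREAD the process-id argument is ignored: the snapshot is system-wide.
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        entry = THREADENTRY32(dwSize=ctypes.sizeof(THREADENTRY32))
        more = k32.Thread32First(snap, ctypes.byref(entry))
        while more:
            yield entry.th32ThreadID, entry.th32OwnerProcessID
            more = k32.Thread32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)

def threads_of(pid, walk=walk_system_threads):
    """Thread ids owned by `pid`: one comparison per entry in the snapshot."""
    return [tid for tid, owner in walk() if owner == pid]

def walks_per_second(pid, walk=walk_system_threads, budget=1.0):
    """Count how many complete snapshot-and-filter passes fit in `budget` seconds."""
    deadline = time.perf_counter() + budget
    passes = 0
    while time.perf_counter() < deadline:
        threads_of(pid, walk)
        passes += 1
    return passes

if __name__ == "__main__" and hasattr(ctypes, "WinDLL"):
    me = ctypes.WinDLL("kernel32").GetCurrentProcessId()
    print(len(threads_of(me)), "threads,", walks_per_second(me), "passes/second")
```

Run as a script on Windows, it reports the current process's thread count and how many full snapshot passes fit in one second, which is the figure the timing suggestion asks for.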
Idov    210
hmmm... that's a good idea.
thanks :)

##### Share on other sites
Idov    210
NO!!!!!
I tried to run my program when it only gets the threads each sample and then again without getting the threads and found out that getting the threads takes almost all the CPU time...
I have about 700 threads in my system.

what should I do??? :(

##### Share on other sites
MaulingMonkey    1728
Quote:
Original post by Idov
I tried to run my program when it only gets the threads each sample and then again without getting the threads and found out that getting the threads takes almost all the CPU time...

Does your code actually... you know... do anything 'without getting the threads'?

Idov    210
yes :)

##### Share on other sites
XTAL256    106
I think what MaulingMonkey means is that your loop that "does not get the threads" is probably being optimised away so that it doesn't even get run.

I assume your test code looks something like this:
```
// Getting threads
get time
for (...) {
    call Thread32Next
}
get time
calculate time difference

// Not getting threads
get time
for (...) {
    // do nothing
}
get time
calculate time difference
```

If that is the case, then the first loop will just run as fast as it can, using 100% CPU. And the second loop will be optimised away so that it doesn't even run.

If that is not the case, then your code could probably be optimised, because I doubt that a single function call could use that much CPU. And you should post your code so that we know what you are talking about without having to guess.

##### Share on other sites
Idov    210
No. It does stuff.
It really is a lot of code, so I'll use pseudo code.
basically it is something like that:

```
void GetThreads()
{
   // Here I use the example from MSDN http://msdn.microsoft.com/en-us/library/ms686852(v=VS.85).aspx
}

void Sample()
{
   GetThreads(); // When I checked it, I just removed this line.
   for (int i = 0; i < numOfThreads; i++)
      Walk The Stack Of The Thread And Stuff
}

void Run()
{
   GetThreads();
   while(true)
   {
       Sample();
       Sleep(20);
   }
}
```

##### Share on other sites
MaulingMonkey    1728
Quote:
Original post by Idov
No. It does stuff.
It really is a lot of code, so I'll use pseudo code.
basically it is something like that:
*** Source Snippet Removed ***

I would assume numOfThreads to be 0 if you removed GetThreads().

So, your Sample() function is effectively:

```
void Sample() {
    for ( int i = 0 ; i < 0 ; i++ ) {
        ...
    }
}
```

This can be rewritten as:

```
void Sample() {}
```

I recommend following kuroioranda's advice:

Quote:
 If you're still nervous, though, why not try writing up a quick program that just loops over every thread in the system as many times as possible in one second, and see how many times you can do it? Then you will have quantifiable data to either back up or dispel your fears.

Note well that this is completely different from "compare doing something to doing nothing with a sleep thrown in and then panicking if the process explorer shows the CPU usage skyrocketing". In part because there's no hard data there, only vague assumptions. There's a reason I literally can't remember a time I've seen Sleep()s in a performance test like this before — and it's not because it's an ingenious idea I'm afraid :).

kuroioranda would instead suggest finding out how many times you can call Sample() in 1 second. 5 times? 10 times? 100 times? 1000? You can find out!

##### Share on other sites
Idov    210
The number of threads is 1. I get it before the while(true) loop. :)
I will check how many samples I have in a second.
thanks :)
