Processes and Threads (In Windows)

June 18, 2018

How Processes and Threads work in Windows In the Windows operating system, threads are different than processes, though every process contains at least one thread.

"A process is a container for a set of resources used to execute a program," write Mark Russinovich and Aaron Margosis, in the 2012 book " Windows Sysinternals Adminstrators' Reference."

A Windows process has a unique identifier called a process ID (PID) and at least one thread of execution. The process gets a set of a set of private virtual memory addresses to store reference data and code of an executable program. It keeps a copy of the parent process PID. The process also gets open handles to system resources, such as semaphores, communication ports, and files. An access token identifies the user, security groups, and various privileges. (A Windows extension called a job group sets of processes to run as a single job).

Windows executes the thread (it is incorrect to say it runs the "process"). The thread itself includes a thread ID (TID), contents of a set of CPU registers that hold two stacks - one for a kernel- mode thread and the other for a user-mode thread - as well as a pointer to the next machine instruction. The thread gets a space for thread-local storage (TLS) for access to run-time libraries and dynamic-link libraries (DLLs). All the threads of a single process share resources as well as a single virtual address space, so that all process threads can access one another's memory.

Keep in mind that “processes" do not “run.” They are only a holding mechanism for the threads, which the OS kernel actually executes. A process is typically a series of individual functions, often either a DLL or internal library call. The function either calls the next function action or hands control back to the previous one. This is the call-stack. Upon calling a subfunction, the function places at the top of the stack" the memory location of the next instruction to call once that subfunction is finished.

Process Examination

For Windows, the primary took for examining processes in depth is Process Explorer (Procexp) available as a free download. It can replace the built-in Task Explorer, which doesn't offer as much nuanced information.

Procexp offers several ways to examine processes. It will list the processes in a tree view, ]allowing you to drill down into each DLL or library call. It also offers, through the Handle view, a listing of all all the kernel objects opened by a process, be they files, folders, registry keys, network endpoints or other objects. Procexp also offers a more detailed view of each process’ CPU usage. Context switches are also shown.