How to monitor context switch in windows 7?

How can I monitor process/thread context switch using either kernel driver or API hooking in windows 7 ? I want to log the register values when a process (for e.g., internet explorer) goes into the resume/suspend state at the time of context switch.
1.2k views, asked by user2606719
The answer somewhat depends on what you want to accomplish and what restrictions you have.
I think you first need to narrow the scope somewhat over what the OP says. In particular "resume/suspend" aren't well enough defined to know what you want. In fact Windows doesn't have a "suspend process" API. Procmon suspends processes by suspending all the threads in a process.
I suspect you mean when a process switch occurs. A process switch doesn't occur without a thread switch. So what you may want to know is when a thread owned by process X is switched to a thread owned by IE (to use your example), and when a thread owned by IE is switched to a thread owned by some other process.
The simplest way I can think of is to use a kernel debugger (Windbg, KD) and set a breakpoint on the kernel function that switches threads. I don't remember what that function is offhand, but you could disassemble any number of kernel APIs (e.g. WaitForSingleEvent) to see what they do when they need to block. They have to pass control to the thread dispatcher. Or, simpler maybe, just look at the stack dump of all the threads in the system process (get help on !process to see the option). Many of them will be in the dispatcher.
If you want to log thread switches you could write some debugger functions to 1) check if a process switch into/out of IE occurred and 2) log the data somehow. However, using the debugger won't be practical if you want to capture all the thread switches in an IE session. It would be far too slow.
Another possibility is Event Tracing for Windows (ETW). ETW is a big topic, so google for it. Look specifically for tracing of kernel events: 1) how to turn on ETW for kernel dispatch events, 2) how to capture the events to a file and 3) how to view/process the events in the file. You may have to write a program to postprocess the events to extract the ones you're interested in.
Finally, you could google for Windows Kernel Hooking or similar. Microsoft has made hooking kernel APIs harder in later versions of Windows - I don't know exactly what they did in Win7 versus Vista versus Win8, but you'll need to keep that in mind as you google. I do recall some kernel hooking activities coming out of Microsoft Research a number of years ago.
If you do find APIs to hook kernel APIs you'll be in for some driver development, unless you can also find a framework that lets you control everything from user mode.
You may have better results asking this on a site devoted to driver development, kernel hacking, etc. I know OSR has a pretty good set of resources, including message boards.
Good luck.
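As an added example (not part of the question or the answer), here is a small Python post-processor of the kind the ETW route ends with: it reads a context-switch dump and reports the switches that move the CPU into or out of one process, plus per-thread CPU residency. The CSV layout is a constructed simplification and an assumption, not the exact xperf/tracerpt column set; kernel CSwitch records identify the old and new thread and the wait state, they do not carry register contents.

```python
"""Post-process a context-switch dump: which switches move the CPU into or out
of one process, and how long each of its threads stayed on the CPU."""
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified CSV layout (an assumption, not the exact
# xperf/tracerpt column set): one row per CSwitch event on a single CPU.
SAMPLE_DUMP = """\
timestamp_us,new_process,new_pid,new_tid,old_process,old_pid,old_tid,old_state
1000,iexplore.exe,2412,2440,System,4,8,Waiting
1250,explorer.exe,1340,1352,iexplore.exe,2412,2440,Ready
1300,iexplore.exe,2412,2444,explorer.exe,1340,1352,Waiting
1400,iexplore.exe,2412,2440,iexplore.exe,2412,2444,Ready
1500,Idle,0,0,iexplore.exe,2412,2440,Waiting
"""

def parse_dump(text):
    """Yield one dict per event with numeric fields converted (timestamps in us)."""
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("timestamp_us", "new_pid", "new_tid", "old_pid", "old_tid"):
            row[key] = int(row[key])
        yield row

def process_switches(text, target):
    """Switches where `target` gains ("in") or loses ("out") the CPU.
    A switch between two threads of the same process is not a process switch
    (as the answer notes), so such rows are dropped."""
    found = []
    for r in parse_dump(text):
        new_is, old_is = r["new_process"] == target, r["old_process"] == target
        if new_is == old_is:        # neither side is target, or both sides are
            continue
        if new_is:
            found.append((r["timestamp_us"], "in", r["new_tid"], r["old_process"]))
        else:
            found.append((r["timestamp_us"], "out", r["old_tid"], r["new_process"]))
    return found

def thread_on_cpu_us(text, target):
    """Per-thread CPU residency for `target`, paired at thread level so that
    intra-process switches (thread A -> thread B of the same process) count."""
    on_since, total = {}, defaultdict(int)
    for r in parse_dump(text):
        if r["old_process"] == target and r["old_tid"] in on_since:
            total[r["old_tid"]] += r["timestamp_us"] - on_since.pop(r["old_tid"])
        if r["new_process"] == target:
            on_since[r["new_tid"]] = r["timestamp_us"]
    return dict(total)

if __name__ == "__main__":
    for event in process_switches(SAMPLE_DUMP, "iexplore.exe"):
        print(event)
    print(thread_on_cpu_us(SAMPLE_DUMP, "iexplore.exe"))
```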