Solved

How to Kill a specific NTVDM instance ?

Posted on 2002-07-03
Last Modified: 2008-02-01
I am running 2 16-bit applications in different memory spaces in Windows 2000.
So two instances of ntvdm are loaded.
How to get the process ID of a specific ntvdm ?

Thanks
Question by:masvmasv
8 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 7127638
See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q178893 ("HOWTO: Terminate an Application "Cleanly" in Win32 (Q178893)"). The sample code there also deals with the "16bit issue":

   /*----------------------------------------------------------------
   DWORD WINAPI Terminate16App( DWORD dwPID, DWORD dwThread,
                        WORD w16Task, DWORD dwTimeout )

   Purpose:
      Shut down a Win16 APP.

   Parameters:
      dwPID
         Process ID of the NTVDM in which the 16-bit application is
         running.

      dwThread
         Thread ID of the thread of execution for the 16-bit
         application.

      w16Task
         16-bit task handle for the application.

      dwTimeout
         Wait time in milliseconds before shutting down the task.

   Return Value:
      If successful, returns TA_SUCCESS_16
      If unsuccessful, returns TA_FAILED.
      NOTE:  These values are defined in the header for this
      function.

   NOTE:
      You can get the Win16 task and thread ID through the
      VDMEnumTaskWOW() or the VDMEnumTaskWOWEx() functions.
   ----------------------------------------------------------------*/
   DWORD WINAPI Terminate16App( DWORD dwPID, DWORD dwThread,
                        WORD w16Task, DWORD dwTimeout )
   {
      HINSTANCE      hInstLib ;
      TERMINFO      info ;

      // You will be calling the functions through explicit linking
      // so that this code will be binary compatible across
      // Win32 platforms.
      BOOL (WINAPI *lpfVDMTerminateTaskWOW)(DWORD dwProcessId,
         WORD htask) ;

      hInstLib = LoadLibraryA( "VDMDBG.DLL" ) ;
      if( hInstLib == NULL )
         return TA_FAILED ;

      // Get procedure addresses.
      lpfVDMTerminateTaskWOW = (BOOL (WINAPI *)(DWORD, WORD ))
         GetProcAddress( hInstLib, "VDMTerminateTaskWOW" ) ;

      if( lpfVDMTerminateTaskWOW == NULL )
      {
         FreeLibrary( hInstLib ) ;
         return TA_FAILED ;
      }

      // Post a WM_CLOSE to all windows that match the ID and the
      // thread.
      info.dwID = dwPID ;
      info.dwThread = dwThread ;
      EnumWindows((WNDENUMPROC)Terminate16AppEnum, (LPARAM) &info) ;

      // Wait.
      Sleep( dwTimeout ) ;

      // Then terminate.
      lpfVDMTerminateTaskWOW(dwPID, w16Task) ;

      FreeLibrary( hInstLib ) ;
      return TA_SUCCESS_16 ;
   }

0
 

Author Comment

by:masvmasv
ID: 7127653
Thanks... but:
"How to get the process ID of a specific ntvdm ?"


0
 
LVL 86

Expert Comment

by:jkr
ID: 7127668
That's also mentioned in the article:

If you wish to shut down a single 16-bit application within a NTVDM process, following are the steps you need to take:

1. Post a WM_CLOSE to all Top-Level windows that are owned by the process, and that have the same owning thread ID as the 16-bit task you want to shut down. The most effective way to do this is by using EnumWindows(). In your callback function, check to see if the window's process ID and thread ID matches the 16-bit task you want to shut down. Remember that the process ID is going to be the process ID of the NTVDM process in which the 16-bit application is running.

2. Although you have a thread ID, you have no way to wait on the termination of the 16-bit process. As a result, you must wait for an arbitrary length of time (to allow a clean shut down), and then try to shut the application down anyway. If the application has already shut down, then this will do nothing. If it hasn't shut down, then it will terminate the application.

3. Terminate the application using a function called VDMTerminateTaskWOW(), which can be found in the Vdmdbg.dll. It takes the process ID of the VDM and the task number of the 16-bit task.

This approach allows you to shut down a single 16-bit application within a VDM under Windows NT. However, 16-bit Windows is not very good at cleaning up resources of a terminated task, and neither is the WOWExec running in the VDM. If you are looking for the cleanest possible approach to terminating a 16-bit application under Windows NT, you should consider terminating the entire VDM process.

NOTE: If you are starting a 16-bit application that you may terminate later, then use the CREATE_SEPARATE_WOW_VDM with CreateProcess().
0
 

Author Comment

by:masvmasv
ID: 7129705
Hi !

This is not a good way... I explain:
Both programs run with SW_HIDE mode... and are console programs and don't have a window...

But... I need to know the correct NTVDM for each application...

Thanks
0
 
LVL 2

Accepted Solution

by:
Serega earned 75 total points
ID: 7137109
Each of your programs is running in a separate window. These windows have the class "ConsoleWindowClass", as they are running in the console.
0
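An added example (not part of the original thread or of the Microsoft KB sample) of the lookup the accepted answer points to: enumerate top-level windows, hidden ones included, keep those of class "ConsoleWindowClass", and map a window title to its owning PID, refusing to answer when more than one process matches. The WinRec type, pick_console_pid() and collect() are hypothetical names; it assumes the two consoles have distinguishable titles and that GetWindowThreadProcessId() on a console window reports the NTVDM that owns that console.

```c
#include <stdio.h>
#include <string.h>

/* One top-level window as reported by EnumWindows (hypothetical record type). */
typedef struct { const char *cls; const char *title; unsigned long pid; } WinRec;

/* Return the PID owning the console window whose title contains `needle`.
   Returns 0 when nothing matches or when several different PIDs match,
   so an ambiguous title can never select the wrong process. */
unsigned long pick_console_pid(const WinRec *w, size_t n, const char *needle)
{
    unsigned long pid = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(w[i].cls, "ConsoleWindowClass") != 0) continue;
        if (strstr(w[i].title, needle) == NULL) continue;
        if (pid != 0 && pid != w[i].pid) return 0;   /* ambiguous match */
        pid = w[i].pid;
    }
    return pid;
}

#ifdef _WIN32
#include <windows.h>
#define MAX_WINS 256
static WinRec g_wins[MAX_WINS];
static char g_cls[MAX_WINS][64], g_title[MAX_WINS][256];
static size_t g_n;

/* EnumWindows callback: record class, title and owning PID of each window. */
static BOOL CALLBACK collect(HWND h, LPARAM unused)
{
    DWORD pid = 0;
    (void)unused;
    if (g_n == MAX_WINS) return FALSE;               /* table full, stop */
    GetClassNameA(h, g_cls[g_n], (int)sizeof g_cls[g_n]);
    GetWindowTextA(h, g_title[g_n], (int)sizeof g_title[g_n]);
    GetWindowThreadProcessId(h, &pid);
    g_wins[g_n].cls = g_cls[g_n];
    g_wins[g_n].title = g_title[g_n];
    g_wins[g_n].pid = pid;
    g_n++;
    return TRUE;
}

int main(int argc, char **argv)
{
    if (argc < 2) return 2;                          /* usage: prog <title-part> */
    EnumWindows(collect, 0);
    printf("%lu\n", pick_console_pid(g_wins, g_n, argv[1]));
    return 0;
}
#endif
```

Before acting on the returned PID, confirm that its image name is ntvdm.exe; a result of 0 means no match or an ambiguous one.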
 
LVL 2

Expert Comment

by:Serega
ID: 7137120
btw, see the Microsoft KB article Q175030 to find the process ID of an NTVDM

http://support.microsoft.com/support/kb/articles/Q175/0/30.ASP
0
 
LVL 11

Expert Comment

by:griessh
ID: 7439516
Dear masvmasv

I think you forgot this question. I will ask Community Support to close it unless you finalize it within 7 days. You can always request to keep this question open. But remember, experts can only help you if you provide feedback to their questions.
Unless there is objection or further activity,  I will suggest to split between

     "jkr & serega"

comment(s) as an answer.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
======
Werner
0
 
LVL 6

Expert Comment

by:Mindphaser
ID: 7479681
Force accepted

** Mindphaser - Community Support Moderator **

jkr, there will be a separate question with points for your help.
0
