#ifndef _NTPSAPI_H
#if (PHNT_VERSION >= PHNT_WIN11)

/**
 * Changes the suspension state of a process.
 *
 * @param ProcessStateChangeHandle A handle to the process state change object.
 * @param ProcessHandle A handle to the process.
 * @param StateChangeType The type of state change.
 * @param ExtendedInformation Optional extended information.
 * @param ExtendedInformationLength The length of the extended information.
 * @param Reserved Reserved for future use.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtChangeProcessState(
    _In_ HANDLE ProcessStateChangeHandle,
    _In_ HANDLE ProcessHandle,
    _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
    _In_opt_ _Reserved_ PVOID ExtendedInformation,
    _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength,
    _In_opt_ _Reserved_ ULONG64 Reserved
    );

#endif
#endif
View code on GitHub

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwChangeProcessState(
    _In_ HANDLE ProcessStateChangeHandle,
    _In_ HANDLE ProcessHandle,
    _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
    _In_opt_ _Reserved_ PVOID ExtendedInformation,
    _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength,
    _In_opt_ _Reserved_ ULONG64 Reserved
    );

#endif
View code on GitHub

Adjusts the state of a process via a process state object. This function offers a more resilient alternative mechanism to suspending processes, tying the duration of the operation to the lifetime of the state object.

Parameters

ProcessStateChangeHandle - a handle to the process state object created via NtCreateProcessStateChange. The handle must grant PROCESS_STATE_CHANGE_STATE access.
ProcessHandle - a handle to the associated process which state should be changed. For suspend and resume operations, this handle must grant PROCESS_SUSPEND_RESUME access.
StateChangeType - the type of the operation to perform.
ExtendedInformation - an optional pointer to a buffer with request-specific information. Currently unused.
ExtendedInformationLength - the size of the provided buffer. Currently unused.
Reserved - this parameter is unused and should be set to zero.

Operation types

For the list of supported operations, see PROCESS_STATE_CHANGE_TYPE.

Remarks

Closing the process state object handle via NtClose releases the reference. When the reference counter drops to zero, the system automatically undoes the effect of the state changes on the associated process.

This functionality is not exposed in Win32 API.

Required OS version

This function was introduced in Windows 11.

NtChangeProcessState - NtDoc

Parameters

Operation types

Remarks

Required OS version

See also

Parameters

Operation types

Remarks

Related Win32 API

Required OS version

See also