NtCreateThreadStateChange - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTPSAPI_H
#if (PHNT_VERSION >= PHNT_WIN11)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThreadStateChange(
_Out_ PHANDLE ThreadStateChangeHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ThreadHandle,
_In_opt_ ULONG64 Reserved
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCreateThreadStateChange(
_Out_ PHANDLE ThreadStateChangeHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ThreadHandle,
_In_opt_ ULONG64 Reserved
);
View code on GitHubCreates a new thread state object. This object offers a more resilient alternative to suspending threads, tying the duration of the operation to the lifetime of the state object. To change the state of the thread state object, use NtChangeThreadState.
ThreadStateChangeHandle - a pointer to a variable that receives a handle to the new thread state object.DesiredAccess - the access mask to provide on the returned handle. This value is usually THREAD_STATE_ALL_ACCESS.ObjectAttributes - an optional pointer to an OBJECT_ATTRIBUTES structure that specifies attributes of the new object/handle.ThreadHandle - a handle to the associated thread. The handle must grant THREAD_SET_INFORMATION access.Reserved - this parameter is unused and should be set to zero.To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required. When the reference counter on the thread state object drops to zero, the system automatically undoes the effect of the state changes on the associated thread.
This functionality is not exposed in Win32 API.
This function was introduced in Windows 11.