NtGetNextThread - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTPSAPI_H
//
// Processes
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_WS03)

/**
 * Retrieves a handle to the next thread in the process.
 *
 * @param ProcessHandle A handle to the process for enumeration of threads.
 * @param ThreadHandle An optional handle to a thread. If this parameter is NULL, the function retrieves the first thread in the process.
 * @param DesiredAccess The access rights desired for the new thread handle.
 * @param HandleAttributes The attributes for the new thread handle.
 * @param Flags Flags that modify the behavior of the function. This can be a combination of the following flags:
 * - THREAD_GET_NEXT_FLAGS_PREVIOUS_THREAD (0x00000001): Retrieve the previous thread in the process.
 * @param NewThreadHandle A pointer to a variable that receives the handle to the next thread.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNextThread(
    _In_ HANDLE ProcessHandle,
    _In_opt_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewThreadHandle
    );

#endif
#endif
#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwGetNextThread(
    _In_ HANDLE ProcessHandle,
    _In_opt_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewThreadHandle
    );

#endif


This function allows iterating over threads in a process without incurring any race conditions inherent to enumerating or opening threads by ID. Call this function repeatedly to open threads one by one.

Parameters

Access masks

For the list of thread-specific access masks, see NtOpenThread.

Notable return values

Remarks

NtGetNextThread automatically skips inaccessible threads. In other words, it only enumerates threads for which it can return handles with the specified desired access. However, if no thread satisfies this criterion at the start of enumeration (when the input handle is NULL), the function returns the corresponding error (usually STATUS_ACCESS_DENIED) instead of STATUS_NO_MORE_ENTRIES.

To avoid retaining unused resources, call NtClose to close the returned handles when they are no longer required.

This function bypasses some access checks if the caller has the SeDebugPrivilege enabled.
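The enumeration loop described above, as an added example (not code from phnt or NtDoc). It takes the NtGetNextThread and NtClose entry points as function pointers, which the caller is assumed to resolve from ntdll.dll. `walk_threads`, `fake_next`, `fake_close` and `count_thread` are hypothetical names, and the `fake_*` routines are constructed stand-ins that imitate the status codes described in the remarks, so the loop can be exercised without a live process.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>                 /* NTSTATUS */
#else                                 /* stand-in types so the loop builds off Windows */
typedef void *HANDLE, **PHANDLE;
typedef int32_t NTSTATUS;
typedef uint32_t ULONG, ACCESS_MASK;
#define NTAPI
#endif
#define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001A)   /* values from ntstatus.h */
#define STATUS_ACCESS_DENIED   ((NTSTATUS)0xC0000022)

typedef NTSTATUS (NTAPI *NextThreadFn)(HANDLE, HANDLE, ACCESS_MASK, ULONG, ULONG, PHANDLE);
typedef NTSTATUS (NTAPI *CloseFn)(HANDLE);

/* Visits every thread that can be opened with `access`; closes every handle it receives. */
NTSTATUS walk_threads(NextThreadFn next, CloseFn close_h, HANDLE process,
                      ACCESS_MASK access, void (*visit)(HANDLE, void *), void *ctx)
{
    HANDLE cur = NULL, nxt = NULL;
    NTSTATUS st;
    while ((st = next(process, cur, access, 0, 0, &nxt)) >= 0) {
        if (cur) close_h(cur);        /* the previous handle only served as the cursor */
        cur = nxt;
        visit(cur, ctx);
    }
    if (cur) close_h(cur);
    /* Running off the end is the normal exit; any other status, such as
       STATUS_ACCESS_DENIED on the very first call, is passed to the caller. */
    return st == STATUS_NO_MORE_ENTRIES ? 0 : st;
}

/* Constructed stand-in for ntdll: five fake threads, 1 = openable with the requested access. */
int fake_openable[5] = {0, 1, 1, 0, 1};
int fake_open_handles = 0;            /* handles handed out and not yet closed */

NTSTATUS NTAPI fake_next(HANDLE p, HANDLE t, ACCESS_MASK a, ULONG attr, ULONG fl, PHANDLE out)
{
    (void)p; (void)a; (void)attr; (void)fl;
    for (int i = t ? (int)((int *)t - fake_openable) + 1 : 0; i < 5; i++)
        if (fake_openable[i]) { *out = &fake_openable[i]; fake_open_handles++; return 0; }
    return t ? STATUS_NO_MORE_ENTRIES : STATUS_ACCESS_DENIED;
}
NTSTATUS NTAPI fake_close(HANDLE h) { (void)h; fake_open_handles--; return 0; }
void count_thread(HANDLE h, void *ctx) { (void)h; ++*(int *)ctx; }

int main(void) { int n = 0; return walk_threads(fake_next, fake_close, NULL, 0, count_thread, &n) != 0 || n != 3; }
```

A non-zero return with no threads visited is how a caller tells "nothing was accessible with this access mask" apart from a completed enumeration.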

Related Win32 API

This functionality is not exposed in the Win32 API.

See also