NtGetNextThread - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTPSAPI_H
// Processes
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_WS03)

NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNextThread(
    _In_ HANDLE ProcessHandle,
    _In_opt_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewThreadHandle
    );

#endif
#endif
#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwGetNextThread(
    _In_ HANDLE ProcessHandle,
    _In_opt_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewThreadHandle
    );

#endif

View code on GitHub

This function allows iterating over threads in a process without incurring any race conditions inherent to enumerating or opening threads by ID. Call this function repeatedly to open threads one by one.

Parameters

Access masks

For the list of thread-specific access masks, see NtOpenThread.

Notable return values

Remarks

NtGetNextThread automatically skips inaccessible threads. In other words, it only enumerates threads for which it can return handles with the specified desired access. However, if there are no threads that satisfy this criterion at the start of enumeration (when the input handle is NULL), the function returns the error accordingly (usually STATUS_ACCESS_DENIED) instead of STATUS_NO_MORE_ENTRIES.

To avoid retaining unused resources, call NtClose to close the returned handles when they are no longer required.

This function bypasses some access checks if the caller has the SeDebugPrivilege enabled.

Related Win32 API

This functionality is not exposed in Win32 API.

See also