#ifndef _NTPSAPI_H
//
// Threads
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
/**
 * Retrieves information about the specified thread.
 *
 * \param ThreadHandle A handle to the thread.
 * \param ThreadInformationClass The type of thread information to be retrieved.
 * \param ThreadInformation A pointer to a buffer that receives the thread information.
 * \param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter.
 * \param ReturnLength An optional pointer to a variable that receives the size of the data returned.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif // (PHNT_MODE != PHNT_MODE_KERNEL)
#endif // _NTPSAPI_H
#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif // _NTZWAPI_H
// winternl.h
__kernel_entry NTSTATUS NtQueryInformationThread(
    [in] HANDLE ThreadHandle,
    [in] THREADINFOCLASS ThreadInformationClass,
    [in, out] PVOID ThreadInformation,
    [in] ULONG ThreadInformationLength,
    [out, optional] PULONG ReturnLength
);
Queries various information about the specified thread. This function is partially documented in Windows Driver Kit and Windows SDK.
ThreadHandle - a handle to the thread or the NtCurrentThread pseudo-handle. For most information classes, the handle must grant either THREAD_QUERY_INFORMATION or THREAD_QUERY_LIMITED_INFORMATION access.
ThreadInformationClass - the type of information to retrieve.
ThreadInformation - a pointer to a user-allocated buffer that receives the requested information.
ThreadInformationLength - the size of the provided buffer in bytes.
ReturnLength - an optional pointer to a variable that receives the number of bytes written when the function succeeds or the number of bytes required when the buffer is too small.
For the list of supported info classes and required thread access, see THREADINFOCLASS.
STATUS_BUFFER_TOO_SMALL and STATUS_INFO_LENGTH_MISMATCH indicate that the requested information does not fit into the provided buffer.
GetThreadInformation
GetThreadId
GetProcessIdOfThread
GetExitCodeThread
GetThreadDescription
GetThreadIOPendingFlag
GetThreadPriority
GetThreadTimes
Wow64GetThreadContext
[NtQueryInformationThread may be altered or unavailable in future versions of Windows. Applications should use the alternate functions listed in this topic.]
Retrieves information about the specified thread.
ThreadHandle
[in] A handle to the thread about which information is being requested.
ThreadInformationClass
[in] If this parameter is the ThreadIsIoPending value of the THREADINFOCLASS enumeration, the function determines whether the thread has any I/O operations pending.
Use the public function GetThreadIOPendingFlag instead to obtain this information.
If this parameter is the ThreadQuerySetWin32StartAddress value of the THREADINFOCLASS enumeration, the function returns the start address of the thread. Note that on versions of Windows prior to Windows Vista, the returned start address is only reliable before the thread starts running.
If this parameter is the ThreadSubsystemInformation value of the THREADINFOCLASS enumeration, the function retrieves a SUBSYSTEM_INFORMATION_TYPE value indicating the subsystem type of the thread. The buffer pointed to by the ThreadInformation parameter should be large enough to hold a single SUBSYSTEM_INFORMATION_TYPE enumeration.
ThreadInformation
[in, out] A pointer to a buffer in which the function writes the requested information. If ThreadIsIoPending is specified for the ThreadInformationClass parameter, this buffer must be large enough to hold a ULONG value, which indicates whether the specified thread has I/O requests pending. If this value is equal to zero, then there are no I/O operations pending; otherwise, if the value is nonzero, then the thread does have I/O operations pending.
Use the public function GetThreadIOPendingFlag instead to obtain this information.
If ThreadQuerySetWin32StartAddress is specified for the ThreadInformationClass parameter, this buffer must be large enough to hold a PVOID value, which is the start address of the thread.
ThreadInformationLength
[in] The size of the buffer pointed to by the ThreadInformation parameter, in bytes.
ReturnLength
[out, optional] A pointer to a variable in which the function returns the size of the requested information. If the function was successful, this is the size of the information written to the buffer pointed to by the ThreadInformation parameter, but if the buffer was too small, this is the minimum size of buffer required to receive the information successfully.
Returns an NTSTATUS success or error code.
The forms and significance of NTSTATUS error codes are listed in the Ntstatus.h header file available in the DDK, and are described in the DDK documentation under Kernel-Mode Driver Architecture / Design Guide / Driver Programming Techniques / Logging Errors.
The NtQueryInformationThread function is internal to the operating system and subject to change from one release of Windows to another. To maintain the compatibility of your application, it is better to use the public function previously mentioned instead.
If you do use NtQueryInformationThread, access the function through run-time dynamic linking. This gives your code an opportunity to respond gracefully if the function has been changed or removed from the operating system. Signature changes, however, may not be detectable.
This function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Ntdll.dll.
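The run-time linking and the ReturnLength handling described above, combined in an added example that is not part of the original documentation or of any Microsoft or phnt code. The names QueryThreadFn, resolve_query_thread, query_thread_info, fake_query and the ST_* macros are hypothetical; the status values are the ones from Ntstatus.h, the non-Windows typedefs are stand-ins so the retry logic can be built and checked anywhere, and GetModuleHandleW is used instead of LoadLibrary because ntdll.dll is already mapped in every process.

```c
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>              /* NTSTATUS, THREADINFOCLASS */
#else                              /* stand-in types so the logic builds off Windows */
typedef void *HANDLE, *PVOID;
typedef unsigned int ULONG, *PULONG;
typedef int NTSTATUS, THREADINFOCLASS;
#define NTAPI
#endif
#define ST_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define ST_BUFFER_TOO_SMALL     ((NTSTATUS)0xC0000023)
#define ST_PROCEDURE_NOT_FOUND  ((NTSTATUS)0xC000007A)
typedef NTSTATUS (NTAPI *QueryThreadFn)(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG);
/* Run-time lookup; NULL tells the caller to fall back to a public Win32 function. */
QueryThreadFn resolve_query_thread(void) {
    QueryThreadFn fn = NULL;
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");   /* already mapped in every process */
    if (ntdll) fn = (QueryThreadFn)(void *)GetProcAddress(ntdll, "NtQueryInformationThread");
#endif
    return fn;
}
/* Returns a malloc'd result (caller frees) or NULL on failure (*status: last NTSTATUS). */
void *query_thread_info(QueryThreadFn fn, HANDLE thread, THREADINFOCLASS cls,
                        ULONG size, ULONG *len, NTSTATUS *status) {
    void *buf = NULL;
    *status = fn ? ST_INFO_LENGTH_MISMATCH : ST_PROCEDURE_NOT_FOUND;
    for (int attempt = 0; fn && attempt < 3; attempt++) {   /* bounded retries */
        void *grown = realloc(buf, size ? size : 1);
        if (!grown) break;
        buf = grown;
        ULONG needed = 0;
        *status = fn(thread, cls, buf, size, &needed);
        if (*status >= 0) { *len = needed; return buf; }    /* success: bytes written */
        if (*status != ST_INFO_LENGTH_MISMATCH && *status != ST_BUFFER_TOO_SMALL) break;
        if (needed == 0 || needed == size) break;           /* no usable size hint: do not guess */
        size = needed;
    }
    free(buf);
    return NULL;
}
/* Constructed stand-in honouring the same contract (8-byte result), to exercise the wrapper. */
NTSTATUS NTAPI fake_query(HANDLE t, THREADINFOCLASS c, PVOID out, ULONG n, PULONG ret) {
    (void)t; (void)c;
    if (ret) *ret = 8;
    if (n < 8) return ST_INFO_LENGTH_MISMATCH;
    memset(out, 0xAB, 8);
    return 0;
}
```

On Windows, pass the result of resolve_query_thread() as fn; a NULL return from it is the cue to use the public function for that information class instead.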
This function is documented in Windows SDK.
Handle to Thread Object opened with THREAD_QUERY_INFORMATION access.
Information class defined in THREAD_INFORMATION_CLASS enumerated type.
Caller's allocated buffer for results.
Length of buffer, in bytes.
Optional pointer to required buffer length.
See THREAD_INFORMATION_CLASS for more information.
NtSetInformationThread
THREAD_INFORMATION_CLASS