NtTerminateProcess - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTPSAPI_H
//
// Processes
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
/**
* Terminates the specified process.
*
* \param ProcessHandle Optional. A handle to the process to be terminated. If this parameter is NULL, the calling process is terminated.
* \param ExitStatus The exit status to be used by the process and the process's termination status.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-zwterminateprocess
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
View code on GitHub// ntddk.h
NTSYSAPI NTSTATUS ZwTerminateProcess(
[in, optional] HANDLE ProcessHandle,
[in] NTSTATUS ExitStatus
);
View the official Windows Driver Kit DDI referenceForces the process to terminate. This function is documented in Windows Driver Kit.
ProcessHandle - an optional handle to a process granting PROCESS_TERMINATE access or the NtCurrentProcess pseudo-handle. The NULL value indicates the current process.ExitStatus - the exit code to use for the process.Note that specifying NULL as a process handle has a different semantic compared to using NtCurrentProcess. NtCurrentProcess immediately terminates the current process (without returning from the function) while NULL terminates all threads except for the calling, sets the exit status, and marks the process for self-delete. A second call to NtTerminateProcess with NULL completes termination.
To exit the current process gracefully, use RtlExitUserProcess.
Setting ExitStatus to DBG_TERMINATE_PROCESS automatically clears the process's debug object.
The process object becomes signalled after termination.
The ZwTerminateProcess routine terminates a process and all of its threads.
ProcessHandle [in, optional]A handle to the process object that represents the process to be terminated.
ExitStatus [in]An NTSTATUS value that the operating system uses as the final status for the process and each of its threads.
ZwTerminateProcess returns STATUS_SUCCESS if the operation succeeds. Additional return values include:
| Return code | Description |
|---|---|
| STATUS_OBJECT_TYPE_MISMATCH | The specified handle is not a process handle. |
| STATUS_INVALID_HANDLE | The specified handle is not valid. |
| STATUS_ACCESS_DENIED | The driver cannot access the specified process object. |
| STATUS_PROCESS_IS_TERMINATING | The specified process is already terminating. |
If the caller specifies the current process in the ProcessHandle parameter, ZwTerminateProcess does not return.
To obtain a process handle that a driver can specify for the ProcessHandle parameter, the driver can call ZwOpenProcess. The handle must be a kernel handle, a handle that can only be accessed in kernel mode. A handle is a kernel handle if it is created with the OBJ_KERNEL_HANDLE flag. For more info see InitializeObjectAttributes.
Drivers must not specify the current process if resources have not been freed from the kernel stack, because the operating system will not unwind the kernel stack for the calling thread.
If the call to this function occurs in user mode, you should use the name "NtTerminateProcess" instead of "ZwTerminateProcess".
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
Using Nt and Zw Versions of the Native System Services Routines
This function is documented in Windows Driver Kit.
If not specified, caller process is killed.