#ifndef _NTRTL_H
/**
* The RtlCreateUserThread routine creates a thread in the specified process.
*
* \param ProcessHandle Handle to the process in which the thread is to be created. This is either the NtCurrentProcess pseudo-handle or a handle with PROCESS_CREATE_THREAD access.
* \param ThreadSecurityDescriptor Optional pointer to a security descriptor for the new thread. If NULL, the thread gets a default security descriptor.
* \param CreateSuspended If TRUE, the thread is created in a suspended state and must be resumed explicitly (for example with NtResumeThread). If FALSE, the thread starts running immediately.
* \param ZeroBits Optional number of high-order address bits that must be zero in the stack's base address. Usually set to 0. A value larger than 32 is treated as a bit mask rather than a count.
* \param MaximumStackSize Optional maximum size, in bytes, of the stack for the new thread. The system rounds the value up to the nearest page. If 0, the default size is used.
* \param CommittedStackSize Optional initial size, in bytes, of committed stack for the new thread. The system rounds the value up to the nearest page. If 0, the default size is used.
* \param StartAddress Pointer to the application-defined function to be executed by the thread.
* \param Parameter Optional pointer to a variable to be passed to the thread function.
* \param ThreadHandle Optional pointer to a variable that receives the handle of the new thread. The caller owns the returned handle and should close it with NtClose when it is no longer required.
* \param ClientId Optional pointer to a CLIENT_ID structure that receives the thread and process identifiers.
* \return NTSTATUS Successful or errant status. Check the status before using the values written to ThreadHandle or ClientId.
* \remarks This routine is a wrapper over NtCreateThreadEx. A handle carrying PROCESS_CREATE_THREAD access lets its holder start a thread in the target process, so request that access only where it is needed.
*/
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateUserThread(
_In_ HANDLE ProcessHandle,
_In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
_In_ BOOLEAN CreateSuspended,
_In_opt_ ULONG ZeroBits,
_In_opt_ SIZE_T MaximumStackSize,
_In_opt_ SIZE_T CommittedStackSize,
_In_ PUSER_THREAD_START_ROUTINE StartAddress,
_In_opt_ PVOID Parameter,
_Out_opt_ PHANDLE ThreadHandle,
_Out_opt_ PCLIENT_ID ClientId
);
Creates a new thread in the specified process.
ProcessHandle - a handle to the process where the thread should be created. This can either be the NtCurrentProcess pseudo-handle or a handle with PROCESS_CREATE_THREAD access.
ThreadSecurityDescriptor - a security descriptor to protect the new thread with.
CreateSuspended - whether the new thread should be created in a suspended state or allowed to run immediately. When specifying TRUE, you can use NtResumeThread to resume the thread later.
ZeroBits - the number of high-order address bits that must be zero in the base address of the thread's stack. Note that when the value is larger than 32, it becomes a bit mask.
MaximumStackSize - the maximum size of the stack, in bytes. The system rounds this value up to the nearest page. If this parameter is zero, the new thread uses the default size for the executable.
CommittedStackSize - the initial size of the stack, in bytes. The system rounds this value up to the nearest page. If this parameter is zero, the new thread uses the default size for the executable.
StartAddress - the function to execute on the new thread.
Parameter - a user-provided argument to pass to the thread start routine.
ThreadHandle - an optional pointer to a variable that receives a handle to the new thread.
ClientId - an optional pointer to a variable that receives the client ID of the new thread.

To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.
This function is a wrapper over NtCreateThreadEx.
How many high-order bits must be clear when allocating the thread stack. See INITIAL_TEB.
Thread start routine address.