RtlCreateUserThread - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTRTL_H

/**
 * The RtlCreateUserThread routine creates a thread in the specified process.
 *
 * \param ProcessHandle Handle to the process in which the thread is to be created.
 * \param ThreadSecurityDescriptor Optional pointer to a security descriptor for the new thread. If NULL, the thread gets a default security descriptor.
 * \param CreateSuspended If TRUE, the thread is created in a suspended state and must be resumed explicitly. If FALSE, the thread starts running immediately.
 * \param ZeroBits Optional number of high-order address bits that must be zero in the stack's base address. Usually set to 0.
 * \param MaximumStackSize Optional maximum size, in bytes, of the stack for the new thread. If 0, the default size is used.
 * \param CommittedStackSize Optional initial size, in bytes, of committed stack for the new thread. If 0, the default size is used.
 * \param StartAddress Pointer to the application-defined function to be executed by the thread.
 * \param Parameter Optional pointer to a variable to be passed to the thread function.
 * \param ThreadHandle Optional pointer to a variable that receives the handle of the new thread.
 * \param ClientId Optional pointer to a CLIENT_ID structure that receives the thread and process identifiers.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateUserThread(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
    _In_ BOOLEAN CreateSuspended,
    _In_opt_ ULONG ZeroBits,
    _In_opt_ SIZE_T MaximumStackSize,
    _In_opt_ SIZE_T CommittedStackSize,
    _In_ PUSER_THREAD_START_ROUTINE StartAddress,
    _In_opt_ PVOID Parameter,
    _Out_opt_ PHANDLE ThreadHandle,
    _Out_opt_ PCLIENT_ID ClientId
    );

#endif


NtDoc

Creates a new thread in the specified process.

Parameters

Remarks

To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.

Implementation details

This function is a wrapper over NtCreateThreadEx.

Related Win32 API

See also

NTinternals.net (undocumented.ntinternals.net)

StackZeroBits

Number of high-order address bits that must be clear when allocating the thread stack. See INITIAL_TEB.

StartAddress

Thread start routine address.

Documented by

See also