Process in status "Deleting" in SoftIce

Hello, guys !

I respect your experience and am asking you about a complex problem in my driver development.

Processes in status "Deleting" in SoftIce still remain, and this keeps happening. I have found nothing on the Internet except the 'osronline.com' forum, where you discussed it. I can assure you, there were no resources acquired, locked, waited on, etc. Also, I didn't use NTIFS. I simply attached to DiskDevice and hooked the IRPs. When I detached, processes terminated correctly, but once I attached to it again, newly loaded and exited applications remained 'Deleting'.

Please, help me to solve this. I think you can also be surprised by the same problem in the future.

With respect, Dmitry.
mailto: onelse@yahoo.com

--------------------------------
Message 1 in thread
Subject: Process in status "Deleting" in SoftIce
From: xxx@hotmail.com
Date: Mon, 12 Aug 2002 04:26:59 -0400


Hi all!

I have a question:

After I run my driver, I enter SoftIce and type the command "proc".
Every process that started after my driver was up stays in status
"Deleting".
It looks something like this:

Process    KPEB      PID  Threads  Pri  User Time  Krnl Time  Status
System     80E92838  4    32       8    00000000   00000158   Ready
sms1       FFB2AB98  19C  3        B    00000001   00000005   Idle
csrss      FFB2B020  1DC  A        D    00000032   000002F8   Ready
winlogon   80D4AA28  1F4  13       D    0000003D   0000007E   Ready
services   FFA93BF8  220  F        9    00000025   00000080   Ready
lsass      FFAA5BF8  234  15       9    00000019   00000016   Ready
svchost    FFAA0A00  2E0  7        8    00000004   00000007   Idle
svchost    FFAC1D80  314  3E       8    00000D76   000000AF   Ready
svchost    FFAF2DA8  3A4  5        8    00000001   00000003   Ready
svchost    FFB0F3C8  3C0  0        8    00000004   00000007   Ready
spoolsv    80E694F8  418  E        8    00000002   00000002   Ready
defwatch   FFADCB30  4D8  3        8    00000001   00000001   Idle
rtvscan    FFAFAB30  518  26       8    0000000E   0000001F   Ready
explorer   FFBCFAF8  7E0  C        8    000000D2   00000346   Ready
vptray     FFA89958  1C0  2        8    00000002   00000001   Ready
ctfmon     FF92E958  1C4  1        8    00000004   00000004   Ready
dbgview    .....                                              Deleting
dbgview    .....                                              Deleting
dbgview    .....                                              Deleting
MyProcess  ...                                                Deleting
MyProcess  ...                                                Deleting
MyProcess  ...                                                Deleting
*Idle      8053CB40  0    1        0    00000000   00383E43   Running

And every other process that I run will stay in the state Deleting.
These "Deleting" processes don't appear in the Task Manager or in
the Process Explorer application.

10x for your Help.

Guy.

Message 2 in thread
Subject: Re: Process in status "Deleting" in SoftIce
From: Dejan Maksimovic <xxx@alfasp.com>
Date: Mon, 12 Aug 2002 19:00:58 +0900


Simply put, you have some code waiting for the resource, or perhaps some
other stuff that stops the process from shutting down (like locked memory, but
this would cause a BSOD, not Deleting status).

Regards, Dejan.


--
Kind regards, Dejan M. www.alfasp.com
E-mail: xxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.


Message 3 in thread
Subject: Re: Process in status "Deleting" in SoftIce
From: Itai Shaham <xxx@infogateonline.com>
Date: Tue, 21 Jan 2003 11:13:24 +0200


Hi,

My guess is that you are using the undocumented PsLookupProcessByProcessId.

It seems like many developers are not aware of the fact that
PsLookupProcessByProcessId returns a referenced pointer to the
process (check PEPROCESS -0x18 before and after the call), leaving the
process in a state that SoftIce (and afaik only SoftIce detects) calls
"Deleting".

The solution would be to call ObDereferenceObject after every successful
call to PsLookupProcessByProcessId.

Itai
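
The reference-count behaviour described in the reply above, as an added example that is not part of the original thread and is not driver code. It is a simplified user-mode model: `model_lookup` and `model_dereference` are hypothetical stand-ins for PsLookupProcessByProcessId and ObDereferenceObject, and the PIDs are constructed.

```c
#include <stdio.h>
/* User-mode model (constructed): each slot stands in for one EPROCESS object. */
#define MAX_PROCS 8
typedef struct { int pid; long refs; int exited; int in_use; } proc_obj;
static proc_obj table[MAX_PROCS];

/* Process creation: the object starts with one reference held by the system. */
static proc_obj *model_create(int pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (!table[i].in_use) {
            table[i] = (proc_obj){ pid, 1, 0, 1 };
            return &table[i];
        }
    return NULL;
}

/* Stands in for ObDereferenceObject: storage is released only at zero. */
static void model_dereference(proc_obj *p) { if (--p->refs == 0) p->in_use = 0; }

/* Stands in for PsLookupProcessByProcessId: success adds one reference. */
static int model_lookup(int pid, proc_obj **out) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (table[i].in_use && !table[i].exited && table[i].pid == pid) {
            table[i].refs++;
            *out = &table[i];
            return 0;
        }
    return -1;
}

/* Process exit: the system drops its own reference. */
static void model_exit(proc_obj *p) { p->exited = 1; model_dereference(p); }

/* Run three short-lived processes past the driver; return how many objects
   have exited but are still allocated (the rows SoftIce shows as "Deleting"). */
int run_driver(int release_after_lookup) {
    int deleting = 0;
    for (int i = 0; i < MAX_PROCS; i++) table[i].in_use = 0;
    for (int pid = 100; pid < 103; pid++) {
        proc_obj *created = model_create(pid), *seen = NULL;
        if (created && model_lookup(pid, &seen) == 0 && release_after_lookup)
            model_dereference(seen);
        if (created) model_exit(created);
    }
    for (int i = 0; i < MAX_PROCS; i++) deleting += table[i].in_use && table[i].exited;
    return deleting;
}

int main(void) { printf("leak: %d, fixed: %d\n", run_driver(0), run_driver(1)); return 0; }
```

In a real driver the release belongs on every path that follows a successful lookup, including error returns.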

[10571 byte] By [Nalik] at [2007-11-19 7:04:57]