New thread creation API in Windows 8


The Windows 8 WDK introduces a new system-thread creation API that addresses a very common driver bug: the driver unloads while threads it created are still running, so those threads keep executing code whose image is no longer mapped. The kernel detects this situation and bug-checks the system with stop code 0xCE (DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS).

The new API, IoCreateSystemThread(), takes a device object or driver object as its first parameter (passing any other object type causes bugcheck 0x148) and takes a reference on that object before the thread starts. The I/O manager runs threads created through this API inside a wrapper, nt!IopThreadStart, which calls the driver's start routine and drops the reference once that routine returns. The device/driver object therefore holds an outstanding reference for as long as any thread created this way is executing, so the object (and with it the driver image) cannot go away underneath a running thread. Note that the API does not stop or wait for the threads: a driver still has to signal its threads to exit on unload; IoCreateSystemThread() only guarantees that the code they are running stays mapped until they actually return.

Here is an example of an SRV.sys worker thread running inside this wrapper (debugger stack, innermost frame first):

9e56fc04 8186501b 00000800 8550ce20 8550cd40 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])
9e56fc7c 819e25b9 8550cd40 8550ce20 00000000 nt!KiCommitThreadWait+0x280 (FPO: [5,23,4])
9e56fcf8 8186079c a0a21714 00000001 00000000 nt!KeRemoveQueueEx+0x28b (FPO: [6,21,4])
9e56fd1c a0a29350 a0a21714 00000001 00000000 nt!KeRemoveQueue+0x1c (FPO: [Non-Fpo])
9e56fd54 81abe5f6 00a21710 8550cd40 00000000 srv!WorkerThread+0x91 (FPO: [Non-Fpo])
9e56fd74 8186043e a0897ce8 f5bed83b 00000000 nt!IopThreadStart+0x23 (FPO: [Non-Fpo])
9e56fdb0 8196c119 81abe5d3 a0897ce8 00000000 nt!PspSystemThreadStartup+0x4a (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
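To make the lifetime rule concrete, the following is an added user-mode model of the mechanism described above; it is not Windows kernel code and not part of the original post. Every `model_`-prefixed name is a stand-in of this example, not a kernel API. It models the object-manager pointer count on a driver object, an IoCreateSystemThread()-style creation that references the object up front, an IopThreadStart-style wrapper that dereferences after the start routine returns, and a PsCreateSystemThread()-style creation that takes no reference at all. The scenarios are run single-threaded so the interleaving is deterministic: "unload while running" is modelled by having the thread body itself drop the loader's reference mid-run. The contrast between the two creation paths is the 0xCE situation versus the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a DRIVER_OBJECT/DEVICE_OBJECT with its OB pointer count. */
typedef struct model_object {
    const char *name;
    long pointer_count;   /* like OBJECT_HEADER.PointerCount */
    bool deleted;         /* set when the last reference is dropped */
} model_object;

static void model_reference(model_object *obj) { obj->pointer_count++; }

/* ObDereferenceObject stand-in: the last reference runs the delete procedure,
 * which for a driver object is where the image would be unmapped. */
static void model_dereference(model_object *obj) {
    if (--obj->pointer_count == 0)
        obj->deleted = true;
}

typedef struct worker_ctx {
    model_object *drv;
    bool unload_while_running;  /* simulate driver unload racing the thread */
    bool saw_object_alive;      /* what the thread observed at the end of its body */
} worker_ctx;

typedef void (*model_start_routine)(void *ctx);

typedef struct model_thread {
    model_object *io_object;    /* NULL when created the PsCreateSystemThread way */
    model_start_routine routine;
    void *context;
} model_thread;

/* IopUnloadDriver stand-in: DriverUnload would run here, then the loader's
 * reference on the driver object is released. Nothing waits for threads. */
static void model_unload_driver(model_object *drv) {
    model_dereference(drv);
}

/* The driver's StartRoutine in this model. */
static void model_worker(void *p) {
    worker_ctx *ctx = p;
    if (ctx->unload_while_running)
        model_unload_driver(ctx->drv);
    /* In the real kernel, executing here after an unmap is the 0xCE case. */
    ctx->saw_object_alive = !ctx->drv->deleted;
}

/* PsCreateSystemThread stand-in: no reference is taken on any object. */
static void model_ps_create_system_thread(model_thread *t,
                                          model_start_routine r, void *c) {
    t->io_object = NULL; t->routine = r; t->context = c;
}

/* IoCreateSystemThread stand-in: reference IoObject before the thread exists,
 * so there is no window in which the thread runs unreferenced. */
static bool model_io_create_system_thread(model_object *io_object, model_thread *t,
                                          model_start_routine r, void *c) {
    if (io_object == NULL) return false;  /* real API bugchecks on a bad object type */
    model_reference(io_object);
    t->io_object = io_object; t->routine = r; t->context = c;
    return true;
}

/* Thread entry: PspSystemThreadStartup -> IopThreadStart -> StartRoutine.
 * The IopThreadStart step only exists when a reference was taken. */
static void model_thread_run(model_thread *t) {
    t->routine(t->context);
    if (t->io_object != NULL)
        model_dereference(t->io_object);  /* dropped only after the routine returns */
}

typedef struct scenario_result {
    bool alive_while_running;  /* object never deleted while the thread body ran */
    bool deleted_at_end;       /* object gone once thread and unload are both done */
} scenario_result;

/* use_io_api selects the IoCreateSystemThread path over PsCreateSystemThread. */
static scenario_result run_scenario(bool use_io_api, bool unload_while_running) {
    model_object drv = { "drv.sys", 1, false };   /* 1 = the loader's own reference */
    worker_ctx ctx = { &drv, unload_while_running, false };
    model_thread t;
    if (use_io_api)
        model_io_create_system_thread(&drv, &t, model_worker, &ctx);
    else
        model_ps_create_system_thread(&t, model_worker, &ctx);
    model_thread_run(&t);
    if (!unload_while_running)
        model_unload_driver(&drv);  /* orderly case: thread exited before unload */
    scenario_result r = { ctx.saw_object_alive, drv.deleted };
    return r;
}

int main(void) {
    scenario_result ps = run_scenario(false, true);
    scenario_result io = run_scenario(true, true);
    printf("PsCreateSystemThread, unload mid-thread: object alive=%d (0xCE case)\n",
           ps.alive_while_running);
    printf("IoCreateSystemThread, unload mid-thread: object alive=%d, deleted after=%d\n",
           io.alive_while_running, io.deleted_at_end);
    return 0;
}
```

The point the model makes is about ordering, not threads: the reference is taken before the thread can run and released only by the wrapper after the start routine returns, so whichever of "thread exits" and "driver unload" happens last is the one that drops the final reference. In the PsCreateSystemThread path the unload alone can take the count to zero while the body is still executing.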