Overview
In Windows, a process is an executing instance of an application, and a thread is the basic unit of execution within a process. This document describes the architecture, lifecycle, and key mechanisms that govern processes and threads in modern Windows operating systems.
Process Lifecycle
- CreateProcess – Kernel creates a process object, allocates address space, and loads the executable.
- Initial Thread – The primary thread is created and starts at the process entry point.
- Execution – Threads are scheduled on CPUs and interact with system services.
- Termination – ExitProcess cleans up resources and notifies the kernel.
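```c
STARTUPINFOW si = { sizeof(si) };  // cb must hold the structure size
PROCESS_INFORMATION pi = { 0 };    // receives the new process and thread handles
// CreateProcess returns BOOL, not a handle; on success use pi.hProcess.
// Close pi.hProcess and pi.hThread with CloseHandle when finished.
BOOL ok = CreateProcessW(
    L"C:\\Windows\\System32\\notepad.exe",
    NULL, NULL, NULL, FALSE,
    0, NULL, NULL, &si, &pi);
```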
Thread Management
Threads are represented by ETHREAD structures in the kernel. Key APIs include:
- CreateThread / _beginthreadex
- TerminateThread
- SuspendThread / ResumeThread
- SetThreadPriority
```c
DWORD WINAPI Worker(LPVOID param) {
    // Thread body
    return 0;
}

HANDLE hThread = CreateThread(NULL, 0, Worker, NULL, 0, NULL);
```
Scheduling & Priorities
Windows uses a preemptive, priority‑based scheduler. Each thread has a base priority (0‑31) and a dynamic priority adjusted by the kernel.
| Priority Class | Base Priority Range |
|---|---|
| Idle | 1‑4 |
| Below Normal | 6‑9 |
| Normal | 8‑13 |
| Above Normal | 10‑13 |
| High | 13‑15 |
| Realtime | 16‑31 |
Memory Layout
A process address space is divided into regions:
- Code (Text)
- Data (Initialized & Uninitialized)
- Heap
- Stack (per thread)
- Mapped Images (DLLs)
- Reserved/Guard pages
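```c
MEMORY_BASIC_INFORMATION info;  // receives the region's base, size, state, protection and type
VirtualQueryEx(hProcess, addr, &info, sizeof(info));
```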
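Added example, not code from the original page: how the State, Type and Protect values that VirtualQueryEx reports map onto the region kinds listed above, including private executable memory, which has no backing file and is what memory triage reviews first. The `Region` struct, `RegionKind` enum, `PAGE_EXEC_ANY` mask and sample rows are assumptions made for illustration; the other constants repeat their winnt.h values so the code builds off Windows.

```c
#include <stdio.h>
/* Values as defined in winnt.h, repeated so this builds on any platform. */
#define MEM_COMMIT  0x00001000u
#define MEM_RESERVE 0x00002000u
#define MEM_FREE    0x00010000u
#define MEM_PRIVATE 0x00020000u
#define MEM_MAPPED  0x00040000u
#define MEM_IMAGE   0x01000000u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_GUARD             0x100u
#define PAGE_EXEC_ANY          0xF0u /* example-only mask: every PAGE_EXECUTE* bit */

/* Example-only stand-in for the MEMORY_BASIC_INFORMATION fields used below. */
typedef struct { unsigned State, Protect, Type; } Region;
typedef enum { R_FREE, R_RESERVED, R_GUARD, R_IMAGE, R_MAPPED, R_PRIVATE, R_PRIVATE_EXEC } RegionKind;

/* Map one queried region onto the layout categories. */
RegionKind classify_region(const Region *r) {
    if (r->State == MEM_FREE)    return R_FREE;
    if (r->State == MEM_RESERVE) return R_RESERVED;
    if (r->Protect & PAGE_GUARD) return R_GUARD;   /* e.g. stack guard page */
    if (r->Type == MEM_IMAGE)    return R_IMAGE;   /* EXE/DLL code and data */
    if (r->Type == MEM_MAPPED)   return R_MAPPED;  /* file-backed data view */
    /* Private: heap, stacks, VirtualAlloc. Executable here means no backing file. */
    return (r->Protect & PAGE_EXEC_ANY) ? R_PRIVATE_EXEC : R_PRIVATE;
}

/* Constructed sample rows, not captured from a real process. */
const Region SAMPLE[] = {
    { MEM_COMMIT,  PAGE_EXECUTE_READ,           MEM_IMAGE   }, /* code section */
    { MEM_COMMIT,  PAGE_READWRITE,              MEM_PRIVATE }, /* heap */
    { MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE }, /* stack guard */
    { MEM_RESERVE, 0,                           MEM_PRIVATE }, /* unused stack */
    { MEM_COMMIT,  PAGE_EXECUTE_READWRITE,      MEM_PRIVATE }, /* unbacked RWX */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Count private executable regions in a list of queried regions. */
size_t count_private_exec(const Region *rs, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += classify_region(&rs[i]) == R_PRIVATE_EXEC;
    return hits;
}

int main(void) {
    printf("private executable regions: %zu\n", count_private_exec(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

A hit is a prompt for review, not a verdict: JIT compilers allocate private executable memory legitimately.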
Common APIs
| Function | Description |
|---|---|
| OpenProcess | Obtain a handle to an existing process. |
| TerminateProcess | Force termination of a process. |
| GetProcessId | Retrieve the PID of a process handle. |
| GetCurrentProcessId | Return the PID of the calling process. |
| SetProcessAffinityMask | Restrict a process to specific CPUs. |
| CreateRemoteThread | Inject a thread into another process. |