{"id":111218,"date":"2025-05-26T07:00:00","date_gmt":"2025-05-26T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=111218"},"modified":"2025-05-26T10:50:02","modified_gmt":"2025-05-26T17:50:02","slug":"20250526-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20250526-00\/?p=111218","title":{"rendered":"Why does Enum­Process­Modules<\/CODE> report no modules on a process that was created suspended?"},"content":{"rendered":"

A customer had a test that created a process suspended, and without resuming it, they called Enum\u00adProcess\u00adModules<\/code> to see what modules are in it. The Enum\u00adProcess\u00adModules<\/code> reported no modules. Why is that? Shouldn’t it at least report the primary executable?<\/p>\n

Recall that in Windows, processes are self-loading, which means that they manage their own module list<\/a>. When the kernel creates a process, it sets the initial instruction pointer to an internal function inside ntdll.dll<\/tt>, provides information about what the new process should do (for example, the command line arguments), and then lets the process start executing. The function inside ntdll.dll<\/tt> does the work of loading all the modules, adding entries to the module list as it goes.<\/p>\n

If the process is created suspended, then it hasn’t started loading itself, which means that there is nothing in the module list.<\/p>\n

This is called out in the documentation for Enum\u00adProcess\u00adModules<\/code>:<\/p>\n

The Enum\u00adProcess\u00adModules<\/b> function is primarily designed for use by debuggers and similar applications that must extract module information from another process. If the module list in the target process is corrupted or not yet initialized<\/span>, or if the module list changes during the function call as a result of DLLs being loaded or unloaded, Enum\u00adProcess\u00adModules<\/b> may fail or return incorrect information<\/span>.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

There are no modules yet because you didn’t give them a chance to load.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-111218","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"

There are no modules yet because you didn’t give them a chance to load.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/111218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=111218"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/111218\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=111218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=111218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=111218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}