{"id":22043,"date":"2008-06-06T10:00:00","date_gmt":"2008-06-06T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2008\/06\/06\/why-does-openprocess-succeed-even-when-i-add-three-to-the-process-id\/"},"modified":"2008-06-06T10:00:00","modified_gmt":"2008-06-06T10:00:00","slug":"why-does-openprocess-succeed-even-when-i-add-three-to-the-process-id","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20080606-00\/?p=22043","title":{"rendered":"Why does OpenProcess succeed even when I add three to the process ID?"},"content":{"rendered":"<p>A customer noticed that if you add three to a process ID and pass it to the <code>OpenProcess<\/code> function, it still succeeds. Why is that?\n Well, first of all, I need to say up front that the behavior you&#8217;re seeing is an artifact of the implementation and is not part of the contract. You&#8217;re passing intentionally invalid parameters, <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2006\/03\/20\/555511.aspx\"> what did you expect<\/a>? The context of this question is &#8220;We&#8217;re seeing this behavior and we can&#8217;t explain it,&#8221; not &#8220;We&#8217;re using this trick and want confirmation that it&#8217;s okay.&#8221;\n Now, you actually know the answer to this already.<\/p>\n<ul>\n<li>     <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2008\/02\/28\/7925962.aspx\">     Why are process and thread IDs multiples of four<\/a>? <\/li>\n<li>     <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2005\/01\/21\/358109.aspx\">     Kernel handles are always a multiple of four<\/a> <\/li>\n<\/ul>\n<p> As we saw earlier, for convenience, the Windows&nbsp;NT kernel uses the handle manager to parcel out process and thread IDs, and the handle manager ignores the bottom two bits of handles. Therefore, adding three has no effect on the process-id-to-object mapping.\n This mechanism is peculiar to kernels based on Windows&nbsp;NT. Versions of Windows derived from the Windows&nbsp;95 kernel have a different mechanism for mapping process IDs to processes, and that mechanism is <a href=\"http:\/\/www.northernattack.com\/archives\/drug-testing\/\"> unflinchingly rigid<\/a>. If you add three, the <code>OpenProcess<\/code> function will reject your process ID as invalid. And I don&#8217;t know how Windows&nbsp;CE handles it.\n Again, I wish to emphasize that the behavior you see in Windows&nbsp;NT-based kernels is just an implementation artifact which can change at any time. Who knows, maybe once they read this entry, the kernel folks will go in and change <code>OpenProcess<\/code> to be even more strict.<\/p>\n<p> <b>Pre-emptive Yuhong Bao comment<\/b>: &#8220;Process IDs on Windows&nbsp;95 are a pointer to an internal data structure XORed with a constant to obfuscate them.&#8221; <\/p>\n","protected":false},"excerpt":{"rendered":"<p>A customer noticed that if you add three to a process ID and pass it to the OpenProcess function, it still succeeds. Why is that? Well, first of all, I need to say up front that the behavior you&#8217;re seeing is an artifact of the implementation and is not part of the contract. You&#8217;re passing [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-22043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>A customer noticed that if you add three to a process ID and pass it to the OpenProcess function, it still succeeds. Why is that? Well, first of all, I need to say up front that the behavior you&#8217;re seeing is an artifact of the implementation and is not part of the contract. You&#8217;re passing [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/22043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=22043"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/22043\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=22043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=22043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=22043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}