Updates the specified attribute in a list of attributes for process and thread creation.
```cpp
BOOL UpdateProcThreadAttribute(
  [in, out]       LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,
  [in]            DWORD                        dwFlags,
  [in]            DWORD_PTR                    Attribute,
  [in]            PVOID                        lpValue,
  [in]            SIZE_T                       cbSize,
  [out, optional] PVOID                        lpPreviousValue,
  [in, optional]  PSIZE_T                      lpReturnSize
);
```
[in, out] lpAttributeList
A pointer to an attribute list created by the InitializeProcThreadAttributeList function.
[in] dwFlags
This parameter is reserved and must be zero.
[in] Attribute
The attribute key to update in the attribute list. This parameter can be one of the following values.
Value | Meaning |
---|---|
| | The lpValue parameter is a pointer to a GROUP_AFFINITY structure that specifies the processor group affinity for the new thread. Supported in Windows 7 and newer and Windows Server 2008 R2 and newer. |
| | The lpValue parameter is a pointer to a list of handles to be inherited by the child process. These handles must be created as inheritable handles and must not include pseudo handles such as those returned by the GetCurrentProcess or GetCurrentThread function. Note if you use this attribute, pass in a value of TRUE for the bInheritHandles parameter of the CreateProcess function. |
| | The lpValue parameter is a pointer to a PROCESSOR_NUMBER structure that specifies the ideal processor for the new thread. Supported in Windows 7 and newer and Windows Server 2008 R2 and newer. |
| | The lpValue parameter is a pointer to a WORD that specifies the machine architecture of the child process. Supported in Windows 11 and newer. The WORD pointed to by lpValue can be a value listed on IMAGE FILE MACHINE CONSTANTS. |
| | The lpValue parameter is a pointer to a DWORD or DWORD64 that specifies the exploit mitigation policy for the child process. Starting in Windows 10, version 1703, this parameter can also be a pointer to a two-element DWORD64 array. The specified policy overrides the policies set for the application and the system and cannot be changed after the child process starts running. The DWORD or DWORD64 pointed to by lpValue can be one or more of the values listed in the remarks. Supported in Windows 7 and newer and Windows Server 2008 R2 and newer. |
| | The lpValue parameter is a pointer to the handle of a process to use (instead of the calling process) as the parent for the process being created. The handle for the process used must have the PROCESS_CREATE_PROCESS access right. Attributes inherited from the specified process include handles, the device map, processor affinity, priority, quotas, the process token, and job object. (Note that some attributes such as the debug port will come from the creating process, not the process specified by this handle.) |
| | The lpValue parameter is a pointer to the node number of the preferred NUMA node for the new process. Supported in Windows 7 and newer and Windows Server 2008 R2 and newer. |
| | The lpValue parameter is a pointer to a UMS_CREATE_THREAD_ATTRIBUTES structure that specifies a user-mode scheduling (UMS) thread context and a UMS completion list to associate with the thread. After the UMS thread is created, the system queues it to the specified completion list. The UMS thread runs only when an application's UMS scheduler retrieves the UMS thread from the completion list and selects it to run. For more information, see User-Mode Scheduling. Supported in Windows 7 and newer and Windows Server 2008 R2 and newer. Not supported in Windows 11 and newer (see User-Mode Scheduling). |
| | The lpValue parameter is a pointer to a SECURITY_CAPABILITIES structure that defines the security capabilities of an app container. If this attribute is set the new process will be created as an AppContainer process. Supported in Windows 8 and newer and Windows Server 2012 and newer. |
| | The lpValue parameter is a pointer to a DWORD value of PROTECTION_LEVEL_SAME. This specifies the protection level of the child process to be the same as the protection level of its parent process. Supported in Windows 8.1 and newer and Windows Server 2012 R2 and newer. |
| | The lpValue parameter is a pointer to a DWORD value that specifies the child process policy. The policy specifies whether to allow a child process to be created. For information on the possible values for the DWORD to which lpValue points, see Remarks. Supported in Windows 10 and newer and Windows Server 2016 and newer. |
| | This attribute is relevant only to win32 applications that have been converted to UWP packages by using the Desktop Bridge. The lpValue parameter is a pointer to a DWORD value that specifies the desktop app policy. The policy specifies whether descendant processes should continue to run in the desktop environment. For information about the possible values for the DWORD to which lpValue points, see Remarks. Supported in Windows 10 Version 1703 and newer and Windows Server Version 1709 and newer. |
| | The lpValue parameter is a pointer to a list of job handles to be assigned to the child process, in the order specified. Supported in Windows 10 and newer and Windows Server 2016 and newer. |
| | The lpValue parameter is a pointer to a DWORD64 value that specifies the set of optional XState features to enable for the new thread. Supported in Windows 11 and newer and Windows Server 2022 and newer. |
[in] lpValue
A pointer to the attribute value. This value must persist until the attribute list is destroyed using the DeleteProcThreadAttributeList function.
[in] cbSize
The size of the attribute value specified by the lpValue parameter.
[out, optional] lpPreviousValue
This parameter is reserved and must be NULL.
[in, optional] lpReturnSize
This parameter is reserved and must be NULL.
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
An attribute list is an opaque structure that consists of a series of key/value pairs, one for each attribute. A process can update only the attribute keys described in this topic.
The DWORD or DWORD64 pointed to by lpValue can be one or more of the following values when you specify PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY for the Attribute parameter:
The following mitigation options are available for mandatory ASLR policy:
The following mitigation options are available for heap terminate on corruption policy:
The following mitigation options are available for the bottom-up randomization policy:
The following mitigation options are available for the high-entropy bottom-up randomization policy:
The following mitigation options are available for the strict handle checking enforcement policy:
The following mitigation options are available for the Win32k system call disable policy:
The following mitigation options are available for the extension point disable policy:
The following mitigation options are available for controlling the CFG policy:
The following mitigation options are available for the dynamic code policy:
The following mitigation options are available for the binary signature policy:
The following mitigation options are available for the font loading prevention policy:
The following mitigation options are available for the image loading policy:
Windows 10, version 2004: The following values are available only in Windows 10, version 2004 or later.
Hardware-enforced Stack Protection (HSP) is a hardware-based security feature where the CPU verifies function return addresses at runtime by employing a shadow stack mechanism. For user-mode HSP, the default mode is compatibility mode, where only shadow stack violations occurring in modules that are considered compatible with shadow stacks (CETCOMPAT) are fatal. In strict mode, all shadow stack violations are fatal.
The following mitigation options are available for user-mode Hardware-enforced Stack Protection and related features:
Instruction Pointer validation:
Blocking the load of non-CETCOMPAT/non-EHCONT binaries:
Restricting certain HSP APIs used to specify security properties of dynamic code to only be callable from outside of the process:
The FSCTL system call disable policy, if enabled, prevents a process from making NtFsControlFile calls. The following mitigation options are available for the FSCTL system call disable policy:
The DWORD pointed to by lpValue can be one or more of the following values when you specify PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY for the Attribute parameter:
PROCESS_CREATION_CHILD_PROCESS_RESTRICTED 0x01
The process being created is not allowed to create child processes. This restriction becomes a property of the token under which the process runs. Note that this restriction is only effective in sandboxed applications (such as AppContainer) which ensure privileged process handles are not accessible to the process. For example, if a process restricting child process creation is able to access another process handle with PROCESS_CREATE_PROCESS or PROCESS_VM_WRITE access rights, then it may be possible to bypass the child process restriction.
PROCESS_CREATION_CHILD_PROCESS_OVERRIDE 0x02
The process being created is allowed to create a child process, if it would otherwise be restricted. You can only specify this value if the process that is creating the new process is not restricted.
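A least-privilege launch that combines two attributes described on this page, the inherited handle list and PROCESS_CREATION_CHILD_PROCESS_RESTRICTED, in one attribute list. This is an added example, not code from the original documentation; the helper name `launch_restricted` and its parameters are hypothetical, and it assumes a Windows 10 or newer SDK.

```c
/* Added example, not from the original page. Windows-only (Windows 10+ SDK);
   the #else stub exists so the file still compiles on other platforms. */
#ifdef _WIN32
#include <windows.h>

/* Hypothetical helper: start cmdline so that it inherits only the handles in
   `handles` (each must be inheritable) and is barred from creating children.
   Returns ERROR_SUCCESS or a Win32 error code. */
DWORD launch_restricted(wchar_t *cmdline, HANDLE *handles, DWORD count)
{
    STARTUPINFOEXW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    DWORD policy = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;
    DWORD attrs = count ? 2 : 1, err = ERROR_SUCCESS;
    SIZE_T size = 0;
    BOOL ready;

    if (cmdline == NULL) return ERROR_INVALID_PARAMETER;
    si.StartupInfo.cb = sizeof(si);
    InitializeProcThreadAttributeList(NULL, attrs, 0, &size);  /* size query */
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (si.lpAttributeList == NULL) return ERROR_OUTOFMEMORY;

    ready = InitializeProcThreadAttributeList(si.lpAttributeList, attrs, 0, &size);
    if (!ready ||
        !UpdateProcThreadAttribute(si.lpAttributeList, 0,
            PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY, &policy, sizeof(policy), NULL, NULL) ||
        (count && !UpdateProcThreadAttribute(si.lpAttributeList, 0,
            PROC_THREAD_ATTRIBUTE_HANDLE_LIST, handles, count * sizeof(HANDLE), NULL, NULL)) ||
        /* bInheritHandles must be TRUE whenever a handle list is supplied */
        !CreateProcessW(NULL, cmdline, NULL, NULL, count ? TRUE : FALSE,
            EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi)) {
        err = GetLastError();
    } else {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    /* policy and handles outlive the list, as required for lpValue */
    if (ready) DeleteProcThreadAttributeList(si.lpAttributeList);
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return err;
}
#else
#include <stddef.h>
/* Stub for non-Windows builds; 50 is the value of ERROR_NOT_SUPPORTED. */
unsigned long launch_restricted(wchar_t *cmdline, void **handles, unsigned long count)
{ (void)cmdline; (void)handles; (void)count; return 50UL; }
#endif
```

Because the child process restriction depends on privileged process handles staying out of the child's reach, narrowing the inherited handles in the same call removes one way such a handle could get there.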
The DWORD pointed to by lpValue can be one or more of the following values when you specify PROC_THREAD_ATTRIBUTE_DESKTOP_APP_POLICY for the Attribute parameter:
PROCESS_CREATION_DESKTOP_APP_BREAKAWAY_ENABLE_PROCESS_TREE 0x01
The process being created will create any child processes outside of the desktop app runtime environment. This behavior is the default for processes for which no policy has been set.
PROCESS_CREATION_DESKTOP_APP_BREAKAWAY_DISABLE_PROCESS_TREE 0x02
The process being created will create any child processes inside of the desktop app runtime environment. This policy is inherited by the descendant processes until it is overridden by creating a process with PROCESS_CREATION_DESKTOP_APP_BREAKAWAY_ENABLE_PROCESS_TREE.
PROCESS_CREATION_DESKTOP_APP_BREAKAWAY_OVERRIDE 0x04
The process being created will run inside the desktop app runtime environment. This policy applies only to the process being created, not its descendants.
In order to launch the child process with the same protection level as the parent, the parent process must specify the PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL attribute for the child process. This can be used for both protected and unprotected processes. For example, when this flag is used by an unprotected process, the system will launch a child process at unprotected level. The CREATE_PROTECTED_PROCESS flag must be specified in both cases.
The following example launches a child process with the same protection level as the parent process:
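```cpp
// Fragment of a larger function: ApplicationName, CommandLine, ProcessAttributes,
// ThreadAttributes, InheritHandles, Environment and CurrentDirectory are supplied
// by the caller, and the exitFunc cleanup label is defined later in that function.
DWORD Result = ERROR_SUCCESS;
DWORD ProtectionLevel = PROTECTION_LEVEL_SAME;
SIZE_T AttributeListSize;

STARTUPINFOEXW StartupInfoEx = { 0 };

// Declared before any goto so that no jump crosses its initialization.
PROCESS_INFORMATION ProcessInformation = { 0 };

StartupInfoEx.StartupInfo.cb = sizeof(StartupInfoEx);

// The first call only reports the buffer size needed for one attribute.
InitializeProcThreadAttributeList(NULL, 1, 0, &AttributeListSize);

StartupInfoEx.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST) HeapAlloc(
    GetProcessHeap(),
    0,
    AttributeListSize
    );

if (StartupInfoEx.lpAttributeList == NULL)
{
    Result = ERROR_OUTOFMEMORY;
    goto exitFunc;
}

if (InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList,
                                      1,
                                      0,
                                      &AttributeListSize) == FALSE)
{
    Result = GetLastError();
    goto exitFunc;
}

// ProtectionLevel must stay valid until the attribute list is destroyed.
if (UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList,
                              0,
                              PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL,
                              &ProtectionLevel,
                              sizeof(ProtectionLevel),
                              NULL,
                              NULL) == FALSE)
{
    Result = GetLastError();
    goto exitFunc;
}

// EXTENDED_STARTUPINFO_PRESENT tells CreateProcessW that a STARTUPINFOEXW was passed.
if (CreateProcessW(ApplicationName,
                   CommandLine,
                   ProcessAttributes,
                   ThreadAttributes,
                   InheritHandles,
                   EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS,
                   Environment,
                   CurrentDirectory,
                   (LPSTARTUPINFOW)&StartupInfoEx,
                   &ProcessInformation) == FALSE)
{
    Result = GetLastError();
    goto exitFunc;
}
```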
Requirement | Value |
---|---|
Minimum supported client | Windows Vista [desktop apps only] |
Minimum supported server | Windows Server 2008 [desktop apps only] |
Target Platform | Windows |
Header | processthreadsapi.h (include Windows.h on Windows 7, Windows Server 2008, Windows Server 2008 R2) |
Library | Kernel32.lib |
DLL | Kernel32.dll |