Question
Using the Win32 API it is only possible to suspend a single thread using SuspendThread(),
but not a complete process in one call.
Iterating over a process's threads and suspending them one at a time is not a good option since it may cause deadlocks and unexpected behavior.
This is supposed to be something that is possible in the kernel using a function from the DDK (whose name I don't remember).
How is it possible to expose this function to user mode?
Is there any other way to achieve this without going to the kernel?
SysInternals Process Explorer has an option to suspend a process. How does it do it?
Answer 1:
Undocumented function NtSuspendProcess in ntdll.dll sounds like what you are looking for. Sysinternals pssuspend and process explorer both make use of this.
The usual caveats about undocumented functions apply.
This answer has some more details: How can I freeze the execution of a program?
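As an added example (not code from the question or either answer), here is a PowerShell P/Invoke wrapper around the ntdll exports the answer names, as an incident responder might use to freeze a process before capturing its memory. The NtSuspendProcess/NtResumeProcess signatures (one HANDLE argument, NTSTATUS return) are assumed since the functions are undocumented; the function name Invoke-NtProcessState is my own.

```powershell
# Added example: call the undocumented NtSuspendProcess / NtResumeProcess
# exports from ntdll.dll. Signatures are assumed (HANDLE in, NTSTATUS out)
# and, being undocumented, may change between Windows versions.
$signature = @'
using System;
using System.Runtime.InteropServices;

public static class NtProc
{
    [DllImport("ntdll.dll")]
    public static extern int NtSuspendProcess(IntPtr processHandle);

    [DllImport("ntdll.dll")]
    public static extern int NtResumeProcess(IntPtr processHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $signature

# PROCESS_SUSPEND_RESUME (0x0800) is the documented access right for this
# operation; requesting only it (not PROCESS_ALL_ACCESS) keeps the handle
# least-privileged and makes the intent visible in handle-audit logs.
$PROCESS_SUSPEND_RESUME = 0x0800

function Invoke-NtProcessState {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][ValidateSet('Suspend', 'Resume')][string]$Action
    )
    $h = [NtProc]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess failed for PID $ProcessId (Win32 error $err)"
    }
    try {
        $status = if ($Action -eq 'Suspend') { [NtProc]::NtSuspendProcess($h) }
                  else                        { [NtProc]::NtResumeProcess($h) }
        # NTSTATUS: 0 is STATUS_SUCCESS; a negative value is a failure code.
        if ($status -ne 0) { throw ("Nt{0}Process returned NTSTATUS 0x{1:X8}" -f $Action, $status) }
    } finally {
        [void][NtProc]::CloseHandle($h)
    }
}

# Usage: freeze a process (e.g. before dumping its memory), then release it.
# Invoke-NtProcessState -ProcessId 1234 -Action Suspend
# Invoke-NtProcessState -ProcessId 1234 -Action Resume
```

Run from an elevated session when the target belongs to another user; a process left suspended stays frozen until NtResumeProcess is called or it is terminated.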
Answer 2:
Actually, that's exactly what MiniDumpWriteDump appears to do: it individually suspends all threads in the process (except for the calling thread) before it creates a dump.
This alone shouldn't cause a deadlock or unexpected behaviour, although obviously it's probably best to do this from a separate process.
Source: https://stackoverflow.com/questions/7242384/windows-atomically-suspend-an-entire-process