[Windows] Cannot resume process suspended by another program

[ogurets]

If an app like Process Explorer suspends the process, psutil cannot resume it because it operates on threads.
I've rewritten psutil_proc_suspend_or_resume routine using ntdll functions as it is the only method I found for my WinXP OS. And I guess the guys from SysInternals are doing it the same way.

The patch is here - ogurets@9e81231
Anyone willing to test it out on Windows 7, 8 or 10?

[giampaolo]

Mmm... interesting. Some questions / considerations:

1. What do you mean by "psutil cannot resume processes"? What happens when you do it (error?)?
2. NtSuspendProcess and NtResumeProcess are not documented hence unofficial - not sure how big of a problem this actually is.
3. It seems there are at least 3 methods to achieve process suspend/resume. See here and here. These 2 links point out the risks of using the current method based on thread suspension/resumption (which I wasn't aware of). As such it could be desirable to change it. Point is figuring out what's the better method to use amongst those 3
4. how are you using psutil on Windows XP? What version is it? Last thing I knew about Windows XP support in psutil was that the binary wheels didn't work (because are compiled on Windows 7) but compiling from sources did. I recently committed some code (PR #(Windows) use PROCESS_QUERY_LIMITED_INFORMATION access rights #1376) which should definitively break win XP support but perhaps I may consider adding a workaround if psutil still (kind of) works on Win XP.

[ogurets]

1. The process stays suspended without any errors. Looks like the process has it's own "pause" flag, which overrides the threads' flags. I.e. if the process is "suspended", but threads are "running", nothing is actually running.
   Suppose we have a busy process with 4 threads, consuming 100% of a 4-core CPU. It's started by conventional means and is running freely. Then:

   • Process suspended with Process Explorer (CPU usage 100%->0%), resumed with psutil - nothing happens (CPU usage 0%).
   • Suspended with psutil (CPU usage 100%->0%), resumed with psutil (usage 0%->100%).
   • Not sure what happens if suspended with psutil and resumed with Process Explorer. I vaguely remember that it still works.

2. Oh yes, thought about that too.
   However one strong reason is - SysInternals use them in their product. I really respect these guys and suppose they know what they were doing.
   And another reason would be the confirmed support of these functions in all Windows versions from XP and higher. Would mean that these undocumented routines are actually more persistent and compatible than a lot of their documented counterparts, which became obsolete and unsupported already.

3. I would reject "debug" method right away because:

   1. Some (if not many) programs utilize anti-debugging techniques, which would become angry and most likely immediately crash.
   2. We wouldn't be able to resume programs suspended by other methods.
   3. Debugging requires considerably higher privilege level, which is not always available.

   Which leaves us with threads, ntdll API and a mixed approach of using ntdll functions when they're available and threading API otherwise.

4. I've built 5.4.8 from sources with MSVC 2010. Surprisingly easy build. Didn't even have to patch or configure anything.
   Tried master branch, it builds too! #if (_WIN32_WINNT >= 0x0600) clause does it's job. Some of your contributors are probably using WinXP too, such portability is hard to achieve blindly.

[giampaolo]

OK, then it seems it make sense to implement it by using NtSuspendProcess and NtResumeProcess. Could you make a PR?

As for Win XP, I thought #1376 broke support because PROCESS_QUERY_LIMITED_INFORMATION is supposed to be Win Vista+ only, but you say you can compile from master so I guess that's fine (we still have XP support for the tar.gz tarball).