When a process is created in Windows (or Unix, for that matter) it gets a system-wide unique identifier called the Process ID (PID). The same happens for every thread in the system: each thread ends up with a system-wide unique identifier, the Thread ID (TID). In Windows, PIDs and TIDs come from the same pool of identifiers. In other words, once a number is in use as the PID of a process, the same number cannot be used as the TID of another thread, and vice versa.

On 32-bit platforms PIDs/TIDs are 32-bit numbers and on 64-bit platforms they are 64-bit numbers, and they should be treated as such. When we launch Task Manager or Process Explorer on a typical system, we rarely see huge PID/TID values, even on servers that have been up for months. So how can one create a process or thread with a high PID/TID on a system? A related question is how the system picks the next PID/TID and when it reuses a PID (i.e. reassigns the PID of a dead process to a new process). Historically there have been exploits of predictable PID/TID selection in Windows.

So HighPid was born. HighPid can launch a command shell (cmd.exe), or an executable of your choice, with a high PID and/or TID (more than 2^16, or 65535). Here is a dump of all the options it supports.

HighPid Options

The logic HighPid uses is pretty simple. It launches the specified app (or cmd.exe) in a loop by calling the Win32 API CreateProcess and intentionally leaks the process and thread handles it returns. Because a PID/TID stays claimed while a handle to its object is open, this leaves a smaller and smaller pool of PID/TIDs for new processes and threads on the system, and the system is forced into higher and higher PIDs.

When the /h option is specified, HighPid creates the launched process so that it holds the leaked process and thread handles, and therefore the system keeps using high PIDs as long as the launched process is active. Once the launched process exits, the system enumerates all open handles in that process (including the leaked process and thread handles) and closes them. All the PID/TIDs claimed are then free to be reused by the system.
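To make the handle-leak mechanism concrete, here is a small C model written for this page (not HighPid's own code and not the Windows allocator) of a PID/TID table that maps slot i to ID 4*i and hands out the lowest free slot, which is an assumed policy; it shows how leaking both handles per launch pushes new IDs past 65535 and how the /h holder exiting releases them all.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Toy model of the kernel table that hands out PIDs and TIDs from one pool:
 * slot i is ID 4*i, which is why every PID/TID is a multiple of 4. Assumed
 * (a simplification, not the real allocator): the lowest free slot goes next. */
#define TABLE_SLOTS 65536            /* enough slots to cross the 16-bit line */
static unsigned char slot_used[TABLE_SLOTS];
/* Slot 0 is the idle process (ID 0), slot 1 is System (ID 4): both reserved. */
void cid_table_reset(void) {
    memset(slot_used, 0, sizeof slot_used);
    slot_used[0] = slot_used[1] = 1;
}
/* Claim one ID; -1 when the table is exhausted (cf. ERROR_NO_SYSTEM_RESOURCES). */
long cid_alloc(void) {
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return (long)(4 * i); }
    return -1;
}
/* An ID goes back to the pool only when the last handle to its object closes. */
void cid_free(long id) {
    if (id >= 8 && id % 4 == 0 && id / 4 < TABLE_SLOTS) slot_used[id / 4] = 0;
}
/* HighPid's loop: each launch takes one PID and one TID and leaks the returned
 * handles, so neither ID is freed. Records IDs in `leaked` (up to `cap`) and
 * returns the highest ID claimed. */
long highpid_simulate(int launches, long *leaked, size_t cap) {
    long max_id = 0; size_t n = 0;
    for (int i = 0; i < launches; i++) {
        long pid = cid_alloc(), tid = cid_alloc();
        if (pid < 0 || tid < 0) break;
        if (n + 2 <= cap) { leaked[n++] = pid; leaked[n++] = tid; }
        if (tid > max_id) max_id = tid;
    }
    return max_id;
}
/* The /h case: the holder exits, the kernel closes all of its handles, and
 * every claimed ID becomes reusable. */
void holder_exit(const long *leaked, size_t count) {
    for (size_t i = 0; i < count; i++) cid_free(leaked[i]);
}
int main(void) {
    static long leaked[2 * 16384];
    cid_table_reset();
    printf("highest ID: %ld\n", highpid_simulate(16384, leaked, 2 * 16384));
    holder_exit(leaked, 2 * 16384);
    printf("next ID after holder exits: %ld\n", cid_alloc());
    return 0;
}
```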

The last 2 bits of a PID/TID are always zero, making them divisible by 4. PID 0 has always been the pseudo idle process (the process that is "running" when no other process is). PID 4/8 is the System process, which hosts all kernel-mode-only threads. So on a 32-bit Vista system there are 2^30-1, or 1,073,741,823, possible IDs for user-mode processes and threads. That is a whole lot of IDs, and the system is surely going to hit hardware limitations before it gets there. To retain system stability after HighPid runs, the line was drawn at 16 bits.

If one runs HighPid (with modifications) to look for 24-bit highs, the system may not recover unless HighPid is interrupted with Ctrl+C or taskkill. CreateProcess may start to fail with ERROR_NO_SYSTEM_RESOURCES (error 1450). Understandably, HighPid would need a different design to get to those ranges. It would be an interesting challenge for sure.

PS: I have seen HighPid cause PIDs in excess of 300000 with the HDD thrashing like crazy. Your mileage may vary.


9 Responses to HighPid – A Tool To Generate High Process And Thread IDs

  1. […] I blogged about HighPid, a tool to generate high PID (process id) and TID (thread id). Although this tool […]

  2. Tap Networker says:

    Hello Satya and all
    -> Great Tool!

    I’d like to use it on XP and Windows Server 2003 for some strange undefined corba behaviour.

    However I can’t use the /g option of HighPid V2.0
    e.g. I’d like to force a PID higher than 16000 -> /g 0x3E80 or 3E80 or 0x3e80 or 3e80 doesn’t work.

    I’m always getting the following message: Create Thread failed with error 8. Handels leaked 2018 Maximum ID claimed 12824

    Even if I try a lower PID with the /g option, dec 5000 -> hex 1388, I get the same error, just the Maximum ID changes.

    Would be great to get any solution or an example of the syntax if it’s not depending on XP or Windows 2003.

    Thank You and Regards,
    Tap

  3. Satya Das says:

    Hi Tap –

    Error 8 means “Not enough storage is available to process this command”. That means most probably the machine is running out of resources before it hits pid 16000+.

    I think you should increase RAM, free hard disk space, increase page file size and minimize number of applications running on the machine by shutting down apps (especially resource intensive ones like SQL Server) that do not pertain to your run directly and then try running highpid again.

    Is this a real machine or VM ? If it is a VM, I would recommend switching to a real machine instead, if you can.

    Let me know how that goes.

  4. Tap Networker says:

    Hi Satya,

    I get this problem only with the option /g, that’s why I believe I’m wrong with the syntax or it’s on XP/W2K3

    I have tested this behaviour on the following systems:
    – Notebook (1 CPU, 1GB, XP-Prof, few apps running)
    – PC (1 CPU, 4GB, XP-Prof, few apps running)
    – PC (1 DualCore, 4GB, XP-Prof, few apps running)
    – Several Servers (4 DualCore Xeon, 16 GB, Win2003, few apps running)

    Hope You have any idea or maybe a Debug-Version?

    Greetings from Germany
    Tap

  5. Satya Das says:

    Could you try with the latest (2.1) ? Let me know if you see issues still.

  6. Hugh Moran says:

    Fascinating, there is very little published information about this subject. Knowing the kinds of limits that are likely, and why, is very helpful (for example, we do stuff that involves hashing TIDs), as was the little gem about the last two bits always being zero; all very useful for certain special algorithms.

    Thanks for a fascinating post.

  7. Tommy Schouw Rasmussen says:

    Hmm, I can’t get it to spawn PIDs over 10k; I don’t think it’s a raw resource issue, since it’s failing on a dual quad-core blade server with 4GB of memory and nothing running.

    You still working on this little gem, or did you leave it behind?

  8. Satya Das says:

    Tommy – It has not been left behind. What error code, if any, shows up in the output? What OS are you running? 64-bit? Any third-party apps installed, like antivirus?

  9. WndSks says:

    For anyone still supporting Win9x(!), it should be noted that the PID can be any 32-bit value (it’s one half of the dirty xor tricks).
