Thread Start Address RRS feed

  • Question

  • I notice that Process Explorer's Thread window contains a "Start Addres" column.  I've tried to calculate this with my own win32 code.  Found several articles that reference info available through performance counters.  I've found that Process Explorer's Thread window reports different addresses than those stored in the Thread perf counter titled "Start Address" which seems to always be in kernel32 DLL. 

    Can someone explain what Process Exporer is doing differently to give the real (and useful) start address?

    Wednesday, October 26, 2005 7:20 AM

All replies

  • For threads created by the Windows CreateThread function, Process Explorer displays the function passed to CreateThread, not the actual thread start function. That is because all Windows threads start at a common thread startup wrapper function (RtlUserThreadStart in Ntdll.dll). If Process Explorer showed the actual start address, most threads in processes would appear to have started at the same address, which would not be helpful in trying to understand what code the thread was executing. However, if Process Explorer can’t query the user-defined startup address (such as in the case of a protected process), it will show the wrapper function, so you will see all threads starting at RtlUserThreadStart.
    Thursday, May 16, 2019 3:52 PM