Object Retention – Object Manager

Objects can be temporary or permanent, retention of permanent objects is quite simple, they are not deleted. Temporary objects have two phrases of retention. We should understand that when a process acquires a object, the reference count (handle count + pointer count) is incremented by 1, and when that handle is closed, then the reference count is decremented by 1.

When,  the handle count of an object drops to 0, the Object Manager removes the object’s name from the global namespace, therefore stopping any new processes from opening handles to that object.

Once, the name has been removed, then the object will be only deleted, once the reference count has dropped zero, since kernel processes are able to use object with pointers, hence the reason why there is a pointer count field within the object header data structure.

The reference count is a combination of the pointer reference count and handle reference count. 

We can use the !object extension to view the above mentioned fields.

 The reference count would be 48.

It’s important to remember that objects which are using paged pool, must only be freed when the IRQL Level is below 2, since page faults will be illegal operations, and thus will cause the system to crash.


 

Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Windows Internals. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s