<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi all,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>About a month ago I've made a question in the ML regarding the contents of the CR3 register and how the value of this register change when different processes/threads are executed.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>One of the conclusions of the conversation we had was that when kernel threads are executed, the CR3 register keeps the value of the process under which the kernel thread is executed (which is the previously executed process). That is, the kernel thread “borrows” the page-table of the previously executed process for executing.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The problem is that by looking *only* at the CR3 register, we can’t really tell if the user process in which the CR3 value corresponds to (each process is assigned a unique PGD value which results to a unique CR3 value) *or* a kernel-thread that uses its tables is executing.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I was wondering if any other CPU register (apart from CR3) can indicate if a user-process or a kernel thread under it (and which one) is executed. Is it possible to know such a thing *only* by looking at CPU registers?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I'll be happy to clarify any of the above.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thank you all in advance.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>John K.<o:p></o:p></p></div></body></html>