
I'm digging around in my process's PEB and I came across the so-called ConsoleHandle HANDLE in the nested RTL_USER_PROCESS_PARAMETERS struct. So far, I've compared this HANDLE to the standard input, output, and error HANDLEs and the console HWND. It matches none of them and I'm at a loss for what this HANDLE is or represents.

I've also stumbled upon the fact that all these handles (minus the HWND) point to \Devices\ConDrv, so I'm also befuddled as to why CompareObjectHandles() only returns true for the pair of stdout and stderr. This makes intuitive sense from my normal understanding but now that I've found out about \Devices\ConDrv being the true backing kernel object for all these HANDLEs, I'm left wondering why this function doesn't return true in more cases.

  1. What is this unknown ConsoleHandle HANDLE? Is it the default console screen buffer? In particular, what functions can be called with this HANDLE as a parameter?
  2. If stdin, stdout, stderr, and this unknown ConsoleHandle HANDLE are all backed by \Devices\ConDrv, how come CompareObjectHandles() doesn't return true for any pairing of them? Any insight from kernel-land would be appreciated.
asked by Sir Random

  • Have you read this: [Console Handles](https://learn.microsoft.com/en-us/windows/console/console-handles) – paddy Mar 24 '22 at 04:11
  • Does this answer your question? [What is a Windows Handle?](https://stackoverflow.com/questions/902967/what-is-a-windows-handle) – 273K Mar 24 '22 at 04:13
  • I've just now parsed over the links attached. The unknown handle could possibly be the screen buffer itself as implied by the "Console Handles" link (although I seem to remember the console's stdout handle also working in the call to `SetConsoleActiveScreenBuffer`...). What interests me about this unknown HANDLE is that it's given in the process's PEB, so it has to have some notable significance, right? (especially with a name like `ConsoleHandle`) – Sir Random Mar 24 '22 at 04:24
  • The docs for [AllocConsole](https://learn.microsoft.com/en-us/windows/console/allocconsole) say "A process can be associated with only one console" - so I would say that when AllocConsole is called, a handle representing that console is stored in the PEB. – Jonathan Potter Mar 24 '22 at 04:31
  • @JonathanPotter, good point, I'm going to see if I can engineer a test to check this case. Going to be kinda silly since I'll need access to three processes' PEBs to sufficiently check (unless I'm overthinking this). – Sir Random Mar 24 '22 at 04:35
  • @JonathanPotter it seems you've got the right of it. Manipulating the *console* itself with `FreeConsole` and `AllocConsole` updates that value in the PEB. Unfortunately this means there shouldn't be any functions to call with this HANDLE as none of those functions let you pass a *console* HANDLE, only a PID. Very cool! – Sir Random Mar 24 '22 at 04:49
  • What are you actually trying to do with this handle? – David Heffernan Mar 24 '22 at 06:23
  • I know this is a bit late but I just wanted to know what the handle referred to. I like peeking into the PEB from time to time and the particular moment had me wondering what `ConsoleHandle` was. *shrug – Sir Random Jun 10 '23 at 12:47
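As an added example (not code from the question or its comments), the script below reads `ConsoleHandle` and the three standard handles out of this process's own `RTL_USER_PROCESS_PARAMETERS`, runs `CompareObjectHandles()` over every pair, and repeats the snapshot after `FreeConsole`/`AllocConsole` so the change Jonathan Potter's comment predicts can be observed directly. It assumes 32- or 64-bit CPython on Windows 10 or later; the structure layouts are the leading fields of the undocumented PEB and `RTL_USER_PROCESS_PARAMETERS` (an assumption to check against your ntdll build), and the function names `field_offsets`, `read_process_parameters` and `snapshot` are mine.

```python
import ctypes
import sys
ULONG, HANDLE = ctypes.c_uint32, ctypes.c_void_p
POINTER_SIZE = ctypes.sizeof(HANDLE)
HANDLE_FIELDS = ("ConsoleHandle", "StandardInput", "StandardOutput", "StandardError")

class RTL_USER_PROCESS_PARAMETERS(ctypes.Structure):
    # Leading fields only (undocumented struct; order as in the public ntdll headers, assumed).
    _fields_ = [("MaximumLength", ULONG), ("Length", ULONG), ("Flags", ULONG), ("DebugFlags", ULONG),
                ("ConsoleHandle", HANDLE), ("ConsoleFlags", ULONG), ("StandardInput", HANDLE),
                ("StandardOutput", HANDLE), ("StandardError", HANDLE)]

def field_offsets():  # layout check that runs anywhere; ConsoleHandle lands at 0x10 on x86 and x64
    return {name: getattr(RTL_USER_PROCESS_PARAMETERS, name).offset for name, _ in RTL_USER_PROCESS_PARAMETERS._fields_}

def read_process_parameters():
    """GetCurrentProcess -> PEB (via NtQueryInformationProcess class 0) -> ProcessParameters."""
    ntdll, k32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    k32.GetCurrentProcess.restype = HANDLE
    ntdll.NtQueryInformationProcess.argtypes = [HANDLE, ctypes.c_int, ctypes.c_void_p, ULONG, ctypes.c_void_p]
    pbi = (ctypes.c_void_p * 6)()  # PROCESS_BASIC_INFORMATION is six pointer-sized slots; [1] is PebBaseAddress
    status = ntdll.NtQueryInformationProcess(k32.GetCurrentProcess(), 0, ctypes.byref(pbi), ctypes.sizeof(pbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed with NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    # PEB: four flag bytes (padded to a pointer), Mutant, ImageBaseAddress, Ldr, then ProcessParameters at slot 4
    params_addr = ctypes.c_void_p.from_address(pbi[1] + 4 * POINTER_SIZE).value
    return RTL_USER_PROCESS_PARAMETERS.from_address(params_addr)  # our own address space: a plain cast suffices

def snapshot():
    """Raw handle values plus CompareObjectHandles() (kernelbase, Windows 10+) over every pair."""
    params = read_process_parameters()
    kb = ctypes.WinDLL("kernelbase")
    kb.CompareObjectHandles.argtypes, kb.CompareObjectHandles.restype = [HANDLE, HANDLE], ctypes.c_int
    values = {name: getattr(params, name) or 0 for name in HANDLE_FIELDS}  # None means a NULL handle
    same = {(a, b): bool(kb.CompareObjectHandles(values[a], values[b]))
            for i, a in enumerate(HANDLE_FIELDS) for b in HANDLE_FIELDS[i + 1:]}
    return values, same

def main():
    k32 = ctypes.WinDLL("kernel32")
    before = snapshot()
    k32.FreeConsole(); k32.AllocConsole()  # new console; the CRT's stdin/stdout still wrap the old, now-closed handles
    sys.stdin, sys.stdout = open("CONIN$"), open("CONOUT$", "w", buffering=1)  # rebind them to the new console
    after = snapshot()
    for label, (values, same) in (("before", before), ("after FreeConsole/AllocConsole", after)):
        print(label, {k: hex(v) for k, v in values.items()}, {f"{a}=={b}": s for (a, b), s in same.items()})
    input("press Enter to close the new console")

if __name__ == "__main__":
    main()
```

`field_offsets()` is a pure layout check and runs on any platform; everything else needs a Windows console session.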
