How Task Manager displays 16-bit processes
When Microsoft made the shift from 16-bit to 32-bit, it still had to include support for the many 16-bit applications. These applications run in real mode, whereas 32-bit applications operate in protected mode. As a result, Windows had to run these legacy applications through an emulation layer (a Virtual DOS Machine [VDM]) called NTVDM. NTVDM has shipped with all 32-bit releases of Windows, but is no longer included in 64-bit Windows versions.
When a 16-bit application is launched on 32-bit Windows, NTVDM is used as a proxy application in order to launch the original application. NTVDM provides a complete virtual 8086 mode environment for the 16-bit application to run in. (In fact, all the proxied applications share a dedicated thread in NTVDM.) Since these applications are hosted internally by NTVDM, they only show up in Task Manager if the user has enabled the “Options->Show 16-bit tasks” menu option.
As can be seen in the screenshot below, two 16-bit applications (wowexec.exe and rdo001gl.exe) are hosted by ntvdm.exe on my computer. Wowexec.exe works together with ntvdm.exe to provide a 16-bit environment.
If you use Process Explorer from Sysinternals, these 16-bit processes won’t show up in the process list because they’re not considered “real” processes on a 32-bit operating system. Personally, though, I find it quite useful that I can view all the processes running on my system whether they’re 16-bit or 32-bit. It’s sort of weird if an application’s window is present in the taskbar but a corresponding process cannot be found in the process list.
So, how does Task Manager go about showing these 16-bit processes? It uses something called the Virtual DOS Manager Debug library (VDMDBG) (part of the Windows SDK), which lets you access 16-bit process information on a 32-bit operating system. For instance, VDMDBG lets you enumerate all VDMs currently running 16-bit processes (or tasks, as they’re referred to internally), or all the tasks running in a particular VDM.
Two functions are central in updating the process list view in taskmgr.exe: CProcPage::UpdateProcInfoArray and CProcPage::UpdateProcListview. The first function obtains a list of all the processes currently running on the system by calling ntdll!ZwQuerySystemInformation, then steps through each one and adds it to an internal array. The function also extracts various information about the process (image name, CPU time, etc.) and calls CProcInfo::SetData to set it internally. CProcPage::UpdateProcListview, on the other hand, is responsible for updating the GUI from the aforementioned internal process info array.
The CProcInfo::SetData function is particularly interesting because it checks to see if the current process is ntvdm.exe:
    push    offset aNtvdm_exe ; "ntvdm.exe"
    push    eax               ; wchar_t *
    call    ds:__imp___wcsicmp
    test    eax, eax
    pop     ecx
    pop     ecx
    jnz     loc_100CA37
If it is, CProcInfo::SetData calls VDMDBG!VDMEnumTaskWOWEx to obtain information about the 16-bit processes currently being hosted by ntvdm.exe. The second parameter to the function is a pointer to a callback function, which is set to CProcPage::WowTaskCallback.
In the screenshot above of Task Manager, ntvdm.exe hosted two 16-bit applications, wowexec.exe and rdo001gl.exe. On my computer, we therefore expect CProcPage::WowTaskCallback to be called twice, once for each task. To verify, we can set a breakpoint in the function and take a look at the fourth and fifth parameters passed to it:
    0:000> da poi(ebp+14)
    001ae6f8  "RDO001GL"
    0:000> da poi(ebp+18)
    001ae701  "C:\PROGRA~1\BC31\BOOK\RDO001GL.E"
    001ae721  "XE"
CProcPage::WowTaskCallback calls CProcPage::SetDataWowTask to obtain information about the process, and to add it to the internal process info array alongside the 32-bit processes. However, to distinguish the two types of processes (16-bit and 32-bit), Task Manager displays the 16-bit processes as sub-processes of the ntvdm.exe process by indenting them in the process list.
That’s all there is to it.
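The flow described above (check the image name, enumerate the hosted tasks through a VDMEnumTaskWOWEx callback, list them under the host) as an added example; it is not code from the original post or from Task Manager. The names on_task, is_ntvdm, list_wow_tasks and the two structs are hypothetical, and the non-Windows branch is a constructed stand-in for VDMDBG that replays the two tasks from the article with made-up thread IDs, handles and WOWEXEC path.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <vdmdbg.h>   /* real API: link vdmdbg.lib, build as 32-bit */
#else                 /* constructed stand-in so the logic runs off Windows */
typedef uint32_t DWORD; typedef uint16_t WORD; typedef int BOOL;
typedef char *PSZ; typedef intptr_t LPARAM;
#define WINAPI
typedef BOOL (*TASKENUMPROCEX)(DWORD, WORD, WORD, PSZ, PSZ, LPARAM);
static int VDMEnumTaskWOWEx(DWORD pid, TASKENUMPROCEX fp, LPARAM lp) {
    (void)pid;        /* constructed ids; the WOWEXEC path is an assumption */
    if (fp(0x200, 0x11, 0x21, "WOWEXEC", "C:\\WINDOWS\\SYSTEM32\\WOWEXEC.EXE", lp)) return 1;
    fp(0x204, 0x12, 0x22, "RDO001GL", "C:\\PROGRA~1\\BC31\\BOOK\\RDO001GL.EXE", lp);
    return 2;
}
#endif
#define MAX_TASKS 16
struct task { DWORD tid; WORD hmod, htask; char mod[16], file[260]; };
struct task_list { int count; struct task t[MAX_TASKS]; };
static BOOL WINAPI on_task(DWORD tid, WORD hmod, WORD htask, PSZ mod, PSZ file, LPARAM lp) {
    struct task_list *l = (struct task_list *)lp;
    if (l->count == MAX_TASKS) return 1;      /* TRUE stops the enumeration */
    struct task *t = &l->t[l->count++];
    t->tid = tid; t->hmod = hmod; t->htask = htask;
    snprintf(t->mod, sizeof t->mod, "%s", mod ? mod : "");     /* 4th parameter */
    snprintf(t->file, sizeof t->file, "%s", file ? file : ""); /* 5th parameter */
    return 0;                                 /* FALSE: keep enumerating */
}
static int is_ntvdm(const char *s) {  /* narrow-string, case-insensitive compare */
    const char *ref = "ntvdm.exe";
    while (*s && tolower((unsigned char)*s) == *ref) { s++; ref++; }
    return *s == '\0' && *ref == '\0';
}
int list_wow_tasks(const char *image, DWORD pid, struct task_list *out) {
    out->count = 0;   /* tasks are only enumerated for an ntvdm.exe host */
    if (is_ntvdm(image)) VDMEnumTaskWOWEx(pid, on_task, (LPARAM)out);
    return out->count;
}
int main(int argc, char **argv) {
    struct task_list l;
    DWORD pid = argc > 1 ? (DWORD)strtoul(argv[1], NULL, 10) : 0;
    int n = list_wow_tasks("ntvdm.exe", pid, &l);
    for (int i = 0; i < n; i++)   /* indented under the host process */
        printf("    %-9s %s\n", l.t[i].mod, l.t[i].file);
    return 0;
}
```

On 32-bit Windows, pass the PID of a running ntvdm.exe as the first argument.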
About this entry
You’re currently reading “How Task Manager displays 16-bit processes,” an entry on Inside Echobit
Written by: Soren Dreijer
Published: 10.17.08 / 6pm
Category: Internals
