(no title)

A truly fast and documented solution is using PssCaptureSnapshot, it can enumerate only threads of the target process. It uses NtGetNextThread under the hood. The downside: it's only available from Windows 8.1.

Using NtGetNextThread is not only fast and available from Windows Vista, it also allows avoiding race conditions - what happens if a new thread is created after the snapshot is created? A snapshot returns thread ids, what happens if one of the threads is destroyed? What happens if the thread id is reused (unlikely but possible)? I believe all the benefits I'm getting by using NtGetNextThread are worth using an undocumented function.

See also the research that I linked in the blog post: https://github.com/diversenok/Suspending-Techniques#snapshot...