Handle kernel processes properly this time

atcuno · atcuno · commit 444305afc2cb · 2025-03-26T00:55:48.000Z
diff --git a/volatility3/framework/plugins/windows/thrdscan.py b/volatility3/framework/plugins/windows/thrdscan.py
@@ -110,13 +110,12 @@ def gather_thread_info(
             vollog.debug(f"Thread invalid address {ethread.vol.offset:#x}")
             return None
 
-        if owner_proc_pid == 4 or owner_proc.InheritedFromUniqueProcessId == 4:
-            vollog.debug(
-                f"Skipping kernel process with pid {owner_proc.InheritedFromUniqueProcessId}"
-            )
-            return None
-
-        if vads_cache is not None:
+        # don't look for VADs in kernel threads, just let them get reported with empty paths
+        if (
+            owner_proc_pid != 4
+            and owner_proc.InheritedFromUniqueProcessId != 4
+            and vads_cache is not None
+        ):
             vads = pe_symbols.PESymbols.get_vads_for_process_cache(
                 vads_cache, owner_proc
             )
