The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.
NTKERNELAPI NTSTATUS PsSetCreateProcessNotifyRoutineEx( PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, BOOLEAN Remove );
A pointer to the PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine to register or remove. The operating system calls this routine whenever a new process is created.
A Boolean value that specifies whether PsSetCreateProcessNotifyRoutineEx will add or remove a specified routine from the list of callback routines. If this parameter is TRUE, the specified routine is removed from the list of callback routines. If this parameter is FALSE, the specified routine is added to the list of callback routines. If Remove is TRUE, the system also waits for all in-flight callback routines to complete before returning.
PsSetCreateProcessNotifyRoutineEx returns one of the following NTSTATUS values:
||The specified routine is now registered with the operating system. The operating system calls this routine whenever a new process is created.|
||The specified routine was already registered, or the operating system has reached its limit for registering process-creation callback routines.|
||The image that contains the callback routine pointer did not have IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set in its image header.|
Highest-level drivers can call PsSetCreateProcessNotifyRoutineEx to register a PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine. An installable file system (IFS) or highest-level system-profiling driver might register a process-creation callback routine to track which processes are created and deleted against the driver's internal state across the system.
A driver must remove any callback routines that it registers before it unloads. You can remove the callback routine by calling PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE.
The operating system calls the driver's process-notify routine at PASSIVE_LEVEL inside a critical region with normal kernel APCs disabled. When a process is created, the process-notify routine runs in the context of the thread that created the new process. When a process is deleted, the process-notify routine runs in the context of the last thread to exit from the process.
|Windows version||Available starting with Windows Vista with SP1 and Windows Server 2008.|
|Header||ntddk.h (include Ntddk.h)|
|DDI compliance rules||PowerIrpDDis, HwStorPortProhibitedDDIs|