The PsSetCreateProcessNotifyRoutineEx2 routine registers or removes a callback routine that notifies the caller when a process is created or deleted.
```cpp
NTKERNELAPI NTSTATUS PsSetCreateProcessNotifyRoutineEx2(
  PSCREATEPROCESSNOTIFYTYPE NotifyType,
  PVOID                     NotifyInformation,
  BOOLEAN                   Remove
);
```
NotifyType [in]: A PSCREATEPROCESSNOTIFYTYPE value that indicates the type of process notification.

NotifyInformation [in]: The address of the notification information for the specified type of process notification. If NotifyType is PsCreateProcessNotifySubsystems, NotifyInformation is a PCREATE_PROCESS_NOTIFY_ROUTINE_EX that specifies the entry point of the caller-supplied process-creation callback.

Remove [in]: A Boolean value that specifies whether PsSetCreateProcessNotifyRoutineEx2 adds or removes the specified routine from the list of callback routines. If this parameter is TRUE, the specified routine is removed from the list of callback routines. If this parameter is FALSE, the specified routine is added to the list of callback routines. If Remove is TRUE, the system also waits for all in-flight callback routines to complete before returning.
PsSetCreateProcessNotifyRoutineEx2 returns one of the following NTSTATUS values:
|Return code|Description|
|---|---|
|STATUS_SUCCESS|The specified routine is now registered with the operating system. The operating system calls this routine whenever a new process is created.|
|STATUS_INVALID_PARAMETER|The specified routine was already registered, the operating system has reached its limit for registering process-creation callback routines, or NotifyType is not PsCreateProcessNotifySubsystems.|
|STATUS_ACCESS_DENIED|The image that contains the callback routine pointer does not have IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set in its image header.|
Drivers can call PsSetCreateProcessNotifyRoutineEx2 to register their process-creation notify routines.
After a driver-supplied routine is registered, it is called with the unique ID (indicated by ProcessId) of the created or deleted process. ParentId identifies the parent process of the new process (the parent used for priority, affinity, quota, token, and handle inheritance, among others) if the process was created with the inherit-handles option. If it was created without the inherit-handles option, the parent process ID is NULL.
If the Create value is TRUE, the subsystem process was created; FALSE indicates that the process was deleted.
When a process is created, the callback function is invoked just after the first thread in the process has been created. Conversely, for deletion, the function is invoked after the last thread in the process has terminated and the address space is about to be deleted. The callback may be invoked only for deletion, with no preceding creation call, when the process was created and deleted without a thread ever being created.
A driver must remove any callback function that it registers before it unloads. You can remove the callback by calling PsSetCreateProcessNotifyRoutineEx2 with Remove = TRUE.
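The registration and removal pattern described above, as an added example that is not part of this reference page or of any Microsoft sample: a driver skeleton that registers an Ex2 callback in DriverEntry, handles the create and exit notifications, and removes the callback in DriverUnload. It assumes the image is linked with /INTEGRITYCHECK (so the STATUS_ACCESS_DENIED case does not fire) and that the WDK build defines _KERNEL_MODE; outside the WDK it substitutes constructed stand-in types, a stub of the routine and the counters g_creates, g_exits and g_no_parent, which are illustrative and not WDK names.

```c
/* Added example (not from the page): a driver registering a process-creation callback with
 * PsSetCreateProcessNotifyRoutineEx2 and removing it on unload. Assumes the image is linked
 * with /INTEGRITYCHECK; outside the WDK, constructed stand-ins let the logic compile and run. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else /* constructed stand-ins for host builds; not the real WDK definitions */
#include <stddef.h>
typedef long NTSTATUS; typedef unsigned char BOOLEAN;
typedef void *HANDLE, *PVOID, *PEPROCESS, *PUNICODE_STRING;
typedef enum { PsCreateProcessNotifySubsystems = 0 } PSCREATEPROCESSNOTIFYTYPE;
typedef struct { HANDLE ParentProcessId; } PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
typedef struct _DRIVER_OBJECT { void (*DriverUnload)(struct _DRIVER_OBJECT *); } DRIVER_OBJECT, *PDRIVER_OBJECT;
#define VOID void
enum { FALSE = 0, TRUE = 1 };
#define STATUS_SUCCESS ((NTSTATUS)0L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define NT_SUCCESS(s) ((s) >= 0)
static int g_registered;                         /* stand-in: 1 while a callback is registered */
static NTSTATUS PsSetCreateProcessNotifyRoutineEx2(PSCREATEPROCESSNOTIFYTYPE t, PVOID cb, BOOLEAN rm)
{ (void)t; (void)cb; g_registered = rm ? 0 : 1; return STATUS_SUCCESS; }
static DRIVER_OBJECT g_drv;                       /* constructed driver object for host testing */
static PS_CREATE_NOTIFY_INFO g_info = { NULL };   /* constructed create notification, no parent */
#endif

static volatile long g_creates, g_exits, g_no_parent;  /* illustrative counters a monitor might keep */

/* Runs after the first thread of a new process is created (CreateInfo != NULL) or after its
 * last thread has exited (CreateInfo == NULL); an exit call without a create call can happen. */
VOID ProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    (void)Process; (void)ProcessId;
    if (CreateInfo == NULL) { g_exits++; return; }            /* process deleted */
    g_creates++;                                              /* process created */
    if (CreateInfo->ParentProcessId == NULL) g_no_parent++;   /* created without handle inheritance */
}

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;  /* Remove = TRUE also waits for in-flight callback invocations to finish */
    PsSetCreateProcessNotifyRoutineEx2(PsCreateProcessNotifySubsystems, (PVOID)ProcessNotifyCallback, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS st = PsSetCreateProcessNotifyRoutineEx2(PsCreateProcessNotifySubsystems, (PVOID)ProcessNotifyCallback, FALSE);
    (void)RegistryPath;
    if (!NT_SUCCESS(st)) return st;  /* STATUS_ACCESS_DENIED: image lacks FORCE_INTEGRITY, link with /INTEGRITYCHECK */
    DriverObject->DriverUnload = DriverUnload;  /* guarantees the callback is removed before unload */
    return STATUS_SUCCESS;
}
```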
|Requirement|Value|
|---|---|
|Windows version|Windows 10, version 1703; Windows Server 2016|
|Header|ntddk.h (include Ntddk.h)|
|DDI compliance rules|PowerIrpDDis, HwStorPortProhibitedDDIs|