The PsSetCreateThreadNotifyRoutineEx routine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted.
NTKERNELAPI NTSTATUS PsSetCreateThreadNotifyRoutineEx( PSCREATETHREADNOTIFYTYPE NotifyType, PVOID NotifyInformation );
A PSCREATETHREADNOTIFYTYPE value that indicates the type of thread notification.
Provides the address of the notification information for the specified type of thread notification.
PsSetCreateThreadNotifyRoutineEx either returns STATUS_SUCCESS or it returns STATUS_INSUFFICIENT_RESOURCES if it failed the callback registration.
Highest-level drivers can call PsSetCreateThreadNotifyRoutineEx to set up their thread-creation notify routines.
For example, an IFS or highest-level system-profiling driver might register such a thread-creation callback to track the system-wide creation and deletion of threads against the driver's internal state.
If NotifyType is PsCreateThreadNotifyNonSystem, the PsSetCreateThreadNotifyRoutineEx routine differs from PsSetCreateThreadNotifyRoutine in the context in which the callback is executed. With PsSetCreateThreadNotifyRoutine, the callback is executed on the creator thread. With PsSetCreateThreadNotifyRoutineEx, the callback is executed on the newly created thread.
A driver must remove any callback function it registers before it unloads. You can remove the callback by calling the PsRemoveCreateThreadNotifyRoutine routine.
|Windows version||Available starting with Windows 10.|
|Header||ntddk.h (include Ntddk.h)|