Windows Driver Kit: Kernel-Mode Driver Architecture
PsSetCreateProcessNotifyRoutineEx
[This is preliminary documentation and subject to change.]

The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.

NTSTATUS
  PsSetCreateProcessNotifyRoutineEx(
    IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX  NotifyRoutine,
    IN BOOLEAN  Remove
    );

Parameters

NotifyRoutine
A pointer to the CreateProcessNotifyEx routine to register or remove. The operating system calls this routine whenever a new process is created.
Remove
A Boolean value that specifies whether PsSetCreateProcessNotifyRoutineEx will add or remove a specified routine from the list of callback routines. If this parameter is TRUE, the specified routine is removed from the list of callback routines. If this parameter is FALSE, the specified routine is added to the list of callback routines. If Remove is TRUE, the system also waits for all in-flight callback routines to complete before returning.

Return Value

PsSetCreateProcessNotifyRoutineEx returns one of the following NTSTATUS values:

STATUS_SUCCESS
The specified CreateProcessNotifyEx routine is now registered with the operating system. The operating system calls this routine whenever a new process is created.
STATUS_INVALID_PARAMETER
The specified CreateProcessNotifyEx routine was already registered, or the operating system has reached its limit for registering process-creation callback routines.
STATUS_ACCESS_DENIED
The image that contains the callback routine pointer did not have IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set in its image header.
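The STATUS_ACCESS_DENIED case depends on one bit in the DllCharacteristics field of the driver image's PE optional header. The user-mode C check below is an added example, not code from this documentation: the function names and the sample header are constructed for illustration, and the flag value 0x0080 and the header offsets come from the PE format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FORCE_INTEGRITY 0x0080u  /* IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* 1 = flag set, 0 = flag clear, -1 = not a well-formed PE header.
   Every offset is bounds-checked before it is read. */
int pe_has_force_integrity(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D)          /* "MZ" */
        return -1;
    uint32_t pe = rd32(img + 0x3C);                 /* e_lfanew */
    if (pe > len || len - pe < 24 + 72)             /* signature + file header + 72 bytes */
        return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    if (rd16(img + pe + 20) < 72)                   /* SizeOfOptionalHeader */
        return -1;
    uint16_t magic = rd16(img + pe + 24);           /* 0x10B = PE32, 0x20B = PE32+ */
    if (magic != 0x10B && magic != 0x20B)
        return -1;
    return (rd16(img + pe + 24 + 70) & FORCE_INTEGRITY) ? 1 : 0; /* DllCharacteristics */
}

/* Constructed sample input: a minimal PE32+ header, not a real driver. */
size_t make_sample_header(uint8_t *buf, size_t cap, uint16_t dll_characteristics)
{
    const size_t pe = 0x80, total = 0x80 + 24 + 0xF0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, 0x5A4D);                              /* "MZ" */
    wr16(buf + 0x3C, (uint16_t)pe);                 /* e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 20, 0xF0);                      /* SizeOfOptionalHeader for PE32+ */
    wr16(buf + pe + 24, 0x20B);
    wr16(buf + pe + 24 + 70, dll_characteristics);
    return total;
}

int main(void)
{
    uint8_t hdr[512];
    size_t n = make_sample_header(hdr, sizeof hdr, 0x0160);
    printf("FORCE_INTEGRITY set: %d\n", pe_has_force_integrity(hdr, n));
    return 0;
}
```

The Microsoft linker sets this bit when the driver is linked with /INTEGRITYCHECK, so a result of 0 for a driver that registers this callback points to a missing linker option.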

Comments

Highest-level drivers can call PsSetCreateProcessNotifyRoutineEx to register a CreateProcessNotifyEx routine. An installable file system (IFS) or highest-level system-profiling driver might register a process-creation callback routine to track, against the driver's internal state, which processes are created and deleted across the system.

A driver must remove any callback routines that it registers before it unloads. You can remove the callback routine by calling PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE.

Requirements

Versions: Available in Windows Vista with Service Pack 1 (SP1), Windows Server 2008, and later versions of the Windows operating system.

IRQL: PASSIVE_LEVEL

Headers: Declared in Ntddk.h. Include Ntddk.h.

See Also

CreateProcessNotifyEx, PS_CREATE_NOTIFY_INFO, PsSetCreateProcessNotifyRoutine


Built on May 20, 2009
© 2009 Microsoft Corporation. All rights reserved.