Windows Driver Kit: Kernel-Mode Driver Architecture
PsSetCreateProcessNotifyRoutineEx
The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.
NTSTATUS
PsSetCreateProcessNotifyRoutineEx(
IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
IN BOOLEAN Remove
);
Parameters
- NotifyRoutine
- A pointer to the CreateProcessNotifyEx routine to register or remove. The operating system calls this routine whenever a new process is created.
- Remove
- A Boolean value that specifies whether PsSetCreateProcessNotifyRoutineEx will add or remove a specified routine from the list of callback routines. If this parameter is TRUE, the specified routine is removed from the list of callback routines. If this parameter is FALSE, the specified routine is added to the list of callback routines. If Remove is TRUE, the system also waits for all in-flight callback routines to complete before returning.
Return Value
PsSetCreateProcessNotifyRoutineEx returns one of the following NTSTATUS values:
- STATUS_SUCCESS
- The specified CreateProcessNotifyEx routine is now registered with the operating system. The operating system calls this routine whenever a new process is created.
- STATUS_INVALID_PARAMETER
- The specified CreateProcessNotifyEx routine was already registered, or the operating system has reached its limit for registering process-creation callback routines.
- STATUS_ACCESS_DENIED
- The image that contains the callback routine pointer did not have IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set in its image header.
Comments
Highest-level drivers can call PsSetCreateProcessNotifyRoutineEx to register a CreateProcessNotifyEx routine. An installable file system (IFS) or highest-level system-profiling driver might register a process-creation callback routine to track which processes are created and deleted against the driver’s internal state across the system.
A driver must remove any callback routines that it registers before it unloads. You can remove the callback routine by calling PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE.
The driver's process-notify routine runs at IRQL = PASSIVE_LEVEL. When a process is created, the process-notify routine runs in the context of the thread that created the new process. When a process is deleted, the process-notify routine runs in the context of the last thread to exit from the process.
Requirements
Versions: Available in Windows Vista with Service Pack 1 (SP1), Windows Server 2008, and later versions of the Windows operating system.
IRQL: PASSIVE_LEVEL
Headers: Declared in Ntddk.h. Include Ntddk.h.
See Also
CreateProcessNotifyEx, PS_CREATE_NOTIFY_INFO, PsSetCreateProcessNotifyRoutine