PsSetCreateProcessNotifyRoutineEx function (ntddk.h)

The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.

Syntax

NTSTATUS PsSetCreateProcessNotifyRoutineEx(
  [in] PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
  [in] BOOLEAN                           Remove
);

Parameters

[in] NotifyRoutine

A pointer to the PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine to register or remove. The operating system calls this routine whenever a new process is created.

[in] Remove

A Boolean value that specifies whether PsSetCreateProcessNotifyRoutineEx will add or remove a specified routine from the list of callback routines. If this parameter is TRUE, the specified routine is removed from the list of callback routines. If this parameter is FALSE, the specified routine is added to the list of callback routines. If Remove is TRUE, the system also waits for all in-flight callback routines to complete before returning.

Return value

PsSetCreateProcessNotifyRoutineEx returns one of the following NTSTATUS values:

Return code: Description
STATUS_SUCCESS: The specified routine is now registered with the operating system. The operating system calls this routine whenever a new process is created.
STATUS_INVALID_PARAMETER: The specified routine was already registered, or the operating system has reached its limit for registering process-creation callback routines.
STATUS_ACCESS_DENIED: The image that contains the callback routine pointer did not have IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set in its image header.
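
A build-time check for the STATUS_ACCESS_DENIED case above, as an added example that is not part of the original documentation: it reads the DllCharacteristics field of a driver image's PE optional header and reports whether IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080, the flag the linker option /INTEGRITYCHECK sets) is present. The names pe_force_integrity and make_sample are hypothetical, and the sample header is constructed for the example rather than taken from a real driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FORCE_INTEGRITY 0x0080u /* IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY */

/* Read an n-byte little-endian value (n <= 4). */
static uint32_t rd_le(const unsigned char *p, int n) {
    uint32_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Returns 1 if the flag is set, 0 if clear, -1 if img is not a parsable PE image. */
int pe_force_integrity(const unsigned char *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd_le(img + 0x3C, 4);               /* e_lfanew */
    /* Need signature (4) + COFF header (20) + optional header bytes 0..71. */
    if (pe > len || len - pe < 24 + 72) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    if (rd_le(img + pe + 20, 2) < 72) return -1;      /* SizeOfOptionalHeader */
    const unsigned char *opt = img + pe + 24;
    uint32_t magic = rd_le(opt, 2);
    if (magic != 0x10B && magic != 0x20B) return -1;  /* PE32 or PE32+ */
    return (rd_le(opt + 70, 2) & FORCE_INTEGRITY) ? 1 : 0; /* DllCharacteristics */
}

/* Constructed sample: a zero-filled PE32+ header skeleton, not a real driver. */
size_t make_sample(unsigned char *buf, size_t cap, uint16_t dll_chars) {
    const size_t pe = 0x80, total = pe + 24 + 240;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (unsigned char)pe;                    /* e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 20] = 240;                               /* SizeOfOptionalHeader */
    buf[pe + 24] = 0x0B; buf[pe + 25] = 0x02;         /* magic 0x20B */
    buf[pe + 24 + 70] = (unsigned char)(dll_chars & 0xFF);
    buf[pe + 24 + 71] = (unsigned char)(dll_chars >> 8);
    return total;
}

int main(void) {
    unsigned char img[512];
    size_t n = make_sample(img, sizeof img, 0x0080);
    printf("FORCE_INTEGRITY set: %d\n", pe_force_integrity(img, n));
    return 0;
}
```

A result of 0 on a built driver image means registration of the callback would fail with STATUS_ACCESS_DENIED as described in the table above.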

Remarks

Highest-level drivers can call PsSetCreateProcessNotifyRoutineEx to register a PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine. An installable file system (IFS) or highest-level system-profiling driver might register a process-creation callback routine to track the system-wide creation and deletion of processes against the driver's internal state.

A driver must remove any callback routines that it registers before it unloads. You can remove the callback routine by calling PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE. A driver must not make this call from its implementation of the PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback routine.

The operating system calls the driver's process-notify routine at PASSIVE_LEVEL inside a critical region with normal kernel APCs disabled. When a process is created, the process-notify routine runs in the context of the thread that created the new process. When a process is deleted, the process-notify routine runs in the context of the last thread to exit from the process.

Requirements

Requirement: Value
Minimum supported client: Available starting with Windows Vista with SP1 and Windows Server 2008.
Target Platform: Universal
Header: ntddk.h (include Ntddk.h)
Library: NtosKrnl.lib
DLL: NtosKrnl.exe
IRQL: PASSIVE_LEVEL
DDI compliance rules: HwStorPortProhibitedDDIs(storport), PowerIrpDDis(wdm)

See also

PCREATE_PROCESS_NOTIFY_ROUTINE_EX

PS_CREATE_NOTIFY_INFO

PsSetCreateProcessNotifyRoutine