CreateProcessNotifyEx routine

The CreateProcessNotifyEx routine notifies a driver when a process is created or exits.

Syntax


VOID CreateProcessNotifyEx(
  _Inout_  PEPROCESS              Process,
  _In_     HANDLE                 ProcessId,
  _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
);

Parameters

Process [in, out]

A pointer to the EPROCESS structure for the process.

ProcessId [in]

The process ID of the process.

CreateInfo [in, optional]

If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.

Return value

None

Remarks

A driver registers its CreateProcessNotifyEx routine by calling the PsSetCreateProcessNotifyRoutineEx routine.

For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

When the process exits, the CreateProcessNotifyEx routine is called just before the last thread to exit the process is destroyed.

The PS_CREATE_NOTIFY_INFO structure and the structures that it points to are guaranteed to be valid only for the duration of the callback. If the driver requires access to any information from these structures after the callback, the CreateProcessNotifyEx routine should make a copy of this information.

CreateProcessNotifyEx runs at IRQL = PASSIVE_LEVEL. During process creation, the routine runs in the context of the thread that created the new process. During process deletion, the routine runs in the context of the last exiting thread.

Note  

Process notifications are not sent for processes that are cloned.

 

Requirements

Target platform

Version

Available starting with Windows Server 2008 and Windows Vista with SP1.

Header

Ntddk.h (include Ntddk.h or Ntifs.h)

IRQL

Called at PASSIVE_LEVEL (see Remarks section).

See also

PS_CREATE_NOTIFY_INFO
PsSetCreateProcessNotifyRoutineEx

 

 

Send comments about this topic to Microsoft

Show: