Process and Thread Manager Routines

References for the PsXxx routines are in alphabetical order.

In this section

Topic / Description

PsCreateSystemThread

The PsCreateSystemThread routine creates a system thread that executes in kernel mode and returns a handle for the thread.

PsGetCurrentProcess

The PsGetCurrentProcess routine returns a pointer to the process of the current thread.

PsGetCurrentProcessId

The PsGetCurrentProcessId routine identifies the current thread's process.

PsGetCurrentThread

The PsGetCurrentThread routine identifies the current thread.

PsGetCurrentThreadId

The PsGetCurrentThreadId routine identifies the current thread.

PsGetCurrentThreadTeb

The PsGetCurrentThreadTeb routine returns the Thread Environment Block (TEB) of the current thread. The call must be made in kernel mode.

PsGetProcessCreateTimeQuadPart

The PsGetProcessCreateTimeQuadPart routine returns a LONGLONG value that represents the time at which the process was created.

PsGetProcessId

The PsGetProcessId routine returns the process identifier (process ID) that is associated with a specified process.

PsGetVersion

This function is obsolete in Windows XP and later versions of the Windows operating system. Use RtlGetVersion instead.

PsGetVersion returns caller-selected information about the current version of the NT-based operating system.

PsIsSystemThread

The PsIsSystemThread routine checks whether a given thread is a system thread.

PsQueryTotalCycleTimeProcess

The PsQueryTotalCycleTimeProcess routine returns the accumulated cycle time for the specified process.

PsRemoveCreateThreadNotifyRoutine

The PsRemoveCreateThreadNotifyRoutine routine removes a callback routine that was registered by the PsSetCreateThreadNotifyRoutine routine.

PsRemoveLoadImageNotifyRoutine

The PsRemoveLoadImageNotifyRoutine routine removes a callback routine that was registered by the PsSetLoadImageNotifyRoutine routine.

PCREATE_PROCESS_NOTIFY_ROUTINE

Process-creation callback implemented by a driver to track the system-wide creation and deletion of processes against the driver's internal state.

PsSetCreateProcessNotifyRoutine

The PsSetCreateProcessNotifyRoutine routine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.

PCREATE_PROCESS_NOTIFY_ROUTINE_EX

A callback routine implemented by a driver to notify the caller when a process is created or exits.

PsSetCreateProcessNotifyRoutineEx

The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.

PsSetCreateProcessNotifyRoutineEx2

The PsSetCreateProcessNotifyRoutineEx2 routine registers or removes a callback routine that notifies the caller when a process is created or deleted.

PCREATE_THREAD_NOTIFY_ROUTINE

A callback routine implemented by a driver to notify the caller when a thread is created or deleted.

PsSetCreateThreadNotifyRoutine

The PsSetCreateThreadNotifyRoutine routine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted.

PsSetCreateThreadNotifyRoutineEx

The PsSetCreateThreadNotifyRoutineEx routine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted.

PLOAD_IMAGE_NOTIFY_ROUTINE

Called by the operating system to notify the driver when a driver image or a user image (for example, a DLL or EXE) is mapped into virtual memory.

PsSetLoadImageNotifyRoutine

The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

PsTerminateSystemThread

The PsTerminateSystemThread routine terminates the current system thread.

For an overview of the functionality of these routines, see Summary of Kernel-Mode Support Routines.

An additional set of process structure routines is available to file system drivers.

Best practices for implementing process and thread-related callback functions

This set of guidelines applies to these callback routines:

  • Keep notify routines short and simple.
  • Do not make calls into a user-mode service to validate the process, thread, or image.
  • Do not make registry calls.
  • Do not make blocking and/or Interprocess Communication (IPC) function calls.
  • Do not synchronize with other threads because it can lead to reentrancy deadlocks.
  • Use System Worker Threads to queue work, especially work involving:

    • Slow APIs or APIs that call into other processes.
    • Any blocking behavior which could interrupt threads in core services.
  • Be considerate of best practices for kernel-mode stack usage. For examples, see How do I keep my driver from running out of kernel-mode stack? and Key Driver Concepts and Tips.
