CreateProcessNotifyEx routine
The CreateProcessNotifyEx routine notifies a driver when a process is created or exits.
Syntax
VOID CreateProcessNotifyEx(
  _Inout_  PEPROCESS              Process,
  _In_     HANDLE                 ProcessId,
  _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
);
Parameters
Process [in, out]
A pointer to the EPROCESS structure for the process.
ProcessId [in]
The process ID of the process.
CreateInfo [in, optional]
If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.
Return value
None
Remarks
A driver registers its CreateProcessNotifyEx routine by calling the PsSetCreateProcessNotifyRoutineEx routine.
For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.
When the process exits, the CreateProcessNotifyEx routine is called just before the last thread to exit the process is destroyed.
The PS_CREATE_NOTIFY_INFO structure and the structures that it points to are guaranteed to be valid only for the duration of the callback. If the driver requires access to any information from these structures after the callback, the CreateProcessNotifyEx routine should make a copy of this information.
CreateProcessNotifyEx runs at IRQL = PASSIVE_LEVEL. During process creation, the routine runs in the context of the thread that created the new process. During process deletion, the routine runs in the context of the last exiting thread.
Note
Process notifications are not sent for processes that are cloned.
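Example
The following is an added example, not code from the original page or from the WDK. It shows the three behaviours described in Remarks: telling creation from exit by whether CreateInfo is NULL, copying the image name into driver-owned storage before the callback returns, and failing the creation through CreationStatus. The stand-in type definitions (reduced to the fields used), PROC_RECORD, g_last, kDenySuffix, DenyByPolicy and SimulateCreate are assumptions made so the logic builds outside a driver.

```c
#include <stdint.h>
#include <string.h>
#include <uchar.h>

/* Stand-ins for the WDK definitions used; in a driver, include Ntddk.h instead. */
typedef int32_t NTSTATUS; typedef void *HANDLE, *PEPROCESS; typedef char16_t WCHAR;
typedef struct { uint16_t Length, MaximumLength; const WCHAR *Buffer; } UNICODE_STRING;
typedef struct { const UNICODE_STRING *ImageFileName; NTSTATUS CreationStatus; } PS_CREATE_NOTIFY_INFO;
#define STATUS_SUCCESS       ((NTSTATUS)0)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)

#define MAX_NAME 260
typedef struct { HANDLE Pid; WCHAR Name[MAX_NAME]; uint16_t Chars; int Exited; } PROC_RECORD;
static PROC_RECORD g_last;   /* hypothetical driver-owned record of the last process seen */
static const WCHAR kDenySuffix[] = u"\\blocked.exe";   /* constructed policy value */

static int DenyByPolicy(const WCHAR *name, uint16_t chars)
{
    size_t n = sizeof(kDenySuffix) / sizeof(WCHAR) - 1;   /* exclude the terminator */
    return chars >= n && memcmp(name + chars - n, kDenySuffix, n * sizeof(WCHAR)) == 0;
}

void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PS_CREATE_NOTIFY_INFO *CreateInfo)
{
    (void)Process;
    if (CreateInfo == NULL) {                 /* NULL CreateInfo: the process is exiting */
        if (g_last.Pid == ProcessId) g_last.Exited = 1;
        return;
    }
    g_last.Pid = ProcessId; g_last.Exited = 0; g_last.Chars = 0;
    const UNICODE_STRING *img = CreateInfo->ImageFileName;
    if (img != NULL && img->Buffer != NULL) { /* copy now: not valid after we return */
        uint16_t n = (uint16_t)(img->Length / sizeof(WCHAR));   /* Length is in bytes */
        if (n > MAX_NAME) n = MAX_NAME;       /* never write past the driver's buffer */
        memcpy(g_last.Name, img->Buffer, n * sizeof(WCHAR));
        g_last.Chars = n;
    }
    if (DenyByPolicy(g_last.Name, g_last.Chars))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;   /* fails the creation */
}

/* Drives the callback with a constructed path, standing in for a process creation. */
NTSTATUS SimulateCreate(HANDLE pid, const WCHAR *path, uint16_t chars)
{
    UNICODE_STRING us = { (uint16_t)(chars * sizeof(WCHAR)), (uint16_t)(chars * sizeof(WCHAR)), path };
    PS_CREATE_NOTIFY_INFO info = { &us, STATUS_SUCCESS };
    CreateProcessNotifyEx(NULL, pid, &info);
    return info.CreationStatus;               /* us and info go out of scope here */
}
```

The suffix comparison is byte-exact to keep the example short; Windows paths are case-insensitive, so a real policy would compare accordingly, and a driver would guard the shared record with a lock because callbacks for different processes can run concurrently.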
Requirements
| Target platform | |
| Version | Available starting with Windows Server 2008 and Windows Vista with SP1. |
| Header | Ntddk.h (include Ntddk.h or Ntifs.h) |
| IRQL | Called at PASSIVE_LEVEL (see Remarks section). |
See also
PsSetCreateProcessNotifyRoutineEx