PCREATE_PROCESS_NOTIFY_ROUTINE callback function (ntddk.h)
Process-creation callback implemented by a driver to track the system-wide creation and deletion of processes against the driver's internal state.
Warning
The actions that you can perform in this routine are restricted for safe calls. See Best Practices.
Syntax
PCREATE_PROCESS_NOTIFY_ROUTINE PcreateProcessNotifyRoutine;
void PcreateProcessNotifyRoutine(
[in] HANDLE ParentId,
[in] HANDLE ProcessId,
[in] BOOLEAN Create
)
{...}
Parameters
[in] ParentId
The process ID of the parent process.
[in] ProcessId
The process ID of the process.
[in] Create
Indicates whether the process was created (TRUE) or deleted (FALSE).
Return value
None
Remarks
Highest-level drivers call PsSetCreateProcessNotifyRoutine to register their process-creation notify routines.
A driver's process-notify routine is also called with Create set to FALSE, typically when the last thread within a process has terminated and the process address space is about to be deleted.
The operating system calls the driver's process-notify routine at PASSIVE_LEVEL inside a critical region with normal kernel APCs disabled. When a process is created, the process-notify routine runs in the context of the thread that created the new process. When a process is deleted, the process-notify routine runs in the context of the last thread to exit from the process.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Available starting with Windows 2000. |
| Target Platform | Universal |
| Header | ntddk.h (include Ntddk.h) |
| IRQL | PASSIVE_LEVEL |
See also
PsSetCreateProcessNotifyRoutine
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for