CreateProcessNotifyEx routine

The CreateProcessNotifyEx routine notifies a driver when a process is created or exits.


VOID CreateProcessNotifyEx(
  _Inout_  PEPROCESS              Process,
  _In_     HANDLE                 ProcessId,
  _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
);


Process [in, out]

A pointer to the EPROCESS structure for the process.

ProcessId [in]

The process ID of the process.

CreateInfo [in, optional]

If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.

Return value

None.



Remarks

A driver registers its CreateProcessNotifyEx routine by calling the PsSetCreateProcessNotifyRoutineEx routine.

For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

When the process exits, the CreateProcessNotifyEx routine is called just before the last thread to exit the process is destroyed.

The PS_CREATE_NOTIFY_INFO structure and the structures that it points to are guaranteed to be valid only for the duration of the callback. If the driver requires access to any information from these structures after the callback, the CreateProcessNotifyEx routine should make a copy of this information.

CreateProcessNotifyEx runs at IRQL = PASSIVE_LEVEL. During process creation, the routine runs in the context of the thread that created the new process. During process deletion, the routine runs in the context of the last exiting thread.


Process notifications are not sent for processes that are cloned.
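The callback behaviour described above, as an added example (not Microsoft sample code): it treats a NULL CreateInfo as process exit, copies the image name before returning, and fails creation through CreateInfo->CreationStatus. The PROC_RECORD store, the PathEndsWith policy and the blocked-example.exe name are hypothetical, the non-WDK typedefs are constructed stand-ins, and registration through PsSetCreateProcessNotifyRoutineEx is not shown.

```c
/* Added example. In a WDK build (/kernel defines _KERNEL_MODE) the real header is
   used; otherwise constructed stand-ins with only the members read here. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
#define VOID void
typedef void *HANDLE, *PEPROCESS;
typedef long NTSTATUS;
typedef unsigned short USHORT, WCHAR;
typedef struct { USHORT Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct { const UNICODE_STRING *ImageFileName; NTSTATUS CreationStatus; }
    PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#endif

#define IMG_MAX 260
typedef struct { HANDLE Pid; USHORT Chars; WCHAR Image[IMG_MAX]; } PROC_RECORD;
static PROC_RECORD g_LastCreate; /* hypothetical store; a real driver needs a locked table */
static HANDLE g_LastExit;

/* Hypothetical deny policy: ASCII case-insensitive match on the end of the path. */
static int PathEndsWith(const UNICODE_STRING *s, const char *suffix)
{
    USHORT n = 0, i, len = (USHORT)(s->Length / sizeof(WCHAR));
    while (suffix[n]) n++;
    if (n > len) return 0;
    for (i = 0; i < n; i++) {
        WCHAR c = s->Buffer[len - n + i];
        if (c >= 'A' && c <= 'Z') c = (WCHAR)(c + 32);
        if (c != (WCHAR)suffix[i]) return 0;
    }
    return 1;
}

VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    const UNICODE_STRING *img;
    USHORT i, chars;
    (void)Process;
    if (CreateInfo == NULL) { g_LastExit = ProcessId; return; } /* process is exiting */
    g_LastCreate.Pid = ProcessId; g_LastCreate.Chars = 0;
    img = CreateInfo->ImageFileName;
    if (img == NULL || img->Buffer == NULL) return;   /* no name to copy or check */
    /* CreateInfo is valid only during this call: copy, truncating to the buffer. */
    chars = (USHORT)(img->Length / sizeof(WCHAR));
    if (chars > IMG_MAX) chars = IMG_MAX;
    for (i = 0; i < chars; i++) g_LastCreate.Image[i] = img->Buffer[i];
    g_LastCreate.Chars = chars;
    if (PathEndsWith(img, "\\blocked-example.exe"))   /* constructed name */
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED; /* process creation fails */
}
```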



Requirements

Target platform

Version: Available starting with Windows Server 2008 and Windows Vista with SP1.

Header: Ntddk.h (include Ntddk.h or Ntifs.h)

IRQL: Called at PASSIVE_LEVEL (see Remarks section).
