PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback function (ntddk.h)
A callback routine implemented by a driver to notify the caller when a process is created or exits.
Warning
The actions that you can perform in this routine are restricted for safe calls. See Best Practices.
Syntax
PCREATE_PROCESS_NOTIFY_ROUTINE_EX PcreateProcessNotifyRoutineEx;
void PcreateProcessNotifyRoutineEx(
[_Inout_] PEPROCESS Process,
[in] HANDLE ProcessId,
[in, out, optional] PPS_CREATE_NOTIFY_INFO CreateInfo
)
{...}
Parameters
[_Inout_] Process
A pointer to the EPROCESS structure that represents the process. Drivers can use the PsGetCurrentProcess and ObReferenceObjectByHandle routines to obtain a pointer to the EPROCESS structure for a process.
[in] ProcessId
The process ID of the process.
[in, out, optional] CreateInfo
A pointer to a PS_CREATE_NOTIFY_INFO structure that contains information about the new process. If this parameter is NULL, the specified process is exiting.
Return value
None
Remarks
Highest-level drivers call PsSetCreateProcessNotifyRoutineEx to register their implementation of PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine. An installable file system (IFS) or highest-level system-profiling driver might register a process-creation callback routine to track which processes are created and deleted against the driver's internal state across the system.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Available starting with Windows 2000. |
| Target Platform | Universal |
| Header | ntddk.h (include Ntddk.h) |
| IRQL | PASSIVE_LEVEL |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for