PCREATE_PROCESS_NOTIFY_ROUTINE_EX - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
// ntddk.h

PCREATE_PROCESS_NOTIFY_ROUTINE_EX PcreateProcessNotifyRoutineEx;

VOID PcreateProcessNotifyRoutineEx(
  [_Inout_]           PEPROCESS Process,
  [in]                HANDLE ProcessId,
  [in, out, optional] PPS_CREATE_NOTIFY_INFO CreateInfo
)
{...}


NtDoc

No description available.

Windows Driver Kit DDI reference (nc-ntddk-pcreate_process_notify_routine_ex)

PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback function

Description

A callback routine implemented by a driver to notify the caller when a process is created or exits.

Warning: The actions that you can perform in this routine are restricted for safe calls. See Best Practices.

Parameters

Process [_Inout_]

A pointer to the EPROCESS structure that represents the process. Drivers can use the PsGetCurrentProcess and ObReferenceObjectByHandle routines to obtain a pointer to the EPROCESS structure for a process.

ProcessId [in]

The process ID of the process.

CreateInfo [in, out, optional]

A pointer to a PS_CREATE_NOTIFY_INFO structure that contains information about the new process. If this parameter is NULL, the specified process is exiting.

Remarks

Highest-level drivers call PsSetCreateProcessNotifyRoutineEx to register their implementation of the PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine. An installable file system (IFS) or highest-level system-profiling driver might register a process-creation callback routine to track system-wide process creation and deletion against the driver's internal state.
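The following is an added example, not code from NtDoc or the WDK: a user-mode model of a routine with this callback's parameters that tracks process creation and exit in a table, including exits for processes that started before the driver registered. The typedefs are reduced stand-ins for the ntddk.h types, and ProcessNotifyEx, TrackedParent, the table and the counters are hypothetical names; in a driver the routine would be registered with PsSetCreateProcessNotifyRoutineEx and the table protected by a lock, because notifications can arrive concurrently.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins (assumptions) for the ntddk.h types, so this builds without the WDK. */
typedef void *PEPROCESS;
typedef void *HANDLE;
typedef struct { HANDLE ParentProcessId; } PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

#define MAX_TRACKED 4                        /* small on purpose, to show the full-table path */
typedef struct { HANDLE Pid, ParentPid; int InUse; } TRACKED_PROCESS;

static TRACKED_PROCESS g_Table[MAX_TRACKED]; /* the driver's internal state */
unsigned g_UnknownExits;  /* exits for processes that predate registration */
unsigned g_Dropped;       /* creations not recorded because the table was full */

/* Return the in-use entry for Pid, or (when WantFree) the first free entry. */
static TRACKED_PROCESS *FindSlot(HANDLE Pid, int WantFree)
{
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (WantFree ? !g_Table[i].InUse : (g_Table[i].InUse && g_Table[i].Pid == Pid))
            return &g_Table[i];
    }
    return NULL;
}

/* Same parameters as PCREATE_PROCESS_NOTIFY_ROUTINE_EX. */
void ProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    TRACKED_PROCESS *slot = FindSlot(ProcessId, 0);
    (void)Process;
    if (CreateInfo == NULL) {                /* NULL: the process is exiting */
        if (slot != NULL) slot->InUse = 0;
        else g_UnknownExits++;
        return;
    }
    /* Non-NULL: creation. Reuse a stale entry for this PID if one exists. */
    if (slot == NULL) slot = FindSlot(ProcessId, 1);
    if (slot == NULL) { g_Dropped++; return; }
    slot->Pid = ProcessId;
    slot->ParentPid = CreateInfo->ParentProcessId;
    slot->InUse = 1;
}

/* Parent PID recorded for a tracked process, or NULL if it is not tracked. */
HANDLE TrackedParent(HANDLE Pid)
{
    TRACKED_PROCESS *slot = FindSlot(Pid, 0);
    return slot ? slot->ParentPid : NULL;
}
```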

See also

PsSetCreateProcessNotifyRoutineEx

PsSetCreateProcessNotifyRoutineEx2