PCREATE_THREAD_NOTIFY_ROUTINE - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
// ntddk.h

PCREATE_THREAD_NOTIFY_ROUTINE PcreateThreadNotifyRoutine;

VOID PcreateThreadNotifyRoutine(
  [in] HANDLE ProcessId,
  [in] HANDLE ThreadId,
  [in] BOOLEAN Create
)
{...}

View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nc-ntddk-pcreate_thread_notify_routine)

PCREATE_THREAD_NOTIFY_ROUTINE callback function

Description

A callback routine implemented by a driver to notify the caller when a thread is created or deleted.

[!WARNING] The actions that you can perform in this routine are restricted for safe calls. See Best Practices.

Parameters

ProcessId [in]

The process ID of the process.

ThreadId [in]

The thread ID of the thread.

Create [in]

Indicates whether the thread was created (TRUE) or deleted (FALSE).

Remarks

Highest-level drivers can call PsSetCreateThreadNotifyRoutine or PsSetCreateThreadNotifyRoutineEx to register their thread-creation notify routine.

The driver's thread-notify routine runs at IRQL = PASSIVE_LEVEL or APC_LEVEL. When a thread is created, the thread-notify routine runs in the context of the thread that created the new thread. When a thread is deleted, the thread-notify routine runs in the context of this thread when the thread exits.

See also

PsSetCreateThreadNotifyRoutine

PsSetCreateThreadNotifyRoutineEx

View the official Windows Driver Kit DDI reference

Edit description on GitHub