PsSetCreateThreadNotifyRoutine - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
// ntddk.h

NTSTATUS PsSetCreateThreadNotifyRoutine(
  [in] PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
);

View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-ntddk-pssetcreatethreadnotifyroutine)

Description

The PsSetCreateThreadNotifyRoutine routine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted.

Parameters

NotifyRoutine [in]

A pointer to the driver's implementation of PCREATE_THREAD_NOTIFY_ROUTINE routine.

Return value

PsSetCreateThreadNotifyRoutine either returns STATUS_SUCCESS or it returns STATUS_INSUFFICIENT_RESOURCES if it failed the callback registration.

Remarks

Highest-level drivers can call PsSetCreateThreadNotifyRoutine to set up their thread-creation notify routines, declared as follows:

VOID
(*PCREATE_THREAD_NOTIFY_ROUTINE) (
    IN HANDLE  ProcessId,
    IN HANDLE  ThreadId,
    IN BOOLEAN  Create
    );

For example, an IFS or highest-level system-profiling driver might register such a thread-creation callback to track the system-wide creation and deletion of threads against the driver's internal state.

A driver must remove any callbacks it registers before it unloads. You can remove the callback by calling the PsRemoveCreateThreadNotifyRoutine routine.

See also

PsGetCurrentProcessId

PsGetCurrentThreadId

PsIsSystemThread

PsRemoveCreateThreadNotifyRoutine

PsSetCreateProcessNotifyRoutine

PsSetLoadImageNotifyRoutine

View the official Windows Driver Kit DDI reference

Edit description on GitHub