I noticed in a PsSetCreateProcessNotifyRoutineEx callback routine parameter, the PPS_CREATE_NOTIFY_INFO pointer offers what seems to be two distinct ways to determine the parent process.
Is there some difference between the two? If so, what? Indeed the MSDN documentation states this:
"Note that the parent process is not necessarily the same process as the process that created the new process. " for the ParentProcessId field, but what does that mean exactly? Under what circumstances?
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Writing WDF Drivers||25 Feb 2019||OSR Seminar Space|
|Developing Minifilters||8 April 2019||OSR Seminar Space|