I noticed in a PsSetCreateProcessNotifyRoutineEx callback routine parameter, the PPS_CREATE_NOTIFY_INFO pointer offers what seems to be two distinct ways to determine the parent process.
Is there some difference between the two? If so, what? Indeed the MSDN documentation states this:
"Note that the parent process is not necessarily the same process as the process that created the new process." for the ParentProcessId field, but what does that mean exactly? Under what circumstances?