Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Difference between CreateInfo->CreatingThreadId.UniqueProcess and CreateInfo->ParentProcessId?

Greg_LindorGreg_Lindor Member Posts: 4

Hi,

I noticed in a PsSetCreateProcessNotifyRoutineEx callback routine parameter, the PPS_CREATE_NOTIFY_INFO pointer offers what seems to be two distinct ways to determine the parent process.
Is there some difference between the two? If so, what? Indeed the MSDN documentation states this:
"Note that the parent process is not necessarily the same process as the process that created the new process. " for the ParentProcessId field, but what does that mean exactly? Under what circumstances?

Comments

  • Don_BurnDon_Burn Member - All Emails Posts: 1,645
    via Email
    I haven't looked at this for a long time, but it is possible to fork a process ala UNIX. I know in this case the creating process and the parent process are not the same. There may be other cases, but it has been a long time since I went through the process create code.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,050

    If you Right Click->Run as Administrator you'll see that the two fields are different. UniqueProcess will be something like svchost.exe but ParentProcessId will be explorer.exe.

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 25 Feb 2019 OSR Seminar Space
Developing Minifilters 8 April 2019 OSR Seminar Space