Difference between CreateInfo->CreatingThreadId.UniqueProcess and CreateInfo->ParentProcessId?

Hi,

I noticed in a PsSetCreateProcessNotifyRoutineEx callback routine parameter, the PPS_CREATE_NOTIFY_INFO pointer offers what seems to be two distinct ways to determine the parent process.
Is there some difference between the two? If so, what? Indeed the MSDN documentation states this:
"Note that the parent process is not necessarily the same process as the process that created the new process." for the ParentProcessId field, but what does that mean exactly? Under what circumstances?

I haven’t looked at this for a long time, but it is possible to fork a process à la UNIX. I know in this case the creating process and the parent process are not the same. There may be other cases, but it has been a long time since I went through the process create code.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

If you Right Click->Run as Administrator you’ll see that the two fields are different. UniqueProcess will be something like svchost.exe but ParentProcessId will be explorer.exe.

AFAIK ParentProcessId is better described as InheritedProcessId - this is the id of the process whose user token the new process will normally inherit, to run with the user’s rights and permissions. This would be the explorer.exe shell process, in Scott’s example.

What you get in CreatingThreadId->UniqueProcessId is the pid of the thread who actually performed the creation of this new process, which is not necessarily the original requestor.

As Scott said, when you run a process as admin, Windows does UAC elevation, and delegates the creation of the new process to an svchost.exe running the AppInfo service which handles elevation for you, and creates the elevated new process, passing explorer.exe’s pid as the (original) parent.

The ParentId is the id of the process whose access token the new process will inherit (often called InheritedProcessId).

If you double click a process from the explorer.exe shell, then it will receive your user’s access token, and inherit other various settings from it, thus making it its parent.

The CreatingThread is the thread that was actually in charge of launching the new process. This could belong to another process, that was actually in charge of the new process creation. In Scott’s example that is the svchost.exe instance running the AppInfo service, that is tasked with creating elevated processes for the user. (See Elevation topic in Windows Internals)
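The distinction drawn in this thread matters for anyone writing process-creation telemetry: recording only ParentProcessId hides which process actually issued the create call. The following is an added example, not code from any poster, showing the decision logic a PsSetCreateProcessNotifyRoutineEx callback would apply to the two fields. To keep it buildable outside the WDK it declares minimal user-mode stand-ins for HANDLE, CLIENT_ID and the two PS_CREATE_NOTIFY_INFO members it reads (the real definitions come from ntddk.h and carry more fields), and the PIDs in the two sample scenarios are constructed values, not taken from any real system.

```c
#include <stdint.h>
#include <stdio.h>

/* User-mode stand-ins for the kernel types (hypothetical minimal versions;
 * a real driver takes these from ntddk.h). */
typedef uintptr_t HANDLE;

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;   /* process that owns the creating thread */
    HANDLE UniqueThread;
} CLIENT_ID;

/* Only the members this example reads; the real structure has more. */
typedef struct _PS_CREATE_NOTIFY_INFO {
    HANDLE    ParentProcessId;   /* process whose token the child inherits */
    CLIENT_ID CreatingThreadId;  /* thread that actually issued the create */
} PS_CREATE_NOTIFY_INFO;

/* What we would hand to telemetry for each creation. */
typedef struct {
    HANDLE child;
    HANDLE parent;    /* ParentProcessId: token/inheritance parent */
    HANDLE creator;   /* CreatingThreadId.UniqueProcess: real caller */
    int    brokered;  /* 1 when a third process performed the creation */
} CREATE_RECORD;

/* Core of the callback: capture both ids and flag the case the thread
 * discusses, where the creator is not the inheritance parent (e.g. the
 * AppInfo svchost.exe creating an elevated child on explorer.exe's behalf). */
CREATE_RECORD classify_create(HANDLE child, const PS_CREATE_NOTIFY_INFO *info)
{
    CREATE_RECORD rec;
    rec.child    = child;
    rec.parent   = info->ParentProcessId;
    rec.creator  = info->CreatingThreadId.UniqueProcess;
    rec.brokered = (rec.creator != rec.parent) ? 1 : 0;
    return rec;
}

/* Scenario 1 (constructed pids): user double-clicks an app in explorer.exe.
 * Explorer both owns the token being inherited and issues the create call. */
CREATE_RECORD sample_direct_launch(void)
{
    PS_CREATE_NOTIFY_INFO info = {
        .ParentProcessId  = 0x4a8,                     /* explorer.exe */
        .CreatingThreadId = { .UniqueProcess = 0x4a8,  /* explorer.exe */
                              .UniqueThread  = 0x4b0 },
    };
    return classify_create(0x1f40, &info);
}

/* Scenario 2 (constructed pids): "Run as administrator". The AppInfo
 * service's svchost.exe performs the creation but passes explorer.exe as
 * the parent, so the two fields differ. */
CREATE_RECORD sample_elevated_launch(void)
{
    PS_CREATE_NOTIFY_INFO info = {
        .ParentProcessId  = 0x4a8,                     /* explorer.exe */
        .CreatingThreadId = { .UniqueProcess = 0x3c4,  /* svchost.exe (AppInfo) */
                              .UniqueThread  = 0x9d8 },
    };
    return classify_create(0x2058, &info);
}

static void print_record(const CREATE_RECORD *r)
{
    printf("child=%#lx parent=%#lx creator=%#lx%s\n",
           (unsigned long)r->child, (unsigned long)r->parent,
           (unsigned long)r->creator,
           r->brokered ? " [created by a third process]" : "");
}

int main(void)
{
    CREATE_RECORD a = sample_direct_launch();
    CREATE_RECORD b = sample_elevated_launch();
    print_record(&a);
    print_record(&b);
    return 0;
}
```

In a real callback the same three values would be logged together (converted with HandleToULong for the event record) rather than collapsing them into a single "parent" column; keeping both lets an analyst tell a shell launch from a brokered one after the fact.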