Can we make registry calls from PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback routine?

Can we make registry operations within PCREATE_PROCESS_NOTIFY_ROUTINE_EX function?
I want to store process specific information in the registry.

I’m not aware of anything preventing you from this.
I would add some mechanism to avoid a loopback - in case you’re also monitoring registry operations, check to see that you don’t end up filtering calls you initiated yourself.

In best practices, Microsoft recommends not to use registry calls.
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-kernel-mode-process-and-thread-manager

Are there any potential issues if we make registry calls from a PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine?

@yogeshrkhedkar,

Which registry operations will you be doing?
Yup, MSDN clearly mentions not to do any registry operations, and many more, but I think those are guidelines (as per the documentation), not RULES.
I believe there are many security products which register with the system for process creation, and in the event callback, they validate the current process using their user-mode component to allow or block that process.

So I believe you can do registry operations.
If the operations are going to be heavy and you desire to follow the guideline, then spawn a system thread to do the work.

Happy Coding :)

Thank you, Sourabh!
The operations are not heavy but I am worried only because of the guidelines from Microsoft.
Also, based on the guidelines, spawning a thread is not an option, since I have to do the stuff inline and will have to wait in the callback, which again is not recommended by Microsoft.

Can someone from Microsoft confirm and help in this context?

The operations are not heavy but I am worried only because of the guidelines from Microsoft.
Also, based on the guidelines, spawning a thread is not an option, since I have to do the stuff inline and will have to wait in the callback, which again is not recommended by Microsoft.

These guidelines can usually be translated as “doing some of these may lead to deadlock if you are not careful”. For example, you may wait for a user-mode component in the process notify ex callback; however, that user-mode component must really know what it is doing (and SHOULD not perform any complex operation, because some internal locks may be held).

So, just be careful and do more testing and all should be fine.

That’s my experience at least.