Make Windows Explorer and mouse not show the wait icon while processing callback function

Hello, here is my problem in detail:
My driver program registered a callback function with PsSetCreateProcessNotifyRoutineEx. When a new process (exe file) on the "D:" drive is started by double-click, the callback function just waits for the user’s reply via KeWaitForSingleObject or FltSendMessage, which will allow or block the process.
While the callback is waiting for the user’s decision, the Explorer window (at the file path) keeps spinning, flickers and displays the wait cursor. I don’t like it; I want that window to behave as normal.
I don’t know whether this can be done in kernel mode or user mode. I’ve reversed some drivers from AVs, but they are too complicated and I got no clue.
Could you give me any suggestion or solution? Thank you. :blush:

Without looking at all, I’d say this is likely impossible.

Windows Explorer presumably uses the ShellExecute function when you click on the file. One way or another it will turn into a CreateProcess call. AFAIK there is no option for this to be async or overlapped, so Windows Explorer will block. One of the things that happens as part of this call is calling your notify routine, so if you block, Explorer remains blocked too. If you don’t block, then you lose your opportunity to abort process creation. The only thing you might be able to do is to always abort process creation and then, if you later decide that it should have been allowed, redo that operation somehow - presumably from UM - and somehow detect in your notify routine that this call should not be aborted.

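The deny-then-relaunch idea from the reply above, modeled as plain user-mode C so the decision logic can be run and tested outside a driver. This is an added example, not code from either poster; the function names, table size, 30-second lifetime and exact-path matching are all assumptions.

```c
#include <string.h>

/* User-mode model of the deny-then-relaunch idea; all names are hypothetical.
 * In a driver, "deny" would mean setting CreateInfo->CreationStatus to a
 * failure status inside the PsSetCreateProcessNotifyRoutineEx callback. */
#define SLOTS 8
#define TTL   30            /* seconds an approval stays valid (assumed) */

struct approval { char path[260]; unsigned long expires; int used; };
static struct approval table[SLOTS];

static int guarded(const char *path)      /* only D: is policed, as in the post */
{
    return (path[0] == 'D' || path[0] == 'd') && path[1] == ':';
}

/* Called when the user answers "allow" in the user-mode prompt. */
int approve(const char *path, unsigned long now)
{
    for (int i = 0; i < SLOTS; i++) {
        if (table[i].used && table[i].expires > now) continue;  /* slot busy */
        strncpy(table[i].path, path, sizeof table[i].path - 1);
        table[i].path[sizeof table[i].path - 1] = '\0';
        table[i].expires = now + TTL;
        table[i].used = 1;
        return 1;
    }
    return 0;                              /* table full: launch stays denied */
}

/* Models the notify routine's decision: 1 = let creation proceed, 0 = deny.
 * It never waits, so the caller (Explorer) gets its answer immediately. */
int on_process_create(const char *path, unsigned long now)
{
    if (!guarded(path)) return 1;
    for (int i = 0; i < SLOTS; i++) {
        if (!table[i].used || strcmp(table[i].path, path) != 0) continue;
        table[i].used = 0;                 /* one-shot: consume the approval */
        if (table[i].expires > now) return 1;
    }
    return 0;   /* deny now; user mode prompts and relaunches if approved */
}
```

Matching on the path alone leaves a window in which the file can change between approval and relaunch; a real design would bind the approval to something stronger, such as a hash of the image.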