well, we have only to wait until the end of the year to see if I’m right
but there are some points to consider
One of the most common ways that malware is discovered is when users notice that something isn’t working as it should. As was the case with the recent SolarWinds problem, malware designed to minimize the disruptions that it causes is harder to detect because no one goes looking. This isn’t something that someone determined to cause mischief worries about, but serious attackers will for sure
A named mutex is one way to ensure that multiple instances of the same program don’t run together. That might be a technique that is used by malware, but it is also used by many other programs including some versions of Office IIRC. But a named mutex is only one of a vast number of ways of preventing multiple instances of the same program from running together. Using the same idea, any named object could be used. A mutex, an event, a section - you could even use a named pipe endpoint. But there are many other ways too. Consider a socket bound to a local port. Or a file or a registry key opened with access and sharing attributes that prevent multiple concurrent handles. And those are only a few of the possible kinds that just rely on a single ‘thing’ - mechanisms that rely on multiple different ‘gates’ are possible as well. Serious malware writers will gravitate to the most obscure and convoluted protocols for mutual exclusion as they are the hardest to observe or understand. There is no effective way to surveil for all of them - even if you had effective heuristics to differentiate between the legitimate patterns and the malware patterns - because there are enough different ‘degrees of freedom’ so that the malware author can just invent a new one that you don’t check for. So this is not an effective method to check for the kind of malware that you actually care about detecting
The performance cost of allowing customization (notify routines) during object creation would not be inconsequential. These functions have a very direct impact on overall application performance and might happen hundreds of thousands of times per second. And any compromised system could have any of these notify routines circumvented anyways, so they would provide no effective protection anyways. The conclusion is that since this feature would be highly deleterious to performance as well as highly ineffective at detecting an ‘infection’, it is sound engineering judgement to omit them from the design of Windows