Hi,
This is a little bit of an off-topic question.
I need to watch all threads which have been created in the system.
So I created the thread-create hook, using
PsSetCreateThreadNotifyRoutine. All threads created in the system
are “marked” somehow (imagine setting some thread-specific data).
When this thread does a file I/O, I use this information.
Now I have found a case where the thread is “not marked”
at the time when its first I/O arrives at my filter.
The thread belongs to LSASS, all other threads of this
process are “marked” well.
(I only note that my driver is loaded far earlier than LSASS.)
I suspect that the thread’s first I/O came before the thread
creation notify routine completes.
Can anyone confirm or disprove this suspicion?
L.