How to define that a process is stopped?

I wrote a cache algorithm which keeps some information for active processes inside the driver.

The problem is the algorithm which destroys the appropriate process record when the process is terminated.
I tried to use ProcessNotifyRoutine(). But I see that after the driver receives the appropriate notification, some callbacks (Registry) continue to be called for the terminated PID!?!
It means that the notification comes BEFORE the process is really destroyed, not after.

The question:
How to define that the process is really killed?
I mean the state when all process threads are destroyed and no more callbacks for it will be executed.


PS. Currently I realized the appropriate algorithm as a garbage collector. But I really dislike this solution. :(

Would KeWaitForSingleObject() work for you? You can wait on the process
object to be signaled. This will ensure the process has been terminated.

– Jamey

On Tue, Jan 6, 2015 at 5:05 AM, wrote:

> I wrote a cache algorithm which keeps some information for active processes
> inside the driver.
> The problem is the algorithm which destroys the appropriate process record when
> the process is terminated.
> I tried to use ProcessNotifyRoutine(). But I see that after the driver receives
> the appropriate notification, some callbacks (Registry) continue to be called
> for the terminated PID!?!
> It means that the notification comes BEFORE the process is really destroyed, not
> after.
> The question:
> How to define that the process is really killed?
> I mean the state when all process threads are destroyed and no more
> callbacks for it will be executed.
> Thanks,
> Regards,
> Michael.
> PS. Currently I realized the appropriate algorithm as a garbage collector. But I
> really dislike this solution. :(

Jamey Kirby
Disrupting the establishment since 1964

This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.

Thank you for the reply!

My 1st look was: you are right, why did I not think about it!?! :)

But my 2-nd look in MSDN (

KeWaitForSingleObject( Object, …)

Object [in]
Pointer to an initialized dispatcher object (event, mutex, semaphore, thread, or timer) for which the caller supplies the storage.

There is no process handle in the list. :(
And it's probably correct: a process has a handle, but it is not a dispatcher object.

But I will try it if no other recommendations come. :)

Thanks a lot,

I believe you can wait on a process object. There is a dispatcher. I see no
reason why it would not work. I have not tried it.

On Tue, Jan 6, 2015 at 10:53 AM, wrote:

> Jamey,
> Thank you for the reply!
> My 1st look was: you are right, why did I not think about it!?! :)
> But my 2-nd look in MSDN (
> ):
> KeWaitForSingleObject( Object, …)
> Object [in]
> Pointer to an initialized dispatcher object (event, mutex, semaphore,
> thread, or timer) for which the caller supplies the storage.
> There is no process handle in the list. :(
> And it's probably correct: a process has a handle, but it is not a
> dispatcher object.
> But I will try it if no other recommendations come. :)
> Thanks a lot,
> Michael.


A process is a waitable object.