IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION interceptprocess-creation and Command line

I am looking way to obtain command parameter for the process about to be created as one could intercept the process creation with PAGE_EXECUTE and SyncTypeCreateSection. I am looking for example/suggestion/sample in obtaining the full command line for the process being created. Unfortunately, PsSetCreateProcessNotifyRoutineEx and the surrounding capabilities are not available in this case.

There is no concept of the command line at this level.

What exactly are you trying to do? If you need information about process
creation why not just use PsSetCreateProcessNotifyRoutineEx?

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntfsd…

I am looking way to obtain command parameter for the process about to be
created as one could intercept the process creation with PAGE_EXECUTE and
SyncTypeCreateSection. I am looking for example/suggestion/sample in
obtaining the full command line for the process being created.
Unfortunately, PsSetCreateProcessNotifyRoutineEx and the surrounding
capabilities are not available in this case.