My driver intercepts CreateProcess via a CreateProcessNotification callback (Win7 x64). I am observing a certain process in WinDbg: the process was created 8 minutes ago but has run 0 ms in UserMode and 0 ms in KernelMode (it “hangs”). It has one thread only, and technically it is not yet created. The only thread it has tries to open a synchronous socket and is blocked waiting. The thread has a pending IRP and an APC scheduled to a thread.
My question is: how can a process which is not yet created have a thread with an active IRP and APC? How is this situation possible at all?
Thanks.