Is there a way for a process to be started without going through
CreateProcess (or CreateProcessWithLogon)?
When trapping on CreateProcess* I see only three calls to start the program,
but in the task list it appears about six times.
Can a running process “clone” itself into a new process without going
through CreateProcess?
Thanks.
How are you trapping on CreateProcess and which version of Windows is
this? I know there is some weird handling with fork like processing, it
has been a long time since I looked at this. IIRC the CreateProcess
callback worked ok, but the LoadImageNotify did not in that case (at
least not for all versions of windows).
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“Neil Weicher” wrote in message news:xxxxx@ntfsd:
> Is there a way for a process to be started without going through
> CreateProcess (or CreateProcessWithLogon)?
>
> When trapping on CreateProcess* I see only three calls to start the program,
> but in the task list it appears about six times.
>
> Can a running process “clone” itself into a new process without going
> through CreateProcess?
>
> Thanks.
Once, to satisfy morbid curiosity, I single-stepped through CreateProcess.
My memory is that this is implemented entirely in ntdll.dll, and calls a
lot of native-interface functions in the kernel. That was in XP, I don’t
know if things have changed in Vista or Win7.
joe
How are you trapping on CreateProcess and which version of Windows is
this? I know there is some weird handling with fork like processing, it
has been a long time since I looked at this. IIRC the CreateProcess
callback worked ok, but the LoadImageNotify did not in that case (at
least not for all versions of windows).Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr“Neil Weicher” wrote in message news:xxxxx@ntfsd:
>
>> Is there a way for a process to be started without going through
>> CreateProcess (or CreateProcessWithLogon)?
>>
>> When trapping on CreateProcess* I see only three calls to start the
>> program,
>> but in the task list it appears about six times.
>>
>> Can a running process “clone” itself into a new process without going
>> through CreateProcess?
>>
>> Thanks.
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>