I’m using PsSetLoadImageNotifyRoutine to monitor process creation on a Windows 2000 system. This API registers a callback routine that gets called when an image is loaded. The first parameter passed to this callback routine is a pointer to a UNICODE_STRING that contains the image name.
Everything works as expected, until I start a process with some Japanese characters in the image name. When a process of this type is started, I’m not getting the UNICODE_STRING I would expect in my callback routine. Instead, all the Japanese characters have been replaced by an 0x003F (question mark) character. Regular ASCII-type characters are coming through just fine.
Any ideas? Is this a known issue?
Thanks.