Queries About PsSetCreateProcessNotifyRoutine

Priyanka_Mohite · March 12, 2007, 7:52am

Hi,

I have registered PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine. I have a few queries regarding these:

Is the notification routine “always” called in the context of the process being created/ terminated?
When the notification routine is called for a process being created, is the node (EPROCESS block) for that process already created and present in the ActiveProcesses List or is it created after the notification routine is called?
Similarly, when the notification routine is called for a process being terminated, is the node (EPROCESS block) for that process removed from the ActiveProcess List before calling the notification routine or after the notification routine is called?
If i call KeWaitForSingleObject(…) in the notification routine, will the actual process creation wait or proceed?
for e.g. If the notification routine is called in the terminating process context, then if i wait in the routine the terminating should also wait??

Thanks in advance!!

-Priyanka.

anton_bassov · March 12, 2007, 10:59pm

> 1. Is the notification routine “always” called in the context of the process

being created/ terminated?

No - it may run in context of a system process as well…

When the notification routine is called for a process being created, is the
node (EPROCESS block) for that process already created and present in the
ActiveProcesses List or is it created after the notification routine is called?

Similarly, when the notification routine is called for a process being
terminated, is the node (EPROCESS block) for that process removed from the
ActiveProcess List before calling the notification routine or after the
notification routine is called?

Judging from the fact that callbacks receives PID as a parameter, EPROCESS has to be on the process list at the time of callback invocation…

If i call KeWaitForSingleObject(…) in the notification routine, will the
actual process creation wait or proceed?
for e.g. If the notification routine is called in the terminating process
context, then if i wait in the routine the terminating should also wait??

I would say that callback does not have any influence on process creation/termination whatsoever - after all, this is nothing more than just a notification. Furthermore, callback does not seem to get invoked in context of process creator/terminator, so that waiting in it would hardly change anything…

Anton Bassov

OSR_Community_User · March 13, 2007, 12:36am

>I would say that callback does not have any influence on process creation/termination whatsoever - after all, this is nothing more than just a notification. Furthermore, callback does not seem to get invoked in context of process creator/terminator, so that waiting in it would hardly change anything…

The initial thread will not begin to execute until this callback completes.

OSR_Community_User · March 13, 2007, 8:34am

> Judging from the fact that callbacks receives PID as a parameter,

EPROCESS has to be on the process list at the time of callback invocation…
… yes, but it seems that EPROCESS and/or other relevant structs
are not 100% constructed just yet at the moment when the CB happens.

IIRC, an attempt to get the image name in a process creation CB using
the approach close to what was published in July-August’06 of
“The NT Insider” [after appropriate replacement of NtCurrentProcess()
by pid value I get in a CB] failed.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Monday, March 12, 2007 11:00 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Queries About PsSetCreateProcessNotifyRoutine

Is the notification routine “always” called in the context of the process
being created/ terminated?