Question about PsSetCreateProcessNotifyRoutine

Hello,

Does Windows guarantee that both creation and termination callbacks are always called
and called in the sequential order, i.e. the termination callback is called only after
the creation callback is complete?

After reading the documentation for PsSetCreateProcessNotifyRoutine,
I feel some uncertainty.

It states that the creation callback is called in the context of the parent process just
after the first thread in the new process has been created,
and the termination callback is called in the context of the last exiting
thread of the process.

So, my thinking is: what will happen if the first thread in the process exits
immediately?

I would never assume that such a sequential order always exists. I don't know of such an implementation in Windows, but from my experience I would not rely on this. If you have any shared data, you need to properly synchronize it. And your stuff with such synchronization would safely work in any case.

Igor Sharovar

Thanks Igor.

I am mainly interested if the process is guaranteed to exist when my process creation notification
callback is called, and that this callback is guaranteed to be called.

>what will happen if the first thread in the process exits immediately

IIRC, MSDN states that the process creation callback is guaranteed to get invoked BEFORE the primary thread starts running. If this is, indeed, the case, then we can logically arrive at the conclusion that the creation callback is guaranteed to precede the termination one, because the target thread has to make a return to the UM in order to get terminated, which means it has to start running…

> I am mainly interested if the process is guaranteed to exist when my process creation notification
> callback is called,

IIRC, starting from Vista, the creation callback allows you to block process creation. Therefore, apparently,
a process may not yet exist (i.e. all stages of its creation have not yet been accomplished) at the time of callback invocation.

Anton Bassov

Thanks Anton.

I see this comment in the documentation for CreateProcessNotifyEx() which is
available on Vista SP1 and later,
but not in the documentation for PsSetCreateProcessNotifyRoutine().

Is it just a documentation bug, or is the actual implementation
different for these routines?

You need to handle the case of processes starting before you register your start routine having exited, so you likely need to handle this case anyway.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Friday, September 04, 2009 2:06 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Question about PsSetCreateProcessNotifyRoutine

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
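
The case S describes above (an exit notification for a process that started before the callback was registered), as an added example that is not part of the original thread: a user-mode C model of the tracking table a process-notify routine might keep. The table layout, `on_notify` and the result names are hypothetical; the parameters mirror the notify routine's parent id, process id and create flag, and in a driver the body would run with a lock held, per Igor's point about synchronization.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 64
#define NOT_FOUND ((size_t)-1)

enum result { TRACKED, STALE_REPLACED, TABLE_FULL, REMOVED, EXIT_UNTRACKED };

struct entry { uintptr_t pid, parent; };
struct table { struct entry e[MAX_TRACKED]; size_t used; };

static size_t find(const struct table *t, uintptr_t pid) {
    for (size_t i = 0; i < t->used; i++)
        if (t->e[i].pid == pid) return i;
    return NOT_FOUND;
}

/* Hypothetical handler body. In a driver this would run inside the routine
   registered with PsSetCreateProcessNotifyRoutine, with the table lock held. */
enum result on_notify(struct table *t, uintptr_t parent, uintptr_t pid, int create) {
    size_t i = find(t, pid);
    if (!create) {
        if (i == NOT_FOUND)
            return EXIT_UNTRACKED;   /* process started before we registered */
        t->e[i] = t->e[--t->used];   /* swap-remove the finished process */
        return REMOVED;
    }
    if (i != NOT_FOUND) {            /* create for a known PID: old entry is stale */
        t->e[i].parent = parent;
        return STALE_REPLACED;
    }
    if (t->used == MAX_TRACKED)
        return TABLE_FULL;
    t->e[t->used++] = (struct entry){ pid, parent };
    return TRACKED;
}

int main(void) {
    struct table t = { .used = 0 };
    /* Constructed event sequence: the exit of a process we never saw start,
       then one complete create/exit lifetime. */
    printf("%d\n", on_notify(&t, 4, 700, 0));
    printf("%d\n", on_notify(&t, 812, 1600, 1));
    printf("%d\n", on_notify(&t, 812, 1600, 0));
    return 0;
}
```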

> You need to handle the case of processes starting before you register your start routine having exited,

Well, this problem can be solved simply by specifying the appropriate start type for a service and registering callbacks right in DriverEntry(). All you have to do here is to ensure that your driver has registered its callbacks before any user processes have a chance to run, and, at this point, the problem solves itself. Normally you would not expect a driver that registers these callbacks to deal with any actual hardware stack, so that his service is quite unlikely to be controlled by PnP Manager - instead, apparently its start is controlled via SCM, and, hence, the OP can specify any start type he wishes…

Anton Bassov

Thanks all for your comments!

Disassembling nt!NtCreateThread, there is a call to ExAcquireRundownProtection
for the owning process, and then there is a loop calling create process notifications.

So it seems like the process is guaranteed to exist while the create notifications
are called.

Yes, although it may be undesirable to require a reboot on installation.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Friday, September 04, 2009 8:13 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Question about PsSetCreateProcessNotifyRoutine
