RE: Win2K3 Server : PsRemoveCreateThreadNotifyRoutine supported?

PsRemoveCreateThreadNotifyRoutine is in ntddk.h while it appears that
PsRemoveProcessCreateNotifyRoutine is not. In addition, as far as I can
tell, PsRemoveProcessCreateNotifyRoutine is not present in w2k3 or w2k3sp1.

=====================
Mark Roddy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Christopher D.
Russell
Sent: Tuesday, May 17, 2005 5:04 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Win2K3 Server : PsRemoveCreateThreadNotifyRoutine
supported?

Hello, I am developing a driver specifically for Windows Server 2003 and
wonder if PsRemoveThreadCreateNotifyRoutine and
PsRemoveProcessCreateNotifyRoutine are officially supported or not. There
is no mention of either of these APIs in the 3790 DDK documentation.
However, they are documented on MSDN and in more recent DDKs. Further, calls
to these APIs are resolved by the linker and I thought they were working
correctly. However, I’m now questioning if the calls are really doing all
they’re supposed to be doing.

Does anyone here have any definitive knowledge about whether these are really
supported on WS2K3 or not?

Regards,
Chris

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

PsSetCreateProcessNotifyRoutine() has two parameters, and the second tells whether to add or remove the routine. It is documented in the DDK, whereas PsRemoveCreateThreadNotifyRoutine() isn’t.

It is confusing to have one routine for process and two for thread create notification, but it is probably because originally (NT4 or w2k) there was no possibility to remove a create thread notify routine.

As for the original question, I only used PsSetCreateProcessNotifyRoutine() and yes, both set and remove work as expected. The only problem can be the limited number of registered routines; I guess the maximum number is 8.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Roddy, Mark[SMTP:xxxxx@stratus.com]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, May 17, 2005 11:17 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Win2K3 Server : PsRemoveCreateThreadNotifyRoutine supported?

PsRemoveCreateThreadNotifyRoutine is in ntddk.h while it appears that
PsRemoveProcessCreateNotifyRoutine is not. In addition, as far as I can
tell, PsRemoveProcessCreateNotifyRoutine is not present in w2k3 or w2k3sp1.

=====================
Mark Roddy
