Path: news.mitre.org!blanket.mitre.org!philabs!newsjunkie.ans.net!newsfeeds.ans.net!news-was.dfn.de!news-fra1.dfn.de!news-ge.switch.ch!newscore.univie.ac.at!newsfeed.ecrc.net!cpk-news-hub1.bbnplanet.com!cpk-news-feed4.bbnplanet.com!cpk-news-feed1.bbnplanet.com!news.bbnplanet.com!news.iquest.net!not-for-mail
From: "Robert W. Fuller"
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
Subject: Re: can an NT driver be informed of a new thread or process starting?
Date: Sun, 30 Nov 1997 17:09:45 -0500
Organization: IQuest Internet, Inc.
Lines: 40
Message-ID: <3481E429.8113ADE7@iquest.net>
References: <01bcfdab$ad0fa590$6c65cbc7@assaf>
NNTP-Posting-Host: ind-0013-6.iquest.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.04 [en] (WinNT; U)

Assaf Wodeslavsky wrote:

> Does anyone know of a way in which an NT driver could be informed of a new
> task starting in the system?

I've successfully used the following undocumented functionality exposed by
NTDDK.H:

    typedef VOID (*PCREATE_PROCESS_NOTIFY_ROUTINE)(
        IN HANDLE ParentId,
        IN HANDLE ProcessId,
        IN BOOLEAN Create
        );

    NTSTATUS
    PsSetCreateProcessNotifyRoutine(
        IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
        IN BOOLEAN Remove
        );

    typedef VOID (*PCREATE_THREAD_NOTIFY_ROUTINE)(
        IN HANDLE ProcessId,
        IN HANDLE ThreadId,
        IN BOOLEAN Create
        );

    NTSTATUS
    PsSetCreateThreadNotifyRoutine(
        IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
        );

The functions work as you would guess. The BOOLEAN in the
PCREATE_PROCESS_NOTIFY_ROUTINE callback indicates whether a process is being
created or destroyed. Also, the Remove BOOLEAN in
PsSetCreateProcessNotifyRoutine() deregisters the process
creation/destruction callback.
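The following is an added example, not code from the post above: a minimal process-monitoring callback of the kind a driver would register with PsSetCreateProcessNotifyRoutine. The callback keeps a small table of live processes (pid and parent pid) so the Create TRUE/FALSE distinction and the deregistration via Remove == TRUE can be seen in context. The bookkeeping is kept portable: the driver glue (DriverEntry, DriverUnload, the spin lock) is compiled only when the assumed build switch BUILD_AS_DRIVER is defined together with the DDK headers, and on an ordinary host the same callback logic compiles against a few stand-in typedefs so it can be exercised with constructed process ids. The names ProcessNotify, LiveProcessCount, ParentOf, UnmatchedEvents, PID_HANDLE and BUILD_AS_DRIVER are all this example's own.

```c
/* Added example (not from the original post). Assumption: BUILD_AS_DRIVER is
 * defined when compiling with the NT DDK; otherwise host stand-ins are used so
 * the callback logic can be compiled and exercised outside the kernel. */
#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
#define LOG DbgPrint
static KSPIN_LOCK g_Lock;                 /* callbacks run concurrently on SMP */
#define LOCK(irql)   KeAcquireSpinLock(&g_Lock, &(irql))
#define UNLOCK(irql) KeReleaseSpinLock(&g_Lock, (irql))
#else
#include <stdio.h>
#include <stdint.h>
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
typedef unsigned char KIRQL;
typedef long NTSTATUS;
#define VOID void
#define IN
#define TRUE 1
#define FALSE 0
#define LOG printf
#define LOCK(irql)   ((void)(irql))       /* single-threaded on the host */
#define UNLOCK(irql) ((void)(irql))
/* Process ids are small integers carried in a HANDLE; handy for simulation. */
#define PID_HANDLE(n) ((HANDLE)(uintptr_t)(n))
#endif

#define MAX_TRACKED 64

typedef struct {
    HANDLE ProcessId;
    HANDLE ParentId;
    BOOLEAN InUse;
} TRACKED_PROCESS;

static TRACKED_PROCESS g_Table[MAX_TRACKED];
static unsigned long g_LiveCount = 0;  /* processes created since registration and still alive */
static unsigned long g_Unmatched = 0;  /* table full, or exit of a process we never saw created */

/* Has the PCREATE_PROCESS_NOTIFY_ROUTINE signature from the post.
 * Create == TRUE : ProcessId was just created by ParentId.
 * Create == FALSE: ProcessId is being destroyed (ParentId is not meaningful).
 * Keep the work short: this runs in the creating/exiting thread's context. */
VOID ProcessNotify(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create)
{
    KIRQL irql = 0;
    int i, slot = -1;

    LOCK(irql);
    for (i = 0; i < MAX_TRACKED; i++) {
        if (Create ? !g_Table[i].InUse
                   : (g_Table[i].InUse && g_Table[i].ProcessId == ProcessId)) {
            slot = i;
            break;
        }
    }
    if (slot < 0) {
        g_Unmatched++;              /* never underflow on exits we did not see start */
    } else if (Create) {
        g_Table[slot].ProcessId = ProcessId;
        g_Table[slot].ParentId = ParentId;
        g_Table[slot].InUse = TRUE;
        g_LiveCount++;
        LOG("process %p created by %p\n", ProcessId, ParentId);
    } else {
        g_Table[slot].InUse = FALSE;
        g_LiveCount--;
        LOG("process %p exited\n", ProcessId);
    }
    UNLOCK(irql);
}

unsigned long LiveProcessCount(void) { return g_LiveCount; }
unsigned long UnmatchedEvents(void)  { return g_Unmatched; }

/* Parent of a tracked live process, or NULL if we never saw it created. */
HANDLE ParentOf(HANDLE ProcessId)
{
    int i;
    for (i = 0; i < MAX_TRACKED; i++)
        if (g_Table[i].InUse && g_Table[i].ProcessId == ProcessId)
            return g_Table[i].ParentId;
    return (HANDLE)0;
}

#ifdef BUILD_AS_DRIVER
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    /* Remove == TRUE deregisters the routine registered in DriverEntry. This is
     * mandatory: a callback left behind after unload points into freed code. */
    PsSetCreateProcessNotifyRoutine(ProcessNotify, TRUE);
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    KeInitializeSpinLock(&g_Lock);
    DriverObject->DriverUnload = DriverUnload;
    status = PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE); /* FALSE == register */
    if (!NT_SUCCESS(status))
        LOG("PsSetCreateProcessNotifyRoutine failed: 0x%08lx\n", status);
    return status;
}
#endif
```

Two points the prototypes alone do not make obvious: the callback only ever sees processes created after registration, so an exit notification for an unknown pid is normal and must not corrupt the table; and the Remove flag must be used from DriverUnload, since the kernel keeps calling whatever address was registered. The thread routine in the post has no Remove parameter in this DDK version; later kernels added a separate PsRemoveCreateThreadNotifyRoutine for that purpose (a fact not stated in the post).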