https://stackoverflow.com/questions/22586006
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianThis doesn't appear to be documented, which implies that there is no guarantee that the thread will not start executing before the callback routine returns.
However, the documentation for the CreateProcessNotifyEx routine says:
For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.
So, if you need your notification routine to complete before the initial thread starts running, use PsSetCreateProcessNotifyRoutineEx instead of PsSetCreateProcessNotifyRoutine.
