PsSetCreateProcessNotifyRoutine Callback

Question

Does the main thread for the process start executing right after creation, or does it begin after the completion of the call back routine?

Answer 1

This doesn't appear to be documented, which implies that there is no guarantee that the thread will not start executing before the callback routine returns.

However, the documentation for the CreateProcessNotifyEx routine says:

For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

So, if you need your notification routine to complete before the initial thread starts running, use PsSetCreateProcessNotifyRoutineEx instead of PsSetCreateProcessNotifyRoutine.