{
	"id": "7772296d-481a-4ab9-b928-c924432246f4",
	"created_at": "2026-04-06T00:19:25.784174Z",
	"updated_at": "2026-04-10T03:20:58.034574Z",
	"deleted_at": null,
	"sha1_hash": "221f08aefad35380141db67f484f0c918dbd1d08",
	"title": "Process Creation Flags (WinBase.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67557,
	"plain_text": "Process Creation Flags (WinBase.h) - Win32 apps\r\nBy Karl-Bridge-Microsoft\r\nArchived: 2026-04-05 22:57:12 UTC\r\nThe following process creation flags are used by the CreateProcess, CreateProcessAsUser,\r\nCreateProcessWithLogonW, and CreateProcessWithTokenW functions. They can be specified in any\r\ncombination, except as noted.\r\n BOOL creationResult;\r\n \r\n creationResult = CreateProcess(\r\n NULL, // No module name (use command line)\r\n cmdLine, // Command line\r\n NULL, // Process handle not inheritable\r\n NULL, // Thread handle not inheritable\r\n FALSE, // Set handle inheritance to FALSE\r\n NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP, // creation flags\r\n NULL, // Use parent's environment block\r\n NULL, // Use parent's starting directory\r\n \u0026startupInfo, // Pointer to STARTUPINFO structure\r\n \u0026processInformation); // Pointer to PROCESS_INFORMATION structure\r\nExample from Windows classic samples on GitHub.\r\nConstant/value Description\r\nCREATE_BREAKAWAY_FROM_JOB\r\n0x01000000\r\nThe child processes of a process associated with a job\r\nare not associated with the job.\r\nIf the calling process is not associated with a job, this\r\nconstant has no effect. If the calling process is\r\nassociated with a job, the job must set the\r\nJOB_OBJECT_LIMIT_BREAKAWAY_OK limit.\r\nCREATE_DEFAULT_ERROR_MODE\r\n0x04000000\r\nThe new process does not inherit the error mode of\r\nthe calling process. Instead, the new process gets the\r\ndefault error mode.\r\nThis feature is particularly useful for multithreaded\r\nshell applications that run with hard errors disabled.\r\nThe default behavior is for the new process to inherit\r\nhttps://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\r\nPage 1 of 5\n\nConstant/value Description\r\nthe error mode of the caller. Setting this flag changes\r\nthat default behavior.\r\nCREATE_NEW_CONSOLE\r\n0x00000010\r\nThe new process has a new console, instead of\r\ninheriting its parent's console (the default). For more\r\ninformation, see Creation of a Console.\r\nThis flag cannot be used with\r\nDETACHED_PROCESS.\r\nCREATE_NEW_PROCESS_GROUP\r\n0x00000200\r\nThe new process is the root process of a new process\r\ngroup. The process group includes all processes that\r\nare descendants of this root process. The process\r\nidentifier of the new process group is the same as the\r\nprocess identifier, which is returned in the\r\nlpProcessInformation parameter. Process groups are\r\nused by the GenerateConsoleCtrlEvent function to\r\nenable sending a CTRL+BREAK signal to a group of\r\nconsole processes.\r\nIf this flag is specified, CTRL+C signals will be\r\ndisabled for all processes within the new process\r\ngroup.\r\nThis flag is ignored if specified with\r\nCREATE_NEW_CONSOLE.\r\nCREATE_NO_WINDOW\r\n0x08000000\r\nThe process is a console application that is being run\r\nwithout a console window. Therefore, the console\r\nhandle for the application is not set.\r\nThis flag is ignored if the application is not a console\r\napplication, or if it is used with either\r\nCREATE_NEW_CONSOLE or\r\nDETACHED_PROCESS.\r\nCREATE_PROTECTED_PROCESS\r\n0x00040000\r\nThe process is to be run as a protected process. The\r\nsystem restricts access to protected processes and the\r\nthreads of protected processes. For more information\r\non how processes can interact with protected\r\nprocesses, see Process Security and Access Rights.\r\nTo activate a protected process, the binary must have\r\na special signature. This signature is provided by\r\nMicrosoft but not currently available for non-Microsoft binaries. There are currently four protected\r\nprocesses: media foundation, audio engine, Windows\r\nhttps://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\r\nPage 2 of 5\n\nConstant/value Description\r\nerror reporting, and system. Components that load\r\ninto these binaries must also be signed. Multimedia\r\ncompanies can leverage the first two protected\r\nprocesses. For more information, see Overview of the\r\nProtected Media Path.\r\nWindows Server 2003 and Windows XP: This\r\nvalue is not supported.\r\nCREATE_PRESERVE_CODE_AUTHZ_LEVEL\r\n0x02000000\r\nAllows the caller to execute a child process that\r\nbypasses the process restrictions that would normally\r\nbe applied automatically to the process.\r\nCREATE_SECURE_PROCESS\r\n0x00400000\r\nThis flag allows secure processes, that run in the\r\nVirtualization-Based Security environment, to launch.\r\nCREATE_SEPARATE_WOW_VDM\r\n0x00000800\r\nThis flag is valid only when starting a 16-bit\r\nWindows-based application. If set, the new process\r\nruns in a private Virtual DOS Machine (VDM). By\r\ndefault, all 16-bit Windows-based applications run as\r\nthreads in a single, shared VDM. The advantage of\r\nrunning separately is that a crash only terminates the\r\nsingle VDM; any other programs running in distinct\r\nVDMs continue to function normally. Also, 16-bit\r\nWindows-based applications that are run in separate\r\nVDMs have separate input queues. That means that if\r\none application stops responding momentarily,\r\napplications in separate VDMs continue to receive\r\ninput. The disadvantage of running separately is that\r\nit takes significantly more memory to do so. You\r\nshould use this flag only if the user requests that 16-\r\nbit applications should run in their own VDM.\r\nCREATE_SHARED_WOW_VDM\r\n0x00001000\r\nThe flag is valid only when starting a 16-bit\r\nWindows-based application. If the\r\nDefaultSeparateVDM switch in the Windows section\r\nof WIN.INI is TRUE, this flag overrides the switch.\r\nThe new process is run in the shared Virtual DOS\r\nMachine.\r\nhttps://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\r\nPage 3 of 5\n\nConstant/value Description\r\nCREATE_SUSPENDED\r\n0x00000004\r\nThe primary thread of the new process is created in a\r\nsuspended state, and does not run until the\r\nResumeThread function is called.\r\nCREATE_UNICODE_ENVIRONMENT\r\n0x00000400\r\nIf this flag is set, the environment block pointed to by\r\nlpEnvironment uses Unicode characters. Otherwise,\r\nthe environment block uses ANSI characters.\r\nDEBUG_ONLY_THIS_PROCESS\r\n0x00000002\r\nThe calling thread starts and debugs the new process.\r\nIt can receive all related debug events using the\r\nWaitForDebugEvent function.\r\nDEBUG_PROCESS\r\n0x00000001\r\nThe calling thread starts and debugs the new process\r\nand all child processes created by the new process. It\r\ncan receive all related debug events using the\r\nWaitForDebugEvent function.\r\nA process that uses DEBUG_PROCESS becomes\r\nthe root of a debugging chain. This continues until\r\nanother process in the chain is created with\r\nDEBUG_PROCESS.\r\nIf this flag is combined with\r\nDEBUG_ONLY_THIS_PROCESS, the caller\r\ndebugs only the new process, not any child processes.\r\nDETACHED_PROCESS\r\n0x00000008\r\nFor console processes, the new process does not\r\ninherit its parent's console (the default). The new\r\nprocess can call the AllocConsole function at a later\r\ntime to create a console. For more information, see\r\nCreation of a Console.\r\nThis value cannot be used with\r\nCREATE_NEW_CONSOLE.\r\nEXTENDED_STARTUPINFO_PRESENT\r\n0x00080000\r\nThe process is created with extended startup\r\ninformation; the lpStartupInfo parameter specifies a\r\nSTARTUPINFOEX structure.\r\nWindows Server 2003 and Windows XP: This\r\nvalue is not supported.\r\nINHERIT_PARENT_AFFINITY\r\n0x00010000\r\nThe process inherits its parent's affinity. If the parent\r\nprocess has threads in more than one processor\r\ngroup, the new process inherits the group-relative\r\naffinity of an arbitrary group in use by the parent.\r\nhttps://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\r\nPage 4 of 5\n\nConstant/value Description\r\nWindows Server 2008, Windows Vista, Windows\r\nServer 2003 and Windows XP: This value is not\r\nsupported.\r\nOn 32-bit Windows, 16-bit applications are simulated by ntvdm.exe, not run as individual processes. Therefore,\r\nthe process creation flags apply to ntvdm.exe. Because ntvdm.exe persists after you run the first 16-bit application,\r\nwhen you launch another 16-bit application, the new creation flags are not applied, except for\r\nCREATE_NEW_CONSOLE and CREATE_SEPARATE_WOW_VDM, which create a new ntvdm.exe.\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps only]\r\nMinimum supported server Windows Server 2003 [desktop apps only]\r\nHeader WinBase.h (include Windows.h)\r\nSource: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\r\nhttps://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags"
	],
	"report_names": [
		"process-creation-flags"
	],
	"threat_actors": [],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/221f08aefad35380141db67f484f0c918dbd1d08.pdf",
		"text": "https://archive.orkl.eu/221f08aefad35380141db67f484f0c918dbd1d08.txt",
		"img": "https://archive.orkl.eu/221f08aefad35380141db67f484f0c918dbd1d08.jpg"
	}
}