{
	"id": "f224759d-80f8-46ec-bd59-a637cbebd72b",
	"created_at": "2026-04-06T00:10:52.114351Z",
	"updated_at": "2026-04-10T03:22:07.913665Z",
	"deleted_at": null,
	"sha1_hash": "be566fe9278b54c4d517be9c1b053b716a5fd25a",
	"title": "PsSetCreateProcessNotifyRoutine function (ntddk.h) - Windows drivers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54199,
	"plain_text": "PsSetCreateProcessNotifyRoutine function (ntddk.h) - Windows drivers\r\nBy EliotSeattle\r\nArchived: 2026-04-05 16:01:38 UTC\r\nThe PsSetCreateProcessNotifyRoutine routine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.\r\nSyntax\r\nNTSTATUS PsSetCreateProcessNotifyRoutine(\r\n [in] PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,\r\n [in] BOOLEAN Remove\r\n);\r\nParameters\r\n[in] NotifyRoutine\r\nSpecifies the entry point of a caller-supplied process-creation callback routine. See PCREATE_PROCESS_NOTIFY_ROUTINE.\r\n[in] Remove\r\nIndicates whether the routine specified by NotifyRoutine should be added to or removed from the system's list of notification routines. If FALSE, the specified routine is added to the list. If TRUE, the specified routine is removed from the list.\r\nReturn value\r\nPsSetCreateProcessNotifyRoutine can return one of the following:\r\nReturn code: Description\r\nSTATUS_SUCCESS: The given NotifyRoutine is now registered with the system.\r\nSTATUS_INVALID_PARAMETER: The given NotifyRoutine has already been registered, so this call is a redundant call, or the system has reached its limit for registering process-creation callbacks.\r\nhttps://msdn.microsoft.com/library/windows/hardware/ff559951.aspx\r\nPage 1 of 2\r\nHighest-level drivers can call PsSetCreateProcessNotifyRoutine to set up their process-creation notify routines implemented as PCREATE_PROCESS_NOTIFY_ROUTINE.\r\nAn IFS or highest-level system-profiling driver might register a process-creation callback to track the system-wide creation and deletion of processes against the driver's internal state. For Windows Vista and later versions of Windows, the system can register up to 64 process-creation callback routines.\r\nA driver must remove any callbacks that it registers before it unloads. You can remove the callback by calling PsSetCreateProcessNotifyRoutine with Remove = TRUE. A driver must not make this call from its implementation of the PCREATE_PROCESS_NOTIFY_ROUTINE callback routine.\r\nAfter a driver-supplied routine is registered, it is called with Create set to TRUE just after the initial thread is created within the newly created process designated by the input ProcessId handle. The input ParentId handle identifies the parent process of the newly created process (this is the parent used for priority, affinity, quota, token, and handle inheritance, among others).\r\nRequirements\r\nSee also\r\nPCREATE_PROCESS_NOTIFY_ROUTINE\r\nPsGetCurrentProcessId\r\nPsSetCreateProcessNotifyRoutineEx\r\nPsSetCreateThreadNotifyRoutine\r\nPsSetLoadImageNotifyRoutine\r\nSource: https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx"
	],
	"report_names": [
		"ff559951.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be566fe9278b54c4d517be9c1b053b716a5fd25a.pdf",
		"text": "https://archive.orkl.eu/be566fe9278b54c4d517be9c1b053b716a5fd25a.txt",
		"img": "https://archive.orkl.eu/be566fe9278b54c4d517be9c1b053b716a5fd25a.jpg"
	}
}