{
	"id": "85b53941-67dd-41f1-a215-ab57f135addc",
	"created_at": "2026-04-06T03:37:52.171107Z",
	"updated_at": "2026-04-10T03:20:17.636838Z",
	"deleted_at": null,
	"sha1_hash": "e80e3664e2702f1bedae9035a9a68c717ef114b2",
	"title": "CreateProcessA function (processthreadsapi.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98705,
	"plain_text": "CreateProcessA function (processthreadsapi.h) - Win32 apps\r\nBy karl-bridge-microsoft\r\nArchived: 2026-04-06 03:31:25 UTC\r\nCreates a new process and its primary thread. The new process runs in the security context of the calling process.\r\nIf the calling process is impersonating another user, the new process uses the token for the calling process, not the\r\nimpersonation token. To run the new process in the security context of the user represented by the impersonation\r\ntoken, use the CreateProcessAsUserA function or CreateProcessWithLogonW function.\r\nBOOL CreateProcessA(\r\n [in, optional] LPCSTR lpApplicationName,\r\n [in, out, optional] LPSTR lpCommandLine,\r\n [in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes,\r\n [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,\r\n [in] BOOL bInheritHandles,\r\n [in] DWORD dwCreationFlags,\r\n [in, optional] LPVOID lpEnvironment,\r\n [in, optional] LPCSTR lpCurrentDirectory,\r\n [in] LPSTARTUPINFOA lpStartupInfo,\r\n [out] LPPROCESS_INFORMATION lpProcessInformation\r\n);\r\n[in, optional] lpApplicationName\r\nThe name of the module to be executed. This module can be a Windows-based application. It can be some other\r\ntype of module (for example, MS-DOS or OS/2) if the appropriate subsystem is available on the local computer.\r\nThe string can specify the full path and file name of the module to execute or it can specify a partial name. In the\r\ncase of a partial name, the function uses the current drive and current directory to complete the specification. The\r\nfunction will not use the search path. This parameter must include the file name extension; no default extension is\r\nassumed.\r\nThe lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–\r\ndelimited token in the lpCommandLine string. 
If you are using a long file name that contains a space, use quoted\r\nstrings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For\r\nexample, consider the string \"c:\\program files\\sub dir\\program name\". This string can be interpreted in a number\r\nof ways. The system tries to interpret the possibilities in the following order:\r\n1. c:\\program.exe\r\n2. c:\\program files\\sub.exe\r\n3. c:\\program files\\sub dir\\program.exe\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa\r\nPage 1 of 8\n\n4. c:\\program files\\sub dir\\program name.exe\r\nIf the executable module is a 16-bit application, lpApplicationName should be NULL, and the string pointed to by\r\nlpCommandLine should specify the executable module as well as its arguments.\r\nTo run a batch file, you must start the command interpreter; set lpApplicationName to cmd.exe and set\r\nlpCommandLine to the following arguments: /c plus the name of the batch file.\r\n[in, out, optional] lpCommandLine\r\nThe command line to be executed.\r\nThe maximum length of this string is 32,767 characters, including the Unicode terminating null character. If\r\nlpApplicationName is NULL, the module name portion of lpCommandLine is limited to MAX_PATH characters.\r\nThe Unicode version of this function, CreateProcessW, can modify the contents of this string. Therefore, this\r\nparameter cannot be a pointer to read-only memory (such as a const variable or a literal string). If this parameter\r\nis a constant string, the function may cause an access violation.\r\nThe lpCommandLine parameter can be NULL. 
In that case, the function uses the string pointed to by\r\nlpApplicationName as the command line.\r\nIf both lpApplicationName and lpCommandLine are non-NULL, the null-terminated string pointed to by\r\nlpApplicationName specifies the module to execute, and the null-terminated string pointed to by lpCommandLine\r\nspecifies the command line. The new process can use GetCommandLine to retrieve the entire command line.\r\nConsole processes written in C can use the argc and argv arguments to parse the command line. Because argv[0]\r\nis the module name, C programmers generally repeat the module name as the first token in the command line.\r\nIf lpApplicationName is NULL, the first white space–delimited token of the command line specifies the module\r\nname. If you are using a long file name that contains a space, use quoted strings to indicate where the file name\r\nends and the arguments begin (see the explanation for the lpApplicationName parameter). If the file name does not\r\ncontain an extension, .exe is appended. Therefore, if the file name extension is .com, this parameter must include\r\nthe .com extension. If the file name ends in a period (.) with no extension, or if the file name contains a path, .exe\r\nis not appended. If the file name does not contain a directory path, the system searches for the executable file in\r\nthe following sequence:\r\n1. The directory from which the application loaded.\r\n2. The current directory for the parent process.\r\n3. The 32-bit Windows system directory. Use the GetSystemDirectoryA function to get the path of\r\nthis directory.\r\n4. The 16-bit Windows system directory. There is no function that obtains the path of this directory, but it is\r\nsearched. The name of this directory is System.\r\n5. The Windows directory. Use the GetWindowsDirectoryA function to get the path of this directory.\r\n6. The directories that are listed in the PATH environment variable. 
Note that this function does not search the\r\nper-application path specified by the App Paths registry key. To include this per-application path in the\r\nsearch sequence, use the ShellExecute function.\r\nThe system adds a terminating null character to the command-line string to separate the file name from the\r\narguments. This divides the original string into two strings for internal processing.\r\n[in, optional] lpProcessAttributes\r\nA pointer to a SECURITY_ATTRIBUTES structure that determines whether the returned handle to the new\r\nprocess object can be inherited by child processes. If lpProcessAttributes is NULL, the handle cannot be inherited.\r\nThe lpSecurityDescriptor member of the structure specifies a security descriptor for the new process. If\r\nlpProcessAttributes is NULL or lpSecurityDescriptor is NULL, the process gets a default security descriptor.\r\nThe ACLs in the default security descriptor for a process come from the primary token of the creator.\r\nWindows XP: The ACLs in the default security descriptor for a process come from the primary or impersonation\r\ntoken of the creator. This behavior changed with Windows XP with SP2 and Windows Server 2003.\r\n[in, optional] lpThreadAttributes\r\nA pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and\r\ndetermines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL, the thread gets\r\na default security descriptor and the handle cannot be inherited. The access control lists (ACL) in the default\r\nsecurity descriptor for a thread come from the primary token of the creator.\r\n[in] bInheritHandles\r\nIf this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process. If the\r\nparameter is FALSE, the handles are not inherited. 
Note that inherited handles have the same value and access\r\nrights as the original handles. For additional discussion of inheritable handles, see Remarks.\r\nTerminal Services: You cannot inherit handles across sessions. Additionally, if this parameter is TRUE, you must\r\ncreate the process in the same session as the caller.\r\nProtected Process Light (PPL) processes: The generic handle inheritance is blocked when a PPL process creates\r\na non-PPL process since PROCESS_DUP_HANDLE is not allowed from a non-PPL process to a PPL process.\r\nSee Process Security and Access Rights\r\nWindows 7: STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, and STD_ERROR_HANDLE are inherited,\r\neven when the parameter is FALSE.\r\n[in] dwCreationFlags\r\nThe flags that control the priority class and the creation of the process. For a list of values, see Process Creation\r\nFlags.\r\nThis parameter also controls the new process's priority class, which is used to determine the scheduling priorities\r\nof the process's threads. For a list of values, see GetPriorityClass. If none of the priority class flags is specified,\r\nthe priority class defaults to NORMAL_PRIORITY_CLASS unless the priority class of the creating process is\r\nIDLE_PRIORITY_CLASS or BELOW_NORMAL_PRIORITY_CLASS. In this case, the child process\r\nreceives the default priority class of the calling process.\r\nIf the dwCreationFlags parameter has a value of 0:\r\nThe process inherits both the error mode of the caller and the parent's console.\r\nThe environment block for the new process is assumed to contain ANSI characters (see lpEnvironment\r\nparameter for additional information).\r\nA 16-bit Windows-based application runs in a shared Virtual DOS machine (VDM).\r\n[in, optional] lpEnvironment\r\nA pointer to the environment block for the new process. 
If this parameter is NULL, the new process uses the\r\nenvironment of the calling process.\r\nAn environment block consists of a null-terminated block of null-terminated strings. Each string is in the\r\nfollowing form:\r\nname=value\\0\r\nBecause the equal sign is used as a separator, it must not be used in the name of an environment variable.\r\nAn environment block can contain either Unicode or ANSI characters. If the environment block pointed to by\r\nlpEnvironment contains Unicode characters, be sure that dwCreationFlags includes\r\nCREATE_UNICODE_ENVIRONMENT.\r\nThe ANSI version of this function, CreateProcessA, fails if the total size of the environment block for the process\r\nexceeds 32,767 characters.\r\nNote that an ANSI environment block is terminated by two zero bytes: one for the last string, one more to\r\nterminate the block. A Unicode environment block is terminated by four zero bytes: two for the last string, two\r\nmore to terminate the block.\r\n[in, optional] lpCurrentDirectory\r\nThe full path to the current directory for the process. The string can also specify a UNC path.\r\nIf this parameter is NULL, the new process will have the same current drive and directory as the calling process.\r\n(This feature is provided primarily for shells that need to start an application and specify its initial drive and\r\nworking directory.)\r\n[in] lpStartupInfo\r\nA pointer to a STARTUPINFO or STARTUPINFOEX structure.\r\nTo set extended attributes, use a STARTUPINFOEX structure and specify\r\nEXTENDED_STARTUPINFO_PRESENT in the dwCreationFlags parameter.\r\nHandles in STARTUPINFO or STARTUPINFOEX must be closed with CloseHandle when they are no longer\r\nneeded.\r\nImportant\r\nThe caller is responsible for ensuring that the standard handle fields in STARTUPINFO contain valid handle\r\nvalues. 
These fields are copied unchanged to the child process without validation, even when the dwFlags\r\nmember specifies STARTF_USESTDHANDLES. Incorrect values can cause the child process to misbehave or\r\ncrash. Use the Application Verifier runtime verification tool to detect invalid handles.\r\n[out] lpProcessInformation\r\nA pointer to a PROCESS_INFORMATION structure that receives identification information about the new\r\nprocess.\r\nHandles in PROCESS_INFORMATION must be closed with CloseHandle when they are no longer needed.\r\nIf the function succeeds, the return value is nonzero.\r\nIf the function fails, the return value is zero. To get extended error information, call GetLastError.\r\nNote that the function returns before the process has finished initialization. If a required DLL cannot be located or\r\nfails to initialize, the process is terminated. To get the termination status of a process, call GetExitCodeProcess.\r\nThe process is assigned a process identifier. The identifier is valid until the process terminates. It can be used to\r\nidentify the process, or specified in the OpenProcess function to open a handle to the process. The initial thread in\r\nthe process is also assigned a thread identifier. It can be specified in the OpenThread function to open a handle to\r\nthe thread. The identifier is valid until the thread terminates and can be used to uniquely identify the thread within\r\nthe system. These identifiers are returned in the PROCESS_INFORMATION structure.\r\nThe name of the executable in the command line that the operating system provides to a process is not necessarily\r\nidentical to that in the command line that the calling process gives to the CreateProcess function. 
The operating\r\nsystem may prepend a fully qualified path to an executable name that is provided without a fully qualified path.\r\nThe calling thread can use the WaitForInputIdle function to wait until the new process has finished its\r\ninitialization and is waiting for user input with no input pending. This can be useful for synchronization between\r\nparent and child processes, because CreateProcess returns without waiting for the new process to finish its\r\ninitialization. For example, the creating process would use WaitForInputIdle before trying to find a window\r\nassociated with the new process.\r\nThe preferred way to shut down a process is by using the ExitProcess function, because this function sends\r\nnotification of approaching termination to all DLLs attached to the process. Other means of shutting down a\r\nprocess do not notify the attached DLLs. Note that when a thread calls ExitProcess, other threads of the process\r\nare terminated without an opportunity to execute any additional code (including the thread termination code of\r\nattached DLLs). For more information, see Terminating a Process.\r\nA parent process can directly alter the environment variables of a child process during process creation. This is the\r\nonly situation when a process can directly change the environment settings of another process. For more\r\ninformation, see Changing Environment Variables.\r\nIf an application provides an environment block, the current directory information of the system drives is not\r\nautomatically propagated to the new process. For example, there is an environment variable named =C: whose\r\nvalue is the current directory on drive C. An application must manually pass the current directory information to\r\nthe new process. 
To do so, the application must explicitly create these environment variable strings, sort them\r\nalphabetically (because the system uses a sorted environment), and put them into the environment block.\r\nTypically, they will go at the front of the environment block, due to the environment block sort order.\r\nOne way to obtain the current directory information for a drive X is to make the following call:\r\nGetFullPathName(\"X:\", ...) . That avoids an application having to scan the environment block. If the full path\r\nreturned is X:, there is no need to pass that value on as environment data, since the root directory is the default\r\ncurrent directory for drive X of a new process.\r\nWhen a process is created with CREATE_NEW_PROCESS_GROUP specified, an implicit call to\r\nSetConsoleCtrlHandler(NULL,TRUE) is made on behalf of the new process; this means that the new process has\r\nCTRL+C disabled. This lets shells handle CTRL+C themselves, and selectively pass that signal on to sub-processes. CTRL+BREAK is not disabled, and may be used to interrupt the process/process group.\r\nBy default, passing TRUE as the value of the bInheritHandles parameter causes all inheritable handles to be\r\ninherited by the new process. This can be problematic for applications which create processes from multiple\r\nthreads simultaneously yet desire each process to inherit different handles.\r\nApplications can use the UpdateProcThreadAttributeList function with the\r\nPROC_THREAD_ATTRIBUTE_HANDLE_LIST parameter to provide a list of handles to be inherited by a\r\nparticular process.\r\nThe first parameter, lpApplicationName, can be NULL, in which case the executable name must be in the white\r\nspace–delimited string pointed to by lpCommandLine. If the executable or path name has a space in it, there is a\r\nrisk that a different executable could be run because of the way the function parses spaces. 
The following example\r\nis dangerous because the function will attempt to run \"Program.exe\", if it exists, instead of \"MyApp.exe\".\r\n LPTSTR szCmdline = _tcsdup(TEXT(\"C:\\\\Program Files\\\\MyApp -L -S\"));\r\n CreateProcess(NULL, szCmdline, /* ... */);\r\nIf a malicious user were to create an application called \"Program.exe\" on a system, any program that incorrectly\r\ncalls CreateProcess using the Program Files directory will run this application instead of the intended application.\r\nTo avoid this problem, do not pass NULL for lpApplicationName. If you do pass NULL for lpApplicationName,\r\nuse quotation marks around the executable path in lpCommandLine, as shown in the example below.\r\n LPTSTR szCmdline = _tcsdup(TEXT(\"\\\"C:\\\\Program Files\\\\MyApp\\\" -L -S\"));\r\n CreateProcess(NULL, szCmdline, /*...*/);\r\nFor an example, see Creating Processes.\r\nNote\r\nThe processthreadsapi.h header defines CreateProcess as an alias that automatically selects the ANSI or Unicode\r\nversion of this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the\r\nencoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or\r\nruntime errors. 
For more information, see Conventions for Function Prototypes.\r\nRequirement: Value\r\nMinimum supported client: Windows XP [desktop apps | UWP apps]\r\nMinimum supported server: Windows Server 2003 [desktop apps | UWP apps]\r\nTarget Platform: Windows\r\nHeader: processthreadsapi.h (include Windows.h on Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2)\r\nLibrary: Kernel32.lib\r\nDLL: Kernel32.dll\r\nCloseHandle\r\nShellExecuteA\r\nCreateProcessAsUser\r\nCreateProcessWithLogonW\r\nExitProcess\r\nGetCommandLine\r\nGetEnvironmentStrings\r\nGetExitCodeProcess\r\nGetFullPathName\r\nGetStartupInfo\r\nOpenProcess\r\nPROCESS_INFORMATION\r\nProcess and Thread Functions\r\nProcesses\r\nSECURITY_ATTRIBUTES\r\nSTARTUPINFO\r\nSTARTUPINFOEX\r\nSetErrorMode\r\nTerminateProcess\r\nWaitForInputIdle\r\nSource: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
	],
	"report_names": [
		"nf-processthreadsapi-createprocessa"
	],
	"threat_actors": [],
	"ts_created_at": 1775446672,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e80e3664e2702f1bedae9035a9a68c717ef114b2.pdf",
		"text": "https://archive.orkl.eu/e80e3664e2702f1bedae9035a9a68c717ef114b2.txt",
		"img": "https://archive.orkl.eu/e80e3664e2702f1bedae9035a9a68c717ef114b2.jpg"
	}
}