PsSetCreateThreadNotifyRoutine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted.
NTSTATUS
PsSetCreateThreadNotifyRoutine(
    IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
    );
Include: ntddk.h
PsSetCreateThreadNotifyRoutine returns STATUS_SUCCESS if the callback was registered, or STATUS_INSUFFICIENT_RESOURCES if the callback registration failed.
Highest-level drivers can call PsSetCreateThreadNotifyRoutine to set up their thread-creation notify routines, declared as follows:
VOID
(*PCREATE_THREAD_NOTIFY_ROUTINE) (
    IN HANDLE ProcessId,
    IN HANDLE ThreadId,
    IN BOOLEAN Create
    );
For example, an IFS or highest-level system-profiling driver might register such a thread-creation callback to track the system-wide creation and deletion of threads against the driver's internal state. The system registers up to eight such thread-creation callbacks. Any driver that successfully registers such a callback must remain loaded until the system itself is shut down.
After such a driver-supplied thread-creation routine is registered, it is called with Create set to TRUE whenever a new thread is created. The input ThreadId handle identifies the newly created thread. The input ProcessId handle identifies the process in which the given thread was just created. As each such thread is deleted, such a driver's thread-notify routine is called again with Create set to FALSE.
When it is called, the driver's thread-creation notify routine runs at IRQL PASSIVE_LEVEL either in the context of the newly created thread or in the context of the exiting thread.
Callers of PsSetCreateThreadNotifyRoutine must be running at IRQL PASSIVE_LEVEL.
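The bookkeeping described above, as an added example that is not part of the DDK documentation: a routine with the thread-notify signature that records live threads per process and handles a deletion arriving for a thread created before the callback was registered. The DDK types are stubbed so the logic runs in user mode; MAX_TRACKED, the table layout and the helper names are assumptions.

```c
/* Added example: user-mode model of a thread-notify routine's bookkeeping. */
#include <stddef.h>

/* Stand-ins for the DDK types (assumption: not building against ntddk.h). */
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
#define VOID void

#define MAX_TRACKED 64          /* hypothetical fixed table size */

typedef struct { HANDLE Pid; HANDLE Tid; int Used; } THREAD_SLOT;
static THREAD_SLOT g_Table[MAX_TRACKED];
static long g_Untracked;        /* deletions with no recorded creation */
static long g_Dropped;          /* creations lost because the table was full */

/* Same signature as PCREATE_THREAD_NOTIFY_ROUTINE. In a driver this body
   must hold a lock: it runs in the context of many different threads. */
VOID ThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    THREAD_SLOT *hit = NULL, *free_slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        THREAD_SLOT *s = &g_Table[i];
        if (s->Used && s->Pid == ProcessId && s->Tid == ThreadId) hit = s;
        else if (!s->Used && free_slot == NULL) free_slot = s;
    }
    if (!Create) {
        /* A thread that existed before registration exits without ever
           having produced a Create == TRUE call: count it, do not fail. */
        if (hit) hit->Used = 0; else g_Untracked++;
    } else if (hit == NULL) {
        if (free_slot) {
            free_slot->Pid = ProcessId;
            free_slot->Tid = ThreadId;
            free_slot->Used = 1;
        } else {
            g_Dropped++;        /* keep running; report the loss instead */
        }
    }
}

/* Number of threads currently recorded as alive in one process. */
long LiveThreads(HANDLE ProcessId)
{
    long n = 0;
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_Table[i].Used && g_Table[i].Pid == ProcessId) n++;
    return n;
}

long UntrackedDeletes(void) { return g_Untracked; }
long DroppedCreates(void)   { return g_Dropped; }
```

In a driver build the stubs are replaced by ntddk.h and ThreadNotify is the routine passed to PsSetCreateThreadNotifyRoutine.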
See also: PsGetCurrentProcessId, PsGetCurrentThreadId, PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine