PsSetCreateProcessNotifyRoutine or equivalent

Jun 16, 2014 at 4:01 PM
Could someone help me hook PsSetCreateProcessNotifyRoutine? I want to basically monitor process creation in C# without polling WMI by either using this method "PsSetCreateProcessNotifyRoutine" or an equivalent that would work better.
Jun 16, 2014 at 5:13 PM
Edited Jun 16, 2014 at 5:13 PM
So something like this but in C#:
#include <ntddk.h>

// Invoked by the kernel for every process creation and exit.
// bCreate is TRUE on creation and FALSE on termination.
void ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate)
{
    UNREFERENCED_PARAMETER(hParentId);

    if (bCreate)
    {
        DbgPrint("Process %u created \n", HandleToULong(hProcessId));
    }
    else
    {
        DbgPrint("Process %u terminated \n", HandleToULong(hProcessId));
    }
}

// Remove the callback before the image is unloaded; otherwise the kernel would
// call into freed memory on the next process event.
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);   /* TRUE = remove */
    DbgPrint("Driver unloading\n");
}

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("Driver loaded... \n");

    NTSTATUS status = PsSetCreateProcessNotifyRoutine(&ProcessCallback, FALSE); /* FALSE = register */
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
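The driver above cannot be called from C#, since PsSetCreateProcessNotifyRoutine is kernel-mode only. The closest user-mode equivalent that is event-driven rather than a polling loop is the pair of WMI trace events Win32_ProcessStartTrace and Win32_ProcessStopTrace, which the kernel pushes to subscribers as each process starts or exits. The following is an added example, not code from either post in this thread; it assumes a reference to System.Management.dll and that the program runs elevated, since these trace classes are only delivered to administrators.

```csharp
using System;
using System.Management;

// Added example, not part of the original thread: event-driven process
// start/stop notifications from user-mode C# via WMI trace events.
// Assumptions: System.Management.dll is referenced and the process is elevated.
class ProcessMonitor
{
    static void Main()
    {
        // Win32_ProcessStartTrace / Win32_ProcessStopTrace are extrinsic events,
        // pushed by the provider as they happen. This is different from
        // "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance
        // ISA 'Win32_Process'", which makes WMI poll Win32_Process every second.
        using (var startWatcher = new ManagementEventWatcher(
                   new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace")))
        using (var stopWatcher = new ManagementEventWatcher(
                   new WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace")))
        {
            // Mirrors the bCreate == TRUE branch of the kernel callback.
            startWatcher.EventArrived += (sender, e) =>
            {
                uint pid = (uint)e.NewEvent["ProcessID"];
                uint ppid = (uint)e.NewEvent["ParentProcessID"];
                string name = (string)e.NewEvent["ProcessName"];
                Console.WriteLine("Process {0} ({1}) created by parent {2}", pid, name, ppid);
            };

            // Mirrors the bCreate == FALSE branch.
            stopWatcher.EventArrived += (sender, e) =>
            {
                uint pid = (uint)e.NewEvent["ProcessID"];
                string name = (string)e.NewEvent["ProcessName"];
                uint exitStatus = (uint)e.NewEvent["ExitStatus"];
                Console.WriteLine("Process {0} ({1}) terminated, exit status {2}", pid, name, exitStatus);
            };

            // Start() subscribes asynchronously; events arrive on a thread-pool thread.
            startWatcher.Start();
            stopWatcher.Start();

            Console.WriteLine("Monitoring process creation and exit. Press Enter to stop.");
            Console.ReadLine();

            // Stop() cancels the subscription before the watchers are disposed.
            startWatcher.Stop();
            stopWatcher.Stop();
        }
    }
}
```

Two caveats when using this in place of the kernel callback: the WMI event is delivered after the process has already started, so it can observe but never block creation, and the ProcessID in the event can be reused by a later process, so anything that correlates start and stop events should key on the pair of ProcessID and ProcessName (or open the process and use its creation time) rather than on the PID alone.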