views:

82

answers:

3

Hi

I want to get a notification each time a new process is started by the operating system.
Note that I need to do that in native code (I know it can be done in managed code using System.Management members).
Extra points if there is a way to get it before the process starts running :) (i.e. during its initialization).

Thanks.

A: 

You cannot control process creation or register a callback from user space. Maybe this article can help: "Hooking the native API and controlling process creation on a system-wide basis".

To just register a callback, you can use PsSetCreateProcessNotifyRoutine, available in the MS DDK. Its usage, with an example, can be found at www.codeproject.com/KB/threads/procmon.aspx

pavan
+1  A: 

The problem with using a driver is that you will require permission to install it, but otherwise I think it is the safest method.

In user space you can try to create a window hook, which will work if such an application uses a window, but is otherwise quite obnoxious.

On the other hand you can try to use WMI, which is the underlying technology used in C#. You can look for pointers in this answer and this example.

Ismael
Thanks @Ismael, the link to WMI is what I needed.
Ohad Horesh
A: 

A real-time ETW trace will give you this information with low system overhead. Note that this will not let you hook process creation (i.e. it will only be a notification; you cannot control whether or not the process actually gets started).

Paul Betts
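As an added example (not code from any of the posters), the WMI process-start subscription Ismael points to, shown in PowerShell; a native COM consumer passes the same WQL string to IWbemServices::ExecNotificationQueryAsync. It assumes Windows PowerShell 3+ or PowerShell 7 on Windows, run elevated, and illustrates Paul Betts' caveat: the event arrives after the process exists, so the subscriber can observe but not veto creation.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session:
# the Win32_ProcessStartTrace event class requires administrator rights.

# Extrinsic event fed by the kernel's process-creation notification; one
# event per new process. Notification only: by the time it arrives the
# process already exists, so a subscriber cannot block its creation.
$Query = "SELECT * FROM Win32_ProcessStartTrace"

# Alternative that works without elevation: an intrinsic event that polls
# Win32_Process every 2 seconds. A process that starts and exits inside the
# polling window is never reported, which is why the trace class is preferred.
# $Query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
#          "WHERE TargetInstance ISA 'Win32_Process'"

$Sub = Register-CimIndicationEvent -Namespace "root/cimv2" -Query $Query `
    -SourceIdentifier "ProcStart" -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # Parent/child pid pair plus image name: the minimum a detection
        # pipeline keys on (e.g. an office application spawning a shell).
        "{0:u}  pid={1,-6} ppid={2,-6} {3}" -f (Get-Date), `
            $e.ProcessID, $e.ParentProcessID, $e.ProcessName | Out-Host
    }

try {
    "Subscribed (id $($Sub.Id)); press Ctrl+C to stop." | Out-Host
    # Events are delivered to the -Action block; the loop only keeps the
    # session alive while they arrive.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Always tear the subscription down, otherwise it outlives this script.
    Unregister-Event -SourceIdentifier "ProcStart" -ErrorAction SilentlyContinue
}
```

Win32_ProcessStopTrace is the matching class for exits, and a WHERE clause in the WQL string filters server-side (for example on ProcessName) so only the events of interest cross the WMI boundary.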