A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31012  by InUrFace
 Tue Nov 21, 2017 1:12 pm
I am developing a driver which notifies an application about processes being started and images being loaded. I encountered the following strange error on Win7, SP1:
When Windows calls my LoadImageNotifyRoutine (registered with PsSetLoadImageNotifyRoutine), it passes an invalid ProcessId. The ProcessId passed represents the parent process instead of the actual process in the case of an *.exe file being mapped. ProcessId is correct for all *.dll files mapped. Has any of you encountered this bug before?
I already checked PsGetCurrentProcessId and it represents the same parent process in case of an *.exe being mapped. It seems on Win10 this issue is fixed.
Got any clues or solutions?
 #31014  by Vrtule
 Wed Nov 22, 2017 1:20 pm
Hello,

it seems that the EXE mapping is actually done by the parent process, hence the notification is called in the context of the thread that created the process. Possibly, the ProcessId argument is derived from the current thread context (I do not know, since I did not reverse the routine).

You can possibly solve the problem by using PsSetCreateProcessNotifyRoutineEx to be informed when a new process is created. Besides the process image file name and the command line, you also get a file object for its image file (which may be used to retrieve the file name in the native format).

Vrtule
 #31015  by Brock
 Wed Nov 22, 2017 1:28 pm
If you're attempting to use Load Image notify routines as a source for tracking newly created processes, you're better off using PsSetCreateProcessNotifyRoutine, since it was designed solely for this purpose.

About the issue you're experiencing with PsSetLoadImageNotifyRoutine: any section created and mapped with SEC_IMAGE and PAGE_EXECUTE_XxX will trigger any Load Image callback routines that are installed. It doesn't have to be a process creation but can also be a normal file I/O operation, which is the reason why Load Image routines aren't ideal for process tracking.

As a test you can open Task Manager in Win7 SP1, go to the Processes tab, then create a process like Calculator from Explorer. You should see Task Manager mapping a section to the newly created process, and the process ID will be its (TaskMan's) process ID despite the fact that it's not the parent at all and has nothing to do with Calculator's process spawn. If a process spawns a child process then it's normal to see the parent ID in the process ID field, since again the mapping of the section is taking place in the parent's context at the time of the CreateProcess call invocation.
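An added example (mine, not code from this thread) putting the advice in the two replies above into practice: process records are created only from PsSetCreateProcessNotifyRoutineEx data, and the load-image callback is used only to attribute DLLs, never to infer a process start. The tracking logic is plain C so it can be built and tested on a host; the registration code under _KERNEL_MODE is the WDK part and assumes an ordinary driver project linked with /INTEGRITYCHECK. The fixed table size, the unsigned long pid type, the absence of locking and the ".exe" suffix check are simplifications I chose for the example, not anything the posters described.

```c
/* Added example, not code from the thread: process records come only from the
 * create-process callback; load-image notifications only attribute DLLs. The policy
 * is plain C (host-testable); WDK registration is under _KERNEL_MODE. Assumed
 * simplifications: fixed table, no locking, wchar_t paths, pids as unsigned long. */
#include <stddef.h>
#define MAX_TRACKED    64
#define MAX_PATH_CHARS 260

/* SYSTEM_MODE: ImageInfo->SystemModeImage set (a driver).  EXE_MAPPING: a SEC_IMAGE map
 * of an .exe, where ProcessId is only the mapper's context.  DLL_TRACKED/UNTRACKED: DLL
 * in a process the create-process callback did / did not report. */
typedef enum { IMG_SYSTEM_MODE, IMG_EXE_MAPPING, IMG_DLL_TRACKED, IMG_DLL_UNTRACKED } IMAGE_EVENT_KIND;

typedef struct {
    unsigned long pid, parentPid, creatorPid; /* ParentProcessId vs CreatingThreadId.UniqueProcess */
    int alive; wchar_t image[MAX_PATH_CHARS];
} TRACKED_PROCESS;

static TRACKED_PROCESS g_table[MAX_TRACKED]; /* a real driver guards this with a lock */

TRACKED_PROCESS *FindProcess(unsigned long pid)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].alive && g_table[i].pid == pid) return &g_table[i];
    return NULL;
}

/* Mirrors PCREATE_PROCESS_NOTIFY_ROUTINE_EX; isCreate == 0 is the exit notification
 * (CreateInfo == NULL in the real callback). Returns 1 if the table changed. */
int TrackProcessCreate(unsigned long pid, unsigned long parentPid, unsigned long creatorPid,
                       const wchar_t *image, size_t imageChars, int isCreate)
{
    TRACKED_PROCESS *rec = FindProcess(pid);
    size_t i, n;
    if (!isCreate) { if (rec) rec->alive = 0; return rec != NULL; }
    if (rec == NULL) {
        for (i = 0; i < MAX_TRACKED && g_table[i].alive; i++) ;
        if (i == MAX_TRACKED) return 0; /* table full; a real driver would grow it */
        rec = &g_table[i];
    }
    rec->pid = pid; rec->parentPid = parentPid; rec->creatorPid = creatorPid; rec->alive = 1;
    n = imageChars < MAX_PATH_CHARS - 1 ? imageChars : MAX_PATH_CHARS - 1;
    for (i = 0; i < n && image != NULL; i++) rec->image[i] = image[i];
    rec->image[i] = 0;
    return 1;
}

static int EndsWithExe(const wchar_t *name, size_t chars)
{
    const wchar_t *suffix = L".exe";
    if (name == NULL || chars < 4) return 0;
    for (size_t i = 0; i < 4; i++) {
        wchar_t c = name[chars - 4 + i];
        if (c >= L'A' && c <= L'Z') c = (wchar_t)(c - L'A' + L'a');
        if (c != suffix[i]) return 0;
    }
    return 1;
}

/* Mirrors PLOAD_IMAGE_NOTIFY_ROUTINE. Never create a process record here: on Win7 the
 * ProcessId for an .exe mapped during CreateProcess is the creator's, and any SEC_IMAGE
 * mapping (Task Manager mapping calc.exe, as in the thread) fires this callback too. */
IMAGE_EVENT_KIND ClassifyImageLoad(const wchar_t *fullImageName, size_t chars,
                                   unsigned long notifyPid, int systemModeImage)
{
    if (systemModeImage) return IMG_SYSTEM_MODE;
    if (EndsWithExe(fullImageName, chars)) return IMG_EXE_MAPPING;
    return FindProcess(notifyPid) ? IMG_DLL_TRACKED : IMG_DLL_UNTRACKED;
}

#ifdef _KERNEL_MODE
#include <ntddk.h>
#define PIDOF(h) ((unsigned long)(ULONG_PTR)(h))
static VOID ProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO Info)
{
    UNREFERENCED_PARAMETER(Process);
    if (Info == NULL) { TrackProcessCreate(PIDOF(ProcessId), 0, 0, NULL, 0, 0); return; }
    TrackProcessCreate(PIDOF(ProcessId), PIDOF(Info->ParentProcessId), PIDOF(Info->CreatingThreadId.UniqueProcess),
                       Info->ImageFileName ? Info->ImageFileName->Buffer : NULL,
                       Info->ImageFileName ? Info->ImageFileName->Length / sizeof(WCHAR) : 0, 1);
}
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    (void)ClassifyImageLoad(FullImageName ? FullImageName->Buffer : NULL, /* hand result to user mode */
        FullImageName ? FullImageName->Length / sizeof(WCHAR) : 0, PIDOF(ProcessId), ImageInfo->SystemModeImage);
}
static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, FALSE); /* link with /INTEGRITYCHECK */
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    if (NT_SUCCESS(status) && !NT_SUCCESS(status = PsSetLoadImageNotifyRoutine(LoadImageNotify)))
        PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);
    return status;
}
#endif
```

Brock's scenario maps onto this directly: Task Manager (say pid 100) mapping calc.exe yields IMG_EXE_MAPPING and creates no record; the real CreateProcess from Explorer yields a record carrying both ParentProcessId and the process owning the creating thread, which need not be the same; calc.exe's own DLL loads then resolve as IMG_DLL_TRACKED. The exit notification (CreateInfo == NULL) retires the record so a DLL load seen later under that pid is reported as untracked rather than attributed to a dead process.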