[Carlbyte]

I'm thinking about how to monitor drivers being loaded and Windows services being loaded, I will use something like pssetloadimagenotifyroutine. Came the question. What is the difference between an process and a Windows service? If I understand a service is a process where the parent is services.exe, it would be an incorrect statement?

To monitor drivers and services, pssetLoadImagenotify routine is the best option?

[Vrtule]

What is the difference between an process and a Windows service? If I understand a service is a process where the parent is services.exe, it would be an incorrect statement?

Multiple services may share one process (they are then loaded as a kind of DLLs).

Your approach, however, should work quite well if you want to detect service start. It does not tell you about service stop/create/delete etc. You should combine it with other approaches (e.g. to determine whether a loaded image is a service binary or just a DLL).

[Carlbyte]

Multiple services may share one process (they are then loaded as a kind of DLLs).

Dlls which are modules of the process whose parent is services.exe. right? I am trying to register "FsRtlRegisterFileSystemFilterCallbacks" instead of pssetloadimagenotifyroutine, but the callback does not starting. This callback requires something more than call the functions that initiate the callback?

...
RtlZeroMemory( &FilterCallbacks, sizeof(FS_FILTER_CALLBACKS) );

FilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
FilterCallbacks.PreAcquireForSectionSynchronization = CdFilterCallbackAcquireForCreateSection;

Status = FsRtlRegisterFileSystemFilterCallbacks( DriverObject, &FilterCallbacks );

[Vrtule]

Yes, you need to attach above a filesystem instance you wish to monitor. I am not sure whether this approach will prove to be better than the PsLoadImageNotify callback.

[Carlbyte]

you need to attach above a filesystem instance...

What is the simplest way to do? I tried searching on the Internet, but it was unclear ...

The idea "test", is to block the file to prevent the service work!

[Microwave89]

Regarding Services: See Windows Internals 6, Part 1, "Services".
Not all services must have a DLL, only those with "shared" type.
Own services are just of an exe with a special main, "SvcMain" iirc.

Kind regards,

Microwave89

[kerpow1]

You could also parse the USN and Event Log.