Muokkaa

Jaa


PsSetLoadImageNotifyRoutineEx function (ntddk.h)

The PsSetLoadImageNotifyRoutineEx routine registers a driver-supplied callback that is subsequently notified whenever an image (for example, a DLL or EXE) is loaded (or mapped into memory).

Syntax

NTSTATUS PsSetLoadImageNotifyRoutineEx(
  [in] PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine,
  [in] ULONG_PTR                  Flags
);

Parameters

[in] NotifyRoutine

A pointer to the caller-implemented PLOAD_IMAGE_NOTIFY_ROUTINE callback routine for load-image notifications.

[in] Flags

Supplies a bitmask of flags that control the callback function. Here are the possible values:

  • PS_IMAGE_NOTIFY_CONFLICTING_ARCHITECTURE indicates that the callback routine should be invoked for all potentially executable images, including images that have a different architecture from the native architecture of the operating system.

Return value

Return code Description
STATUS_SUCCESS
The callback was successfully registered.
STATUS_INVALID_PARAMETER_2
Invalid flag was supplied in Flags.
STATUS_INSUFFICIENT_RESOURCES
The routine failed allocate a callback block due to lack of resources.

Remarks

Highest-level system-profiling drivers can call PsSetLoadImageNotifyRoutineEx to set up their load-image notify routines (see PLOAD_IMAGE_NOTIFY_ROUTINE).

The maximum number of drivers that can be simultaneously registered to receive load-image notifications is 64. If the maximum number of load-image notify routines is already registered when a driver calls PsSetLoadImageNotifyRoutineEx to try to register an additional notify routine, PsSetLoadImageNotifyRoutineEx fails and returns STATUS_INSUFFICIENT_RESOURCES.

A driver must remove any callbacks it registers before it unloads. You can remove the callback by calling the PsRemoveLoadImageNotifyRoutine routine.

Requirements

Requirement Value
Minimum supported client Windows 10, version 1709
Minimum supported server Windows Server 2016
Target Platform Windows
Header ntddk.h
Library NtosKrnl.lib
DLL NtosKrnl.exe (kernel mode)
IRQL PASSIVE_LEVEL