There are several ways to do this. If you only need to track the creation of a process coming from a specific program (or several programs), the EasyHook / Detours method described here will work very well, but you really need to set the hook to CreateProcess in each program, so this is not a great solution if you want to track all the processes in the system.
To do this, there is a specific API for NT versions of Windows (NT / 2000 / XP / Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, this function can only be called from ring0, so it needs to be done in the driver. This CodeProject article has a convenient explanation (and code): http://www.codeproject.com/KB/threads/procmon.aspx.
AFAIK, this is just a notification and in itself does not allow you to tell the system whether the process should be created or not. However, if you need to do this, you can pause the process (for example, by binding it to the debugger), while your code decides whether to kill it or not.
Darthpingu
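A minimal sketch of the driver-side registration the answer above describes, added here as an example; it is not code from the answer or from the linked CodeProject article. The `#else` branch holds constructed stand-ins (including `g_stub`) so the logic also compiles outside the WDK, and the counter names `g_created` and `g_exited` are assumptions.

```c
#ifdef _KERNEL_MODE                 /* set by MSVC's /kernel option in driver builds */
#include <ntddk.h>
#else                               /* constructed stand-ins, not the real kernel API */
#include <stdio.h>
#include <stddef.h>
typedef void *HANDLE, *PUNICODE_STRING;
typedef unsigned char BOOLEAN;
typedef long NTSTATUS, LONG;
typedef void (*PCREATE_PROCESS_NOTIFY_ROUTINE)(HANDLE, HANDLE, BOOLEAN);
typedef struct _DRIVER_OBJECT { void (*DriverUnload)(struct _DRIVER_OBJECT *); }
    DRIVER_OBJECT, *PDRIVER_OBJECT;
#define TRUE 1
#define FALSE 0
#define STATUS_SUCCESS 0L
#define DbgPrint printf
#define InterlockedIncrement(p) (++*(p))
static PCREATE_PROCESS_NOTIFY_ROUTINE g_stub;   /* routine the fake kernel holds */
static NTSTATUS PsSetCreateProcessNotifyRoutine(PCREATE_PROCESS_NOTIFY_ROUTINE r,
                                                BOOLEAN Remove)
{ g_stub = Remove ? NULL : r; return STATUS_SUCCESS; }
#endif

static volatile LONG g_created, g_exited;       /* running totals (assumed names) */

/* Called by the kernel on every process start (Create=TRUE) and exit (FALSE).
 * It returns void: this is notification only, with no way to veto the creation. */
static void ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    if (Create) {
        InterlockedIncrement(&g_created);
        DbgPrint("create pid=%p parent=%p\n", ProcessId, ParentId);
    } else {
        InterlockedIncrement(&g_exited);
        DbgPrint("exit   pid=%p\n", ProcessId);
    }
}

static void DriverUnload(PDRIVER_OBJECT drv)
{
    (void)drv;
    /* Unregister before the image is unloaded, or the kernel calls freed code. */
    PsSetCreateProcessNotifyRoutine(ProcessNotify, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING regPath)
{
    (void)regPath;
    drv->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE);  /* FALSE = add */
}
```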