microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License

Hook WIN11: NtCreateUserProcess hook not enter! #219

Closed wzwangyike closed 2 years ago

wzwangyike commented 2 years ago

Describe the bug: I hooked NtCreateUserProcess in explorer.exe on Win11. When I double-click a file to open it (like Notepad), it does not enter this API hook.
I used procmon to look at the stack. It calls ZwCreateUserProcess, the same as on earlier Windows systems.
But when I use my explorer add-in to create a process, it does enter the hooked API. It looks like the hook is OK, but some threads cannot be hooked?

bgianfo commented 2 years ago

Did you figure it out? 😄

wzwangyike commented 2 years ago

> Did you figure it out? 😄

Mm.. it's an RPC call; the process is not created in explorer, but the parent is set to explorer.