Windows Kernel Documentation

Overview

The Windows kernel provides a set of APIs and mechanisms to create and initialize a new process. Core functions include CreateProcess, NtCreateProcess, and the associated object manager structures.

Key Functions

• CreateProcessW – High‑level user‑mode API that creates a new process and its primary thread.
• NtCreateUserProcess – Internal kernel routine invoked by the system call layer.
• RtlCreateUserThread – Creates a thread within an existing process.
• PsCreateSystemProcess – Used by the kernel to spawn system processes.

Typical Workflow

1. Validate and prepare the RTL_USER_PROCESS_PARAMETERS structure.
2. Allocate a new EPROCESS object via NtCreateProcess.
3. Map the executable image and initialize the primary thread.
4. Set up the initial environment block and command line.
5. Transition the process to the Ready state and schedule the primary thread.

Sample Code (C++)

#include <windows.h>
int wmain(int argc, wchar_t* argv[])
{
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    if (!CreateProcessW(L"C:\\Windows\\System32\\notepad.exe",
                        NULL, NULL, NULL, FALSE,
                        0, NULL, NULL, &si, &pi))
    {
        wprintf(L"CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
Copy

Related Topics

• Process Termination
• Thread Creation and Management
• Memory Allocation
• Process Security