PS_CP_EXECUTE_OPTIONS | PROC_THREAD_MITIGATION_POLICY | Input | Contains information on which mitigations (SEHOP, ATL Emulation, NX) should be enabled/disabled for the process.
Once these steps are completed, CreateProcess performs the initial call to NtCreateUserProcess to attempt creation of the process. Because Kernel32.dll has no idea at this point whether the application image name is a real Windows application or a POSIX, 16-bit, or DOS application, the call might fail—at which point, CreateProcess looks at the error reason and attempts to correct the situation.
Stage 2: Opening the Image to Be Executed
As illustrated in Figure 5-7, the first stage in NtCreateUserProcess is to find the appropriate Windows image that will run the executable file specified by the caller and to create a section object to later map it into the address space of the new process. If the call failed for any reason, it returns to CreateProcess with a failure state (see Table 5-2) that causes CreateProcess to attempt execution again.
If the executable file specified is a Windows .exe, NtCreateUserProcess tries to open the file and create a section object for it. The object isn’t mapped into memory yet, but it is opened. Just because a section object has been successfully created doesn’t mean that the file is a valid Windows image, however; it could be a DLL or a POSIX executable. If the file is a POSIX executable, the image to be run changes to Posix.exe, and CreateProcess restarts from the beginning of Stage 1. If the file is a DLL, CreateProcess fails.
Now that NtCreateUserProcess has found a valid Windows executable image, as part of the process creation code described in Stage 3 it looks in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to see whether a subkey with the file name and extension of the executable image (but without the directory and path information—for example, Image.exe) exists there. If it does, PspAllocateProcess looks for a value named Debugger for that key. If this value is present, the image to be run becomes the string in that value and CreateProcess restarts at Stage 1.
Tip
You can take advantage of this process creation behavior and debug the startup code of Windows services processes before they start rather than attach the debugger after starting a service, which doesn’t allow you to debug the startup code.
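Because any Debugger value under Image File Execution Options silently redirects process creation to another image, administrators usually want an inventory of such entries. The following PowerShell is an added example, not code from the book: it lists every IFEO subkey that carries a Debugger value and checks whether the substituted image can be resolved (the WOW6432Node path is the 32-bit view of the same key on 64-bit Windows and is not mentioned in the text above).

```powershell
# Added example (not from the book): enumerate Image File Execution Options
# subkeys whose Debugger value makes CreateProcess run a different image
# and restart at Stage 1.
function Get-IfeoDebuggerEntry {
    [CmdletBinding()]
    param(
        # Native IFEO key from the text, plus the WOW6432Node view consulted for 32-bit images on 64-bit Windows.
        [string[]]$Path = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        )
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
            # The Debugger string is a command line; its first token is the image that will actually run.
            $image = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }
            [pscustomobject]@{
                Target        = $sub.PSChildName   # file name plus extension only, e.g. Image.exe, as the text states
                Debugger      = $dbg
                DebuggerImage = $image
                # Resolved through PATH like CreateProcess would; an unresolvable image means the launch fails.
                ImageResolved = [bool](Get-Command -Name $image -ErrorAction SilentlyContinue)
                KeyRoot       = $root
            }
        }
    }
}

Get-IfeoDebuggerEntry | Sort-Object Target | Format-Table -AutoSize
```

Entries whose Target is a service executable are the ones the tip above refers to; entries you did not configure deserve a closer look, since the redirection happens before the original image is ever mapped.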
On the other hand, if the image is not a Windows .exe (for example, if it’s an MS-DOS, a Win16, or a POSIX application), CreateProcess goes through a series of steps to find a Windows support image to run it. This process is necessary because non-Windows applications aren’t run directly—Windows instead uses one of a few special support images that, in turn, are responsible for actually running the non-Windows program. For example, if you attempt to run a POSIX application, CreateProcess identifies it as such and changes the image to be run to the Windows executable file Posix.exe. If you attempt to run an MS-DOS or a Win16 executable, the image to be run becomes the Windows executable Ntvdm.exe. In short, you can’t directly create a process that is not a Windows process. If Windows can’t find a way to resolve the activated image as a Windows process (as shown in Table 5-2), CreateProcess fails.
Figure 5-7. Choosing a Windows image to activate
Table 5-2. Decision Tree for Stage 1 of CreateProcess

| If the Image . . . | Create State Code | This Image Will Run . . . | . . . and This Will Happen |
| --- | --- | --- | --- |
| Is a POSIX executable file | PsCreateSuccess | Posix.exe | CreateProcess restarts Stage 1. |
| Is an MS-DOS application with an .exe, .com, or .pif extension | PsCreateFailOnSectionCreate | Ntvdm.exe | CreateProcess restarts Stage 1. |
| Is a Win16 application | PsCreateFailOnSectionCreate | Ntvdm.exe | CreateProcess restarts Stage 1. |
| Is a Win64 application on a 32-bit system (or a PPC, MIPS, or Alpha binary) | PsCreateFailMachineMismatch | N/A | CreateProcess will fail. |
| Has a Debugger key with another image name | PsCreateFailExeName | Name specified in the Debugger key | CreateProcess restarts Stage 1. |
| Is an invalid or damaged Windows EXE | PsCreateFailExeFormat | N/A | CreateProcess will fail. |
| Cannot be opened | PsCreateFailOnFileOpen | N/A | CreateProcess will fail. |
| Is a command procedure (application with a .bat or .cmd extension) | PsCreateFailOnSectionCreate | Cmd.exe | |