I believe what you are looking for is a trigger that fires whenever a process is started... you need to run it in the NT kernel - the easiest method to do so is to write a device driver for this.