Capturing processes

S

SLE

Hi there,

I am writing a service which monitors processes on the local machine.
Currently I have implemented a System.Management.ManagementEventWatcher
which raises events for processes being launched:

New WqlEventQuery("SELECT * FROM __InstanceCreationEvent WITHIN 0.1
WHERE TargetInstance ISA 'Win32_Process'")

So far so good but I need additional information (e.g. window title)
which I'm getting via the System.Diagnostics.Process:

p = Process.GetProcessById(pid)

....

windowTitle = p.MainWindowTitle


Problems occur when a lot of (concurrent) processes are launched in a
*short* period of time:

1) There is no WMI event for some processes (some events seem to be sunk)
2) When the WMI event comes in, the process might already been
terminated so the subsequent GetProcessById() fails.

Question:

Can I avoid WMI for having an event-driven model? Is there a *fast*,
event-driven way to detect processes being started/stopped?
 
K

Ken Tucker [MVP]

Hi,

Windows hooks
http://msdn.microsoft.com/msdnmag/issues/02/10/CuttingEdge/


Ken
--------------------------
Hi there,

I am writing a service which monitors processes on the local machine.
Currently I have implemented a System.Management.ManagementEventWatcher
which raises events for processes being launched:

New WqlEventQuery("SELECT * FROM __InstanceCreationEvent WITHIN 0.1
WHERE TargetInstance ISA 'Win32_Process'")

So far so good but I need additional information (e.g. window title)
which I'm getting via the System.Diagnostics.Process:

p = Process.GetProcessById(pid)

....

windowTitle = p.MainWindowTitle


Problems occur when a lot of (concurrent) processes are launched in a
*short* period of time:

1) There is no WMI event for some processes (some events seem to be sunk)
2) When the WMI event comes in, the process might already been
terminated so the subsequent GetProcessById() fails.

Question:

Can I avoid WMI for having an event-driven model? Is there a *fast*,
event-driven way to detect processes being started/stopped?
 
S

SLE

Ken said:
Hi,

Windows hooks
http://msdn.microsoft.com/msdnmag/issues/02/10/CuttingEdge/


Ken
--------------------------
Hi there,

I am writing a service which monitors processes on the local machine.
Currently I have implemented a System.Management.ManagementEventWatcher
which raises events for processes being launched:

New WqlEventQuery("SELECT * FROM __InstanceCreationEvent WITHIN 0.1
WHERE TargetInstance ISA 'Win32_Process'")

So far so good but I need additional information (e.g. window title)
which I'm getting via the System.Diagnostics.Process:

p = Process.GetProcessById(pid)

...

windowTitle = p.MainWindowTitle


Problems occur when a lot of (concurrent) processes are launched in a
*short* period of time:

1) There is no WMI event for some processes (some events seem to be sunk)
2) When the WMI event comes in, the process might already been
terminated so the subsequent GetProcessById() fails.

Question:

Can I avoid WMI for having an event-driven model? Is there a *fast*,
event-driven way to detect processes being started/stopped?
Click to expand...

Ken,

Thanks but looking into hooks as an alternative for WMI, I already ran
into that article. It describes local hooks; I would need a system wide
hook.

Problem is that implementing such system wide hooks (aka global hooks)
with "pure" .NET is no sinecure if not impossible.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

how to get the process owner after querying WMI ? 2
WMI event on IP address changed 0
Issue with enabling WMI for non-admin users 0
sd card detection(Win32_PhysicalMedia) 0
Remote Process Execution in vb.net 3
Using ManagementEventWatcher and Win32_NTLogEvent 0
WMI Win32_PrintJob and windows service 0
problem with wmi 6

Top