Solution
Initially determine the creation time of all running processes. Then register for process creation events using WMI.
For a small sample on how to use WMI for process creation events, see the code below:
using System;
using System.Management;

static void Main(string[] args)
{
    using (ManagementEventWatcher eventWatcher = new ManagementEventWatcher(
        @"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"))
    {
        // Subscribe for process creation notification.
        eventWatcher.EventArrived += ProcessStarted_EventArrived;
        eventWatcher.Start();
        Console.In.ReadLine();
        eventWatcher.EventArrived -= ProcessStarted_EventArrived;
        eventWatcher.Stop();
    }
}

static void ProcessStarted_EventArrived(object sender, EventArrivedEventArgs e)
{
    ManagementBaseObject obj = e.NewEvent["TargetInstance"] as ManagementBaseObject;
    // The Win32_Process class also contains a CreationDate property.
    Console.Out.WriteLine("ProcessName: {0}", obj.Properties["Name"].Value);
}
Begin edit:
I investigated further into using WMI for process creation detection, and there is a (more) resource-friendly solution using the Win32_ProcessStartTrace class (but it requires administrative rights) (see TechNet for details):
using System;
using System.Management;

static void Main(string[] args)
{
    using (ManagementEventWatcher eventWatcher = new ManagementEventWatcher(
        @"SELECT * FROM Win32_ProcessStartTrace"))
    {
        // Subscribe for process creation notification.
        eventWatcher.EventArrived += ProcessStarted_EventArrived;
        eventWatcher.Start();
        Console.Out.WriteLine("started");
        Console.In.ReadLine();
        eventWatcher.EventArrived -= ProcessStarted_EventArrived;
        eventWatcher.Stop();
    }
}

static void ProcessStarted_EventArrived(object sender, EventArrivedEventArgs e)
{
    Console.Out.WriteLine("ProcessName: {0}", e.NewEvent.Properties["ProcessName"].Value);
}
In this solution you do not have to set a polling interval.
End edit
Begin edit 2:
You can use the Win32_ProcessStopTrace class to monitor process stop events. To combine process start and process stop events, use the Win32_ProcessTrace class. Use the ClassPath property in the event handler to distinguish between start/stop events:
using System;
using System.Management;

static void Main(string[] args)
{
    using (ManagementEventWatcher eventWatcher = new ManagementEventWatcher(
        @"SELECT * FROM Win32_ProcessTrace"))
    {
        eventWatcher.EventArrived += Process_EventArrived;
        eventWatcher.Start();
        Console.Out.WriteLine("started");
        Console.In.ReadLine();
        eventWatcher.EventArrived -= Process_EventArrived;
        eventWatcher.Stop();
    }
}

static void Process_EventArrived(object sender, EventArrivedEventArgs e)
{
    // Use the class path to distinguish between start/stop process events
    // (Win32_ProcessStartTrace vs. Win32_ProcessStopTrace).
    Console.Out.WriteLine(e.NewEvent.ClassPath);
    Console.Out.WriteLine("ProcessName: {0}", e.NewEvent.Properties["ProcessName"].Value);
}
End edit 2
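As an added example, not the answer's own code, the following program puts the whole approach from this answer together: it first records the creation time of every process that is already running (via Win32_Process and its CreationDate), then subscribes to Win32_ProcessTrace and uses ClassPath.ClassName to apply start and stop events to that table. Seeding the table first is what a monitoring or detection tool needs so that processes started before the watcher was attached are not missed. The type and helper names (ProcessMonitor, SeedRunningProcesses, OnProcessTrace, Known) are mine; the WMI class and property names (Win32_Process, Win32_ProcessTrace, ProcessID, ProcessName, ParentProcessID, TIME_CREATED) are the documented ones. Like the answer's trace-based versions it must run with administrative rights, and on .NET Core/.NET 5+ the System.Management NuGet package is needed.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

// Added example (not from the original answer): seed a process table from
// Win32_Process, then keep it current with Win32_ProcessTrace start/stop events.
class ProcessMonitor
{
    // Process ID -> (image name, creation time) for every process we know about.
    // Guarded by a lock because event callbacks arrive on thread-pool threads.
    static readonly Dictionary<uint, (string Name, DateTime Created)> Known =
        new Dictionary<uint, (string Name, DateTime Created)>();

    static void Main()
    {
        SeedRunningProcesses();

        using (var watcher = new ManagementEventWatcher(
                   new WqlEventQuery("SELECT * FROM Win32_ProcessTrace")))
        {
            watcher.EventArrived += OnProcessTrace;
            watcher.Start();
            Console.WriteLine("monitoring; press Enter to stop");
            Console.ReadLine();
            watcher.EventArrived -= OnProcessTrace;
            watcher.Stop();
        }
    }

    // Step 1 of the answer: record the creation time of every running process.
    static void SeedRunningProcesses()
    {
        using (var searcher = new ManagementObjectSearcher(
                   "SELECT ProcessId, Name, CreationDate FROM Win32_Process"))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementBaseObject proc in results)
            {
                uint pid = (uint)proc["ProcessId"];
                string name = (string)proc["Name"];
                // CreationDate is a DMTF datetime string; it is null for
                // processes whose details we are not permitted to read.
                string dmtf = proc["CreationDate"] as string;
                DateTime created = dmtf != null
                    ? ManagementDateTimeConverter.ToDateTime(dmtf).ToUniversalTime()
                    : DateTime.MinValue;
                lock (Known) { Known[pid] = (name, created); }
                Console.WriteLine($"existing pid={pid,-6} {name} created={created:u}");
            }
        }
    }

    // Step 2: Win32_ProcessTrace delivers both Win32_ProcessStartTrace and
    // Win32_ProcessStopTrace instances; ClassPath.ClassName tells them apart.
    static void OnProcessTrace(object sender, EventArrivedEventArgs e)
    {
        ManagementBaseObject ev = e.NewEvent;
        string cls = ev.ClassPath.ClassName;
        uint pid = (uint)ev["ProcessID"];
        uint parent = (uint)ev["ParentProcessID"];
        string name = (string)ev["ProcessName"];
        // TIME_CREATED (inherited from __ExtrinsicEvent) is a FILETIME in UTC.
        DateTime when = DateTime.FromFileTimeUtc((long)(ulong)ev["TIME_CREATED"]);

        if (cls == "Win32_ProcessStartTrace")
        {
            lock (Known) { Known[pid] = (name, when); }
            Console.WriteLine($"started  pid={pid,-6} {name} parent={parent} at={when:u}");
        }
        else if (cls == "Win32_ProcessStopTrace")
        {
            (string Name, DateTime Created) info;
            bool tracked;
            lock (Known)
            {
                tracked = Known.TryGetValue(pid, out info);
                if (tracked) Known.Remove(pid);
            }
            string lifetime = tracked && info.Created != DateTime.MinValue
                ? (when - info.Created).ToString()
                : "unknown";
            Console.WriteLine($"stopped  pid={pid,-6} {name} lifetime={lifetime}");
        }
    }
}
```

Note that ProcessName in the trace events is the image name only (for example notepad.exe), not the full path; if you need the path or command line, look the process up in Win32_Process by ProcessId while it is still alive, which is why the seed table is also useful for short-lived processes.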