How to get notification when a new process is started
in [Win32 Kernel]
|
Prev: Determining how many instances of an app are running
Next: WaitForSingleObject() and Process termination,...
From: Bob Altman on 15 Feb 2010 20:08 Hi all, I want to write a program that performs some action if any of a user-specified list of programs are running. Rather than periodically testing to see if any of the user-specified programs are running, I'd like to ask Windows to give me a notification when a process is created so that I can simply check to see if its program is one I care about. Is there a way to do this? FYI, I'm writing this program in .net, but I couldn't find anything in the Process class that does this so I assume I'll need to call into the Windows API to do it... TIA - Bob
From: Don Burn on 15 Feb 2010 20:16 AFAIK the only approved way to do this requires a kernel mode driver and use of PsSetCreateProcessNotification. Don Burn (MVP, Windows DKD) Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr "Bob Altman" <rda(a)nospam.nospam> wrote in message news:3B6E064E-2453-402C-8052-1913FD991A43(a)microsoft.com: > Hi all, > > I want to write a program that performs some action if any of a > user-specified list of programs are running. Rather than periodically > testing to see if any of the user-specified programs are running, I'd like to > ask Windows to give me a notification when a process is created so that I can > simply check to see if its program is one I care about. Is there a way to do > this? > > FYI, I'm writing this program in .net, but I couldn't find anything in the > Process class that does this so I assume I'll need to call into the Windows > API to do it... > > TIA - Bob __________ Information from ESET Smart Security, version of virus signature database 4869 (20100215) __________ The message was checked by ESET Smart Security. http://www.eset.com
From: Mikep on 15 Feb 2010 21:15 You can also use WMI (Windows Management Interface) Events. Google up 'Win32_ProcessStartTrace Class'. It's gruesome, but it does run in userland. Mike P "Don Burn" <burn(a)stopspam.windrvr.com> wrote in message news:%23ZYJlWqrKHA.5036(a)TK2MSFTNGP02.phx.gbl... > AFAIK the only approved way to do this requires a kernel mode driver and > use of PsSetCreateProcessNotification. > > > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > > > > "Bob Altman" <rda(a)nospam.nospam> wrote in message > news:3B6E064E-2453-402C-8052-1913FD991A43(a)microsoft.com: > >> Hi all, >> >> I want to write a program that performs some action if any of a >> user-specified list of programs are running. Rather than periodically >> testing to see if any of the user-specified programs are running, I'd >> like to >> ask Windows to give me a notification when a process is created so that I >> can >> simply check to see if its program is one I care about. Is there a way >> to do >> this? >> >> FYI, I'm writing this program in .net, but I couldn't find anything in >> the >> Process class that does this so I assume I'll need to call into the >> Windows >> API to do it... >> >> TIA - Bob > > > __________ Information from ESET Smart Security, version of virus > signature database 4869 (20100215) __________ > > The message was checked by ESET Smart Security. > > http://www.eset.com > >
From: "Jialiang Ge [MSFT]" on 16 Feb 2010 02:51 Hello Bob Here is a process watcher class in .NET http://weblogs.asp.net/whaggard/archive/2006/02/11/438006.aspx It uses WMI to monitor the creation, deletion, modification of processes. Regards, Jialiang Ge Microsoft Online Community Support ================================================= This posting is provided "AS IS" with no warranties, and confers no rights. =================================================
From: Bob Altman on 16 Feb 2010 13:50
> Here is a process watcher class in .NET > http://weblogs.asp.net/whaggard/archive/2006/02/11/438006.aspx > It uses WMI to monitor the creation, deletion, modification of processes. Thanks Jialiang. That's just what I'm looking for. Bob |