Process Creation Listener

JMWilton

I know that you can use WMI to detect when new processes are created...and
that you use the System.Management namespace.
Is there any way to do this without going through the "overhead" of WMI?
Can this be gotten by using the System.Diagnostics.Performance... classes?
 
I suppose that you could use the System.Diagnostics.PerformanceCounter class
to monitor the Process counter and poll the processes that are there every
so often to see if they have changed on a thread. Doesn't sound like it
would be more efficient, but I haven't compared the two. If you write it,
let us know how they fared.

Mitch Ruebush
Microsoft Regional Director -
http://www.microsoftregionaldirectors.com
Visual Developer - .NET MVP -
Architect | Evangelist | Teacher
Online Consulting, Inc. - http://www.onlc.com
MCSD, MCAD, MCDBA, MCSE, MCT
 
Does WMI use a polling technique?
Is there any way to "hook" the CreateProcess call?
Is there any way to get an event when a performance counter changes value?
 
I'll see if anybody else knows of a better way, but WMI is not all that slow
and that is the only way that I know to register for events. These are
accessed through a System.Management.WQLEventQuery that is associated with a
System.Management.ManagementEventWatcher.
Counters are just values, very lightweight; WMI is the infrastructure that
does what you are asking, creating the ability to attach events to the
counters.

You could write your own process factory and make your own event for creating
processes and then launch the Process using the System.Diagnostics.Process
object, but that would only work on your program's processes.

Otherwise Windows launches the processes and I don't think there is an event
in the Win32 API, I will look later though...

The examples I have seen all use some kind of polling to do this (for
example creating a simple Task Manager and being able to update the process
list, this is done on threads).

Mitch
 
The "WMI Kernel Trace Event Provider" (XP and higher) is a high performance
provider exposing Win32_ProcessStartTrace, Win32_ProcessStopTrace,
Win32_ThreadStartTrace, Win32_ThreadStopTrace events. It is superfast and
provides a new scope for monitoring process related resources.

Willy.
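As an added illustration (not code from any poster in this thread) of the ManagementEventWatcher subscription Mitch describes, pointed at the Win32_ProcessStartTrace / Win32_ProcessStopTrace events Willy mentions: it assumes a reference to System.Management (the System.Management package on modern .NET) and an elevated process, since the kernel trace provider refuses non-administrator subscriptions. Note the .NET class is spelled WqlEventQuery.

```csharp
// Added example, not from the thread: event-driven (no polling) process
// start/stop monitoring through the WMI kernel trace provider.
// Assumes: reference to System.Management; running as administrator.
using System;
using System.Management;

class ProcessTraceListener
{
    static void Main()
    {
        // One watcher per event class; the provider pushes an event per
        // process start/stop, so nothing is polled on our side.
        var startWatcher = new ManagementEventWatcher(
            new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
        var stopWatcher = new ManagementEventWatcher(
            new WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace"));

        // Handlers run on a thread-pool thread, not the thread that called Start().
        startWatcher.EventArrived += (sender, e) =>
        {
            var ev = e.NewEvent;
            Console.WriteLine("START pid={0} parent={1} name={2} session={3}",
                ev["ProcessID"], ev["ParentProcessID"],
                ev["ProcessName"], ev["SessionID"]);
        };
        stopWatcher.EventArrived += (sender, e) =>
        {
            var ev = e.NewEvent;
            Console.WriteLine("STOP  pid={0} name={1} exit={2}",
                ev["ProcessID"], ev["ProcessName"], ev["ExitStatus"]);
        };

        try
        {
            startWatcher.Start();
            stopWatcher.Start();
            Console.WriteLine("Listening for process events; press Enter to quit.");
            Console.ReadLine();
        }
        catch (ManagementException ex)
        {
            // Typical cause: not elevated, or the WMI service is unavailable.
            Console.Error.WriteLine("WMI subscription failed: " + ex.Message);
        }
        finally
        {
            startWatcher.Stop();
            stopWatcher.Stop();
        }
    }
}
```

Because ParentProcessID is delivered with each start event, the same handler is the natural place to reconstruct parent/child process lineage for a monitoring tool, something a poll of the process list cannot reliably give for short-lived processes.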
 