Using WMI's ManagementEventWatcher/EventArrivedEventHandler will result in creating another thread, which I'm trying to avoid. WMI is also known for its delay.
So my question is: how can I detect Windows process creation/termination with C# without WMI? Is there a way to do this from unmanaged code?
4

JohnTube
- @DavidHeffernan here's my question. – JohnTube Mar 02 '14 at 18:13
- You might want to re-evaluate your software design if unusual requirements like that arise. – sa.he Mar 20 '14 at 20:01
- Are you looking to do this for all processes starting/exiting on a machine, or for one process specifically? – aevitas Mar 24 '14 at 15:37
- All processes, yes... precisely (futile): all processes of one user (all processes in a Windows session except those running under "SYSTEM" account) – JohnTube Mar 24 '14 at 16:09
2 Answers
3
You can use Event Tracing for Windows (ETW). Specifically, you want to look at subclasses of the Process class in the kernel event tracer.
I haven't ever used this from managed code, but this blog post looks useful.
And I don't know if this creates extra threads in your process.
In summary, you don't need WMI to monitor process events. You can use ETW instead but I don't know if it exactly meets your requirements.

arx
- Thank you for your answer but I don't need extra configuration, I want to do this using code only. I know it's my fault that this isn't explicitly mentioned in the question. – JohnTube Mar 27 '14 at 09:55
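
The ETW approach from the answer above, as an added example that is not part of the original thread and not the answerer's code. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package and an elevated process; the session-ID filter is an assumed approximation of the per-session scope the asker describes, and `ProcessWatcher` is a hypothetical name.

```csharp
// Added example: process start/stop events from the kernel ETW provider, no WMI.
// Assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package.
using System;
using System.Diagnostics;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

static class ProcessWatcher   // hypothetical name
{
    static void Main()
    {
        // Kernel ETW sessions can only be started by an elevated process.
        if (!(TraceEventSession.IsElevated() ?? false))
        {
            Console.Error.WriteLine("Run elevated: the kernel ETW session requires administrator rights.");
            return;
        }

        // Report only processes in the same Windows session as this watcher.
        int mySession = Process.GetCurrentProcess().SessionId;

        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            // Ctrl+C disposes the session so it does not keep running after exit.
            Console.CancelKeyPress += (s, e) => { e.Cancel = true; session.Dispose(); };

            // Subscribe to process events only (no thread, image-load or file I/O events).
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

            session.Source.Kernel.ProcessStart += (ProcessTraceData d) =>
            {
                if (d.SessionID == mySession)
                    Console.WriteLine("{0:o} START pid={1} ppid={2} image={3} cmd={4}",
                        d.TimeStamp, d.ProcessID, d.ParentID, d.ImageFileName, d.CommandLine);
            };
            session.Source.Kernel.ProcessStop += (ProcessTraceData d) =>
            {
                if (d.SessionID == mySession)
                    Console.WriteLine("{0:o} STOP  pid={1} image={2} exit={3}",
                        d.TimeStamp, d.ProcessID, d.ImageFileName, d.ExitStatus);
            };

            // Blocks the calling thread and invokes the handlers above on it
            // until the session is disposed.
            session.Source.Process();
        }
    }
}
```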
2
To the best of my knowledge, the only supported way to subscribe to process create/destroy events is through WMI. I think you are rejecting the option of polling, in which case it is either WMI, or bust.

David Heffernan
- Should I ask another question to solve my original problem: how to "create and communicate" with a thread responsible for calling SetWinEventHook, having a message pump/loop and receiving callbacks, in C#? – JohnTube Mar 02 '14 at 20:57
- I'm sorry, I don't really understand that, and I can't see how it is related to this question. If you want to ask a different question, why did you ask this one? I don't really understand. – David Heffernan Mar 02 '14 at 20:59
- This was my [original question](http://stackoverflow.com/questions/22081803/force-setwineventthread-to-be-called-from-main-thread?noredirect=1#comment33547420_22081803). Remember, my problem is related to this: "For out-of-context events, the event is delivered on **the same thread** that called SetWinEventHook." – JohnTube Mar 02 '14 at 21:01
- Maybe I can call [GetProcessTimes()](http://msdn.microsoft.com/en-us/library/windows/desktop/ms683223%28v=vs.85%29.aspx) just after a process exits ([Process.WaitForExit()](http://msdn.microsoft.com/en-us/library/fb4aw7b8%28v=vs.90%29.aspx))? – JohnTube Apr 21 '14 at 19:26