
I'm trying to monitor every process when it starts on my machine.

Monitoring processes after they started is no problem with this class:

using System.Management;

class ProcessHelper
{
    ManagementEventWatcher processListener;

    public ProcessHelper()
    {
        // Subscribing to Win32_ProcessStartTrace requires administrative rights.
        processListener = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
        processListener.EventArrived += new EventArrivedEventHandler(ProcessListener_ProcessStarted);
        processListener.Start();
    }

    private void ProcessListener_ProcessStarted(object sender, EventArrivedEventArgs e)
    {
        // Walk the event's properties (ProcessID, ProcessName, ParentProcessID, SessionID, ...).
        // Keep the enumerator local: the handler can be invoked concurrently for several events.
        PropertyDataCollection.PropertyDataEnumerator propEnum = e.NewEvent.Properties.GetEnumerator();

        while (propEnum.MoveNext())
        {
            //DoMyStuff
        }
    }

    public void stopListener()
    {
        processListener.Stop();
    }
}

But I want to do this before the process starts, and interrupt its start.

What my goal is: I want to get notified when a process starts. I will also need its full file path. Then I want to interrupt the start. (Let's call this "freezing" the process.)

When the process is frozen, I want to do some checks, and after these kill it or let it start.

//EDIT

I think I found out how to freeze processes, in this thread.

So I "just" need to know how I can get notified when a process starts, to instantly freeze it.

It's no problem to use C/C++ libraries.

I want to develop the application with .NET Framework 2.0 - 4.0.

Does anyone know if (and how) this is possible in C#?

Eispala
    If you want to reliably be able to stop the process before it executes a single instruction you will need to use a custom driver. Basically you are writing the same kind of logic an antivirus does, so just follow a "[write your own antivirus tutorial](http://www.adlice.com/making-an-antivirus-engine-the-guidelines/)". Your WMI approach kinda works but the executable has time to run a short while before your code suspends it. – Scott Chamberlain Mar 30 '16 at 06:46
  • Yes, WMI is too slow, because the process is able to start up. Thanks for the link. I think that's all I need for the beginning. Time to get into C++ anyway. – Eispala Mar 30 '16 at 09:05

1 Answer

If you want to reliably be able to stop the process before it executes a single instruction you will need to use a custom driver. Basically you are writing the same kind of logic an antivirus does, so just follow a "write your own antivirus tutorial".

Your WMI approach kinda works but the executable has time to run a short while before your code suspends it. The driver will pretty much do the same logic but will be using process hooks so it is allowed to execute its code before the process is allowed to start.

Scott Chamberlain