0

There is a very clear answer here on how to monitor processes. It works like a charm... except it must be run in elevated mode, which is a definite non-option for me in the context of my program.

What I need to do is basically monitor all new processes and compare them against a predetermined list. I would like to do this without simply using a stopwatch and polling for any new processes.

Does anyone know of an event that would be raised similar to the ManagementEventWatcher that doesn't require being run as administrator?

Thanks!

tmwoods
  • that'd be rather privileged information, and I highly doubt it'd be available to any standard user. "oh, look, user X is executing `chrome.exe http://furnitureporn.com`. oh MY...." – Marc B Aug 15 '16 at 21:20
  • This would only be for processes run by that particular user. Non-admins have access to the entire `Process` class, but for that you have to supply the name of the process to monitor in advance. I want to have a general event for all processes, then check the name after the fact. – tmwoods Aug 15 '16 at 21:23
  • @MarcB I'm at work so I won't but now I'm extremely curious if that is a working url... – tmwoods Aug 15 '16 at 21:27
  • 1
    it is, and it's hilariously semi-safe for work. it's literally pictures of various furniture in sex positions. the site's been around since the VERY early days of the web. – Marc B Aug 15 '16 at 21:44

2 Answers

2

I had the same problem as OP but managed to use ManagementEventWatcher as non-admin by providing a specific query:

```csharp
string queryString = "SELECT * FROM __InstanceCreationEvent WITHIN .025 WHERE TargetInstance ISA 'Win32_Process'";
ManagementEventWatcher managementEventWatcher = new ManagementEventWatcher(@"\\.\root\CIMV2", queryString);
managementEventWatcher.EventArrived += ProcessStartEventArrived;
managementEventWatcher.Start();
```

WITHIN is the timeframe to be notified in.

Stopping is done the same way but using __InstanceDeletionEvent:

```csharp
string queryString = "SELECT * FROM __InstanceDeletionEvent WITHIN .025 WHERE TargetInstance ISA 'Win32_Process'";
```
CodeBlue
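
The answer above subscribes `ProcessStartEventArrived` but does not show the handler. A complete console version that checks each new process against a predetermined list follows, as an added example that is not part of the original answer; the class name, the `WatchList` contents and the 1-second `WITHIN` interval are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Management; // requires a reference to System.Management

static class ProcessWatchExample
{
    // Constructed sample list; replace with the real predetermined names.
    static readonly HashSet<string> WatchList =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "notepad.exe", "calc.exe" };

    static void Main()
    {
        // Same query shape as the answer; the 1-second interval is this example's choice.
        const string query =
            "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
            "WHERE TargetInstance ISA 'Win32_Process'";

        using (var watcher = new ManagementEventWatcher(@"\\.\root\CIMV2", query))
        {
            watcher.EventArrived += ProcessStartEventArrived;
            watcher.Start();
            Console.WriteLine("Watching for process starts. Press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void ProcessStartEventArrived(object sender, EventArrivedEventArgs e)
    {
        // TargetInstance is the embedded Win32_Process object for the new process.
        using (var process = (ManagementBaseObject)e.NewEvent["TargetInstance"])
        {
            string name = process["Name"] as string;
            if (name == null || !WatchList.Contains(name))
                return; // not on the predetermined list

            uint pid = (uint)process["ProcessId"];
            // ExecutablePath can be null when the caller lacks access to the process.
            string path = process["ExecutablePath"] as string ?? "<path unavailable>";
            Console.WriteLine($"{DateTime.Now:O} match: {name} pid={pid} path={path}");
        }
    }
}
```

Because `WITHIN` makes WMI poll for new instances, a process that starts and exits inside one interval can be missed. A name match alone says nothing about which binary actually ran, so the path is logged alongside it.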
0

You can get all working processes with `Process.GetProcesses();`, then you can iterate through them and get their name and some info, but more advanced things do require elevated permissions.

Pau C