I want my callbackMethod() to run whenever a certain new external process is created.

I was looking at the WMI APIs, and I have read that, to some extent, I can attach an event handler for whenever a process is started.

I have looked at this answer: "Is there a System event when processes are created?", and created this code:

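```csharp
using System;
using System.Diagnostics;
using System.Management; // requires a reference to System.Management

public static void setupMonitor()
{
    // Subscribe to the WMI event raised for every process start.
    ManagementEventWatcher startWatch = new ManagementEventWatcher(
        new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
    startWatch.EventArrived += new EventArrivedEventHandler(callBack);
    startWatch.Start();
}

public static void callBack(object sender, EventArrivedEventArgs e)
{
    // ProcessID is a property of the Win32_ProcessStartTrace event.
    int id = Convert.ToInt32(e.NewEvent.Properties["ProcessID"].Value);
    // Throws ArgumentException if no process with this ID is running.
    Process started = Process.GetProcessById(id);
}
```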

How can I get the new process and assign it to a C# Process object?

What I want to know is: does this method also send an event if a process is created as 'suspended'?

Or do I have to use a different query?

Thanks everyone

  • `seen the windows API - Win32_ProcessStartTrace` - it is not WinAPI, it is a WMI class. `would importing Win32_ProcessStartTrace directly be more efficient` - you are already using it, what do you mean by `importing`? Also, have you taken a look at http://stackoverflow.com/questions/22131316/detect-windows-processes-start-and-exit-events-with-c-sharp-without-wmi – Eugene Podskal Jan 21 '17 at 20:04
  • You can get processname from that event and start Process.Start – Akash KC Jan 21 '17 at 20:05
  • @Zeller33 Also you are asking too many questions in one. You should concentrate on one thing at a time, otherwise the question loses its focus and becomes too broad. – Eugene Podskal Jan 21 '17 at 20:11
  • Sorry, I removed the first question, it may have been unclear. The last two are the important ones and @LolCoder, I don't want to start a new instance of the process – Zeller33 Jan 21 '17 at 20:39
  • Sorry people, I've answered parts of my own question, but I have one crucial question – Zeller33 Jan 21 '17 at 20:56
  • `What I want to know is does this method also send an event if a process created as 'suspended'?` - there seems to be no documentation on that account. You probably have to [create suspended process](http://stackoverflow.com/questions/22570591/how-to-create-suspended-process-from-c-sharp-without-p-invoke) and check whether it is detected or not. Obviously there is a risk that even if it works on one OS version, it may not work on an older or newer version, but assuming that it is not a system-critical application and that very few processes are started suspended, it may not be an issue. – Eugene Podskal Jan 21 '17 at 21:52
  • @Eugene -> yes it does activate the callback on a 'suspended' process, but I have found that `Process.GetProcessById(id)` doesn't work when suspended??? Or am I doing something wrong – Zeller33 Jan 21 '17 at 22:31
  • @Zeller33 How exactly does it not work? – Eugene Podskal Jan 22 '17 at 09:31
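
An added example, not part of the question or the comments above: the handler from the question written so that it only reacts to one image name and tolerates a process that has already exited when the asynchronously delivered event arrives. `ProcessStartMonitor`, `imageName`, `onStarted` and the `notepad.exe` sample value are hypothetical; the code assumes a reference to System.Management and an elevated caller.

```csharp
using System;
using System.Diagnostics;
using System.Management; // add a reference to System.Management

// Hypothetical helper for illustration; not code from the original page.
static class ProcessStartMonitor
{
    // Kept in a field so the subscription can be stopped and disposed later.
    private static ManagementEventWatcher _watcher;

    public static void Start(string imageName, Action<Process> onStarted)
    {
        _watcher = new ManagementEventWatcher(
            new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
        _watcher.EventArrived += (sender, e) =>
        {
            string name = (string)e.NewEvent["ProcessName"];
            if (!string.Equals(name, imageName, StringComparison.OrdinalIgnoreCase))
                return; // not the process we are waiting for

            int pid = Convert.ToInt32(e.NewEvent["ProcessID"]);
            Process started;
            try
            {
                // The process may be gone by the time the event is handled.
                started = Process.GetProcessById(pid);
            }
            catch (ArgumentException)
            {
                Console.Error.WriteLine($"{name} (PID {pid}) exited before it could be opened.");
                return;
            }
            onStarted(started);
        };
        _watcher.Start(); // assumption: the caller runs elevated
    }

    public static void Stop()
    {
        _watcher?.Stop();
        _watcher?.Dispose();
        _watcher = null;
    }

    static void Main()
    {
        // "notepad.exe" is a constructed sample value.
        Start("notepad.exe", p => Console.WriteLine($"Attached to PID {p.Id}"));
        Console.ReadLine(); // keep the program alive while events arrive
        Stop();
    }
}
```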

0 Answers