TL;DR

I have written a program in C++ to close all "new" programs, that is, programs that start but were not running when my program started. Currently I do this by capturing all PIDs and then constantly checking all registered applications against this list. Those that are not on my list I attempt to close/kill. This is very CPU intensive for such a simple task. Is there a way to receive some sort of Windows event so I don't need to have a very active thread?

I found this hook which might do what I need it to do, but it kind of seems geared towards other purposes, not quite what I need.

In a nutshell:

Is there an event I can receive from Windows right after/before a process launches?

1 Answer

Ideally you would do this in user mode and without polling, and the only thing I can think of that comes close is WMI events.

A C++ example can be found here. You might also want to read about the differences between __InstanceCreationEvent and Win32_ProcessStartTrace.

Anders
  • *without polling* - but how are these WMI events implemented internally? I mean, how does WMI itself get notified about process start/stop? If some user-mode API for this exists (without polling), we can call it directly ourselves, without WMI and RPC. If WMI does the polling itself, using it is nonsense: we can poll directly without WMI. – RbMm Nov 07 '17 at 01:05
  • I would assume WMI does not poll but uses PsSetCreateProcessNotifyRoutine or ETW. I don't know why there is no simple user-mode API that does the same thing. – Anders Nov 07 '17 at 02:21
  • According to https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf WMI extrinsic events like Win32_ProcessStartTrace do not poll. – Anders Nov 07 '17 at 02:43
  • yes, you're right. WMI uses `krnlprov.dll` here, which gets events from the kernel via ETW on the *Microsoft-Windows-Kernel-Process* (`{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}`) provider – RbMm Nov 07 '17 at 12:42