12

Hey there. Is there a way to raise an event when a new process is started without using the ManagementEventWatcher, and without using Process.GetProcesses()? The problem with ManagementEventWatcher is that the user needs to have high permissions. Thank you!!!

user604627
  • 3
    Instead of attempting to circumvent the security model, how about telling us what problem you are actually trying to solve? There may be a better overall approach that you haven't thought of. – Ed S. Feb 05 '11 at 18:59
  • I'm creating a game (Treasure Hunt) that uses windows for the playground, so when I open a new notepad or calc I will send hints to the process. So I need to raise an event when the next process starts so I can send the hints for the treasure.... I hope you get it.... – user604627 Feb 05 '11 at 19:06
  • Have you tried `ManagementEventWatcher`? I don't see anything in the docs that says it needs high permissions, although I'll admit that I haven't tried it on a very restricted user account. – Jim Mischel Feb 05 '11 at 19:24
  • 1
    Yes, I tried that: `startWatch = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace")); startWatch.EventArrived += new EventArrivedEventHandler(startWatch_EventArrived); startWatch.Start();` After the `startWatch.Start();` line the exception is thrown [Access is denied], but when I open as administrator everything is fine. – user604627 Feb 05 '11 at 19:32
  • Does the game start the processes itself? – Peter Ritchie Aug 12 '12 at 22:31
  • How much granularity do you need? That is, how soon after the process begins do you need the event to be raised? – Michael Graczyk Aug 13 '12 at 00:06
  • What a terrible playground for a game world, good luck trying to make it work! :) – invert Aug 17 '12 at 11:33
  • Thank you for the responses, but it looks like the original asker of this question is not active anymore. I have awarded my bounty to Jeremy's answer below. – Satyajit Aug 19 '12 at 05:40

4 Answers

10

Unlike the extrinsic event Win32_ProcessStartTrace that you are currently using, the __InstanceCreationEvent and __InstanceDeletionEvent WMI intrinsic events do not require administrator rights.

Here's a sample query you can use to track process starts:

```
SELECT TargetInstance
  FROM __InstanceCreationEvent WITHIN 1
 WHERE TargetInstance ISA 'Win32_Process'
   AND TargetInstance.Name LIKE '<your process name.exe>'
```

Further info: Process Information and Notifications using WMI

Because these are intrinsic events, WMI ultimately mimics event behaviour by means of polling, and will check for new events only periodically (here, every 1 second). Decreasing the WITHIN duration to fractions of seconds will give you faster response at the expense of CPU usage.

Tommy Grovnes
Satyajit
  • 8
    You should note that a very short polling interval (e.g. 0.1s) can eat up to 30% of CPU, not in your process but in WmiPrvSE.exe, which does the actual polling. Just in case you wonder why it is not your process that is suddenly taking so much CPU but a system process. – Alois Kraus Aug 12 '12 at 23:54
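The intrinsic-event query from the answer above, wired into a `ManagementEventWatcher`, as an added example that is not part of the original answer. The process names (`notepad.exe`, `calc.exe`, taken from the asker's comment), the class name and the handler name are assumptions; a process that starts and exits between two polls is never reported.

```csharp
using System;
using System.Management; // add a reference to System.Management.dll

class ProcessStartWatcher
{
    static void Main()
    {
        // Intrinsic event: WMI polls Win32_Process every WITHIN interval and
        // reports instances that were not present at the previous poll.
        var query = new WqlEventQuery(
            "__InstanceCreationEvent",
            TimeSpan.FromSeconds(1),
            "TargetInstance ISA 'Win32_Process' AND " +
            "(TargetInstance.Name = 'notepad.exe' OR TargetInstance.Name = 'calc.exe')");

        using (var watcher = new ManagementEventWatcher(
            new ManagementScope(@"\\.\root\CIMV2"), query))
        {
            watcher.EventArrived += OnProcessStarted;
            try
            {
                watcher.Start(); // the subscription is registered here
            }
            catch (ManagementException ex)
            {
                Console.Error.WriteLine("WMI refused the subscription: " + ex.ErrorCode);
                return;
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.Error.WriteLine("Access denied: " + ex.Message);
                return;
            }
            Console.ReadLine(); // keep watching until Enter is pressed
            watcher.Stop();
        }
    }

    static void OnProcessStarted(object sender, EventArrivedEventArgs e)
    {
        // TargetInstance is the Win32_Process object that appeared.
        using (var proc = (ManagementBaseObject)e.NewEvent["TargetInstance"])
        {
            // ExecutablePath is null when the caller may not open the process.
            Console.WriteLine("{0} pid={1} path={2}",
                proc["Name"], proc["ProcessId"], proc["ExecutablePath"] ?? "(not readable)");
        }
    }
}
```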
1

It should be possible to figure out when an application was last run by configuring audit process tracking in Windows. The following links might get you started:

Audit process tracking

How can I track what programs come and go on my machine?

The process tracking will create entries in the Windows event log which you can then access using C#.

Ref: .NET Process Monitor

Community
Jeremy Thompson
  • This makes sense, and I can then subscribe to the event log updates without having to poll... http://msdn.microsoft.com/en-us/library/bb671202(v=vs.90).aspx. I think I will award the bounty to you. – Satyajit Aug 19 '12 at 05:34
  • 2
    Please note though that the original question was by a different asker, so I cannot mark your answer as accepted. – Satyajit Aug 19 '12 at 05:38
  • Isn't this a verbatim copy of http://stackoverflow.com/questions/1986249/c-sharp-process-monitor#answer-1986294? Is it normal to get a bounty for that? Shouldn't the bounty belong to [0xA3](http://stackoverflow.com/users/40347/0xa3)?? – 7heo.tk Nov 09 '13 at 14:16
  • @7heo.tk this was ages ago, I have added a ref to the source; unfortunately you can't close active bounties as duplicates. – Jeremy Thompson Nov 10 '13 at 01:39
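Subscribing to the audit records discussed in this answer and its comments, as an added example that is not part of the original posts. It assumes Windows Vista or later, where an audited process start is written to the Security log as event ID 4688, and that process-creation auditing is enabled; the account must be allowed to read the Security log (Administrators or Event Log Readers by default), so this route does not remove the need for elevated rights. Class and handler names are assumptions.

```csharp
using System;
using System.Diagnostics.Eventing.Reader; // System.Core.dll

class AuditedProcessWatcher
{
    // Select fields of the 4688 record by name rather than by position.
    static readonly EventLogPropertySelector Fields = new EventLogPropertySelector(new[]
    {
        "Event/EventData/Data[@Name='NewProcessName']",
        "Event/EventData/Data[@Name='NewProcessId']",
        "Event/EventData/Data[@Name='SubjectUserName']"
    });

    static void Main()
    {
        var query = new EventLogQuery(
            "Security", PathType.LogName, "*[System[(EventID=4688)]]");

        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += OnRecord;
            try
            {
                watcher.Enabled = true; // push subscription, no polling
            }
            catch (UnauthorizedAccessException)
            {
                Console.Error.WriteLine("This account may not read the Security log.");
                return;
            }
            Console.ReadLine(); // keep watching until Enter is pressed
            watcher.Enabled = false;
        }
    }

    static void OnRecord(object sender, EventRecordWrittenEventArgs e)
    {
        if (e.EventRecord == null) // delivery failed; the reason is in EventException
        {
            Console.Error.WriteLine("Subscription error: " + e.EventException);
            return;
        }
        using (var record = (EventLogRecord)e.EventRecord)
        {
            var v = record.GetPropertyValues(Fields);
            Console.WriteLine("{0} pid={1} started by {2}", v[0], v[1], v[2]);
        }
    }
}
```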
0

The strange thing is that an application does not need to create a window in Windows. A created process may not belong to the window station that you work on. You will need to find the windows of that process anyway, and you will also need to detect new and closed windows of all processes.

So enumerating windows is a much cleaner/easier choice.

Try the EnumChildWindows function on the desktop handle (retrieved by GetDesktopWindow) to find the top-level windows of applications. Use GetWindowThreadProcessId and EnumThreadWindows on the obtained handles to detect sub-windows of windows.

A low priority thread will do the job.

Erdogan Kurtur
0

You can probably use EnumDesktopWindows from user32.dll. You will get all the window handles, and you can check the title of a window using GetWindowText and the type of a window using GetClassName.

That way you can hide the hint or treasure anywhere (because you will get handles of all the windows and controls).

See if this class will be useful to you: Managed Global Hook for Window Creation and Destruction

In that article, someone has created a nice class with easy-to-attach events. You can run that code without elevating privileges.

Once you get the window (control) handle, you can add text or draw an image on it for hints.

Vishalgiri