1

I want to create an application/service to monitor user activity, especially to log every application that the user is running.
Is this possible in C#? I think not. So how to do this in C++ and WinAPI? I don't want a whole solution because it's surely complicated. Give me some advice only.
Thanks!

Dawid Moś

3 Answers

1

You could write a DLL that hooks CreateProcessW. In this hook, you would (a) do what you want to do when a process is spawned, and (b) inject itself into the new process.

Then, inject the DLL into all currently running processes.

EDIT: My answer to another related question should help you.

Community
0

Have a look here http://msdn.microsoft.com/en-us/library/1f3ys1f9.aspx

This will give you all processes running on the local computer.

To get processes that have a window do:

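```csharp
using System;
using System.Diagnostics;
using System.Linq;

// Processes that own a top-level window (MainWindowHandle is non-zero).
var procWithWindow = from proc in Process.GetProcesses()
                     where IntPtr.Zero != proc.MainWindowHandle
                     select proc;
```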
yas4891
0
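```csharp
using System.Management; // add a reference to System.Management

// Enumerate all running processes through WMI.
ManagementObjectSearcher Processes = new ManagementObjectSearcher("SELECT * FROM Win32_Process");
foreach (ManagementObject Process in Processes.Get())
{
    // ExecutablePath is null for processes the caller cannot inspect.
    if (Process["ExecutablePath"] != null)
    {
        string ExecutablePath = Process["ExecutablePath"].ToString();
        string[] OwnerInfo = new string[2];
        // GetOwner fills OwnerInfo[0] with the user and OwnerInfo[1] with the domain.
        Process.InvokeMethod("GetOwner", (object[])OwnerInfo);
        // do something
    }
}
```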

The process owner will be available in the OwnerInfo string array.

foxy
  • You're missing () parentheses after ToString [in the if] and Processes.Get [in the foreach] – yas4891 Aug 11 '11 at 07:29
  • you're very welcome. But uhm... You're still missing the () after Processes.Get – yas4891 Aug 11 '11 at 07:35
  • I'm not sure, but your code gets all currently running processes, right? Instead, I want to monitor and catch every process/program exactly when it's starting (i.e. like an anti-virus does) to log the date and time of execution. – Dawid Moś Aug 11 '11 at 07:56
  • 1
    @daftu, to do that (efficiently), you'd be hooking something like the WinAPI `CreateProcess()`, which is quite troublesome. It's easier to do a diff between results. Alternatively, you could add your DLL into `HKEY_LOCAL_MACHINE\SYSTEM\KERNEL`, and it will be loaded whenever a process starts. Use this to determine when a process starts, who it's owned by, and talk with a parent service via IPC. – foxy Aug 11 '11 at 08:40
  • @freedompeace, a diff between results could be inaccurate, i.e. when a user executes a program which will be active only for a few seconds, my app will not be able to notice this. Adding the DLL into the registry should be a better way, so I'm starting to solve this. Thank you! – Dawid Moś Aug 11 '11 at 10:23
  • I think I've found the solution: http://code.google.com/p/easyhook-continuing-detours/ – Dawid Moś Aug 11 '11 at 11:55
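
An added example, not part of any post above: logging each process start with its time, path and owner by subscribing to WMI `Win32_ProcessStartTrace` events, which are delivered as processes start instead of being found by diffing snapshots. It assumes a reference to System.Management and an elevated account; the class and method names are illustrative.

```csharp
using System;
using System.Management;

class ProcessStartLogger
{
    static void Main()
    {
        // Event-driven subscription: no polling interval, so a process that
        // lives only a few seconds still produces a start event.
        // Assumption: the caller is elevated, otherwise Start() is denied.
        var query = new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace");
        using (var watcher = new ManagementEventWatcher(query))
        {
            watcher.EventArrived += OnProcessStarted;
            watcher.Start();
            Console.WriteLine("Logging process starts; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void OnProcessStarted(object sender, EventArrivedEventArgs e)
    {
        ManagementBaseObject ev = e.NewEvent;
        uint pid = (uint)ev["ProcessID"];
        // TIME_CREATED is a FILETIME (100 ns ticks since 1601, UTC).
        DateTime started = DateTime.FromFileTimeUtc((long)(ulong)ev["TIME_CREATED"]);
        string path = "?", owner = "?";
        try
        {
            // Best-effort enrichment: the process may already have exited,
            // in which case the query returns nothing and "?" is logged.
            using (var searcher = new ManagementObjectSearcher(
                "SELECT * FROM Win32_Process WHERE ProcessId = " + pid))
            foreach (ManagementObject proc in searcher.Get())
            {
                path = (proc["ExecutablePath"] as string) ?? "?";
                object[] ownerInfo = new object[2];   // [0] = user, [1] = domain
                proc.InvokeMethod("GetOwner", ownerInfo);
                owner = ownerInfo[1] + "\\" + ownerInfo[0];
            }
        }
        catch (ManagementException) { /* process gone or access denied */ }

        Console.WriteLine("{0:o} pid={1} ppid={2} name={3} path={4} owner={5}",
            started, pid, ev["ParentProcessID"], ev["ProcessName"], path, owner);
    }
}
```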