How to monitor when a file is executed by a user or program in Windows

How can I monitor a file which is executed by a user or program in Windows?
I need to write code to monitor files. When a user clicks the file (.exe) or
it is called by a program, the name of the file will be returned to a program.
So, exactly, I need to know the name of the executable file that is executed.
Originally, I tried a Windows service + FileSystemWatcher.
But there are just four events in FileSystemWatcher (created, renamed,
deleted, and changed), not executed.
So, how can I do it?
Thanks.
Jan 10 '06 #1
Don't know about your exact requirements, but you could always just monitor
the running processes:

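    using System;
    using System.Diagnostics;

    class App {
        static void Main() {
            const string unknown = "{unknown}";
            foreach (Process p in Process.GetProcesses()) {
                int pid = p.Id;
                string name = unknown, module = unknown;
                // Either lookup can throw (access denied, process already exited)
                try { name = p.ProcessName; } catch {}
                try { module = p.MainModule.FileName; } catch {}
                Console.WriteLine("{0}: {1} ({2})", pid, name, module);
            }
            Console.ReadLine();
        }
    }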

Of course, you'd need to do this periodically to monitor new items, and
there is a chance short-lived items could slip between your checks. Not
ideal (and personally I don't like it on principle), but it is an option. It
seems a bit of a "big brother" thing to want to do, though...

Marc

Jan 10 '06 #2
Hi,

There is no way of doing it

--
Ignacio Machin,
ignacio.machin AT dot.state.fl.us
Florida Department Of Transportation
Jan 10 '06 #3
If you are running XP or higher, you can use the System.Management classes
and listen for WMI Win32_ProcessStartTrace events.
Here's a small sample.

    using System;
    using System.Management;

    class App {
        public static void Main() {
            // Subscribe to WMI process-start trace events
            WqlEventQuery q = new WqlEventQuery("Win32_ProcessStartTrace");
            using (ManagementEventWatcher w = new ManagementEventWatcher(q)) {
                w.EventArrived += new EventArrivedEventHandler(ProcessStartEventArrived);
                w.Start();
                Console.ReadLine(); // block this thread for test purposes
                w.Stop();
            }
        }

        static void ProcessStartEventArrived(object sender, EventArrivedEventArgs e) {
            // Get the event object and display its properties
            foreach (PropertyData pd in e.NewEvent.Properties) {
                Console.WriteLine("{0} : {1}", pd.Name, pd.Value);
            }
        }
    }

Willy.
Jan 10 '06 #4
but.... why can the antivirus detect the malicious file when we click an
executable file. And, why can FileSystemWatcher know which file was changed,
but can't know which file was executed ????
Jan 10 '06 #5
exactly, I need to know which file was executed in Windows.
and, I wanna deal with the file (.exe)
It is similar to the antivirus. When we click a malicious file (.exe), then
the antivirus can detect it and deal with it.
thank you
Jan 10 '06 #6
Antivirus applications use kernel space drivers to do their thing, don't
expect to do this kind of thing from user space. Take a look at my other
reply, it shows you how you can achieve your goal using C#.

Willy.
Jan 10 '06 #7
I got your other reply. thank you very very very very much.
I tried your code and it works.
so, now I don't need to use the Windows service to monitor file. right?
in fact, the project is my thesis in research institute.
I wanna design an anti-spyware software.
so, I need to grab the spyware in real-time
Jan 10 '06 #8
and why can't we use kernel space while antivirus can.
the Microsoft accept ???
Jan 10 '06 #9
if I wanna run in win2k, the code doesn't work. right?
Jan 10 '06 #10
Nope.

Willy.
Jan 10 '06 #11
one guy told me this. this code can run in win2k
but it just detects notepad.exe and is a little slow

    ManagementEventWatcher watcher;

    private void button2_Click(object sender, System.EventArgs e)
    {
        // "within 5" makes WMI poll for new Win32_Process instances every 5 seconds
        string query = "select * from __InstanceCreationEvent " +
            "within 5 where TargetInstance ISA 'Win32_Process' " +
            " and TargetInstance.Name='notepad.exe'";
        watcher = new ManagementEventWatcher(query);
        watcher.EventArrived += new EventArrivedEventHandler(Display);
        watcher.Start();
    }

    public void Display(object sender, EventArrivedEventArgs e)
    {
        this.textBox1.Text = "notepad start";
    }
Jan 10 '06 #12
C# or any other managed code can not be used for driver development,
antivirus products do have parts running as kernel mode drivers.
In short, you won't be able to develop antivirus software in C# only, you
can use C# for the UI part, but that's not key for an antivirus product.

Willy.
Jan 10 '06 #13
True, you can use this to trace process start-up, but the problem here is
that polling is used, which makes it possible to miss events.
Note, as I said in another reply, this is not the right code path when your
intention is to write an antivirus application.

Willy.

Jan 10 '06 #14
Could I ask one more issue?
Now, we got the name of the file. so, what is the path of file???? How to
get it?
thank you very very very very much!

Green
Jan 11 '06 #15
I think I got the solution. Reference the MSDN.
I can use System.Diagnostics.ProcessModule.FileName to compare the name in
process pool.

thank you very much!!!
Jan 12 '06 #16
Hi Willy.
For one thing, I need to say thank you for giving me a suggestion.
Now I can monitor the file in the system. But the file name I get is
15 letters at most. If the name of the .exe file is more than 15, it will
be cut.
ex: if the name of the .exe file is "MonitorExFile.exe",
"e.NewEvent.Properties["ProcessName"].Value" will just get
"MonitorExFile.e"

So, how could I get the full name of the file?
And exactly, I need to get the full path of the .exe file, because I need to
deal with the process of the .exe file.
I got a method from MSDN, shown in the following.
It must create a process, then I could get the full path of the file.
But I just need to deal with the process of the file which is monitored by me.
Could I get any suggestion from you?
thank you very much!!
-----------------------------------
    Process myProcess = new Process();
    // Get the process start information of notepad.
    ProcessStartInfo myProcessStartInfo = new ProcessStartInfo("notepad.exe");
    // Assign 'StartInfo' of notepad to 'StartInfo' of 'myProcess' object.
    myProcess.StartInfo = myProcessStartInfo;
    // Create a notepad.
    myProcess.Start();
    System.Threading.Thread.Sleep(1000);
    ProcessModule myProcessModule;
    // Get all the modules associated with 'myProcess'.
    ProcessModuleCollection myProcessModuleCollection = myProcess.Modules;
    Console.WriteLine("File names of the modules associated "
        + "with 'notepad' are:");
    // Display the 'FileName' of each of the modules.
    for (int i = 0; i < myProcessModuleCollection.Count; i++)
    {
        myProcessModule = myProcessModuleCollection[i];
        Console.WriteLine(myProcessModule.ModuleName + " : "
            + myProcessModule.FileName);
    }
    // Get the main module associated with 'myProcess'.
    myProcessModule = myProcess.MainModule;
    // Display the 'FileName' of the main module.
    Console.WriteLine("The process's main module's FileName is: "
        + myProcessModule.FileName);
    myProcess.CloseMainWindow();
-----------------------------------------------------------------------
Mar 6 '06 #17
Use the ProcessID property returned to get the process instance and use
this one to get the main module's file name like:
....
    Process proc =
        Process.GetProcessById((int)(uint)e.NewEvent.Properties["ProcessID"].Value);
    string s = proc.MainModule.FileName; // full exe path...

Willy.
Mar 6 '06 #18
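
An added example, not part of any post in the thread: a console watcher that combines the Win32_ProcessStartTrace subscription from reply #4 with the ProcessID lookup from reply #18, and handles the cases where that lookup fails (process already exited, access denied) or where the PID no longer matches the truncated ProcessName reported in post #17. The names ProcessStartMonitor, OnProcessStart and ResolveImagePath are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management;

class ProcessStartMonitor
{
    static void Main()
    {
        // Same event class as in the thread. Subscribing to it normally
        // requires an elevated (administrator) process.
        WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace");
        using (ManagementEventWatcher watcher = new ManagementEventWatcher(query))
        {
            watcher.EventArrived += new EventArrivedEventHandler(OnProcessStart);
            watcher.Start();
            Console.WriteLine("Watching process starts, press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void OnProcessStart(object sender, EventArrivedEventArgs e)
    {
        // ProcessID and ParentProcessID arrive as boxed uint values.
        int pid = Convert.ToInt32(e.NewEvent.Properties["ProcessID"].Value);
        int parentPid = Convert.ToInt32(e.NewEvent.Properties["ParentProcessID"].Value);
        // May be cut short, e.g. "MonitorExFile.e" for MonitorExFile.exe.
        string shortName = (string)e.NewEvent.Properties["ProcessName"].Value;

        string path = ResolveImagePath(pid, shortName);
        Console.WriteLine("{0:u} pid={1} ppid={2} name={3} path={4}",
            DateTime.UtcNow, pid, parentPid, shortName, path);
    }

    // Resolves the full image path for a PID taken from the event.
    // The lookup happens after the event, so the process may be gone,
    // unreadable, or (rarely) the PID may already belong to another process.
    static string ResolveImagePath(int pid, string shortName)
    {
        try
        {
            using (Process proc = Process.GetProcessById(pid))
            {
                string path = proc.MainModule.FileName;
                string fileName = Path.GetFileName(path);
                // The event name is a prefix of the real file name when truncated,
                // so a prefix mismatch means the PID now refers to something else.
                if (!fileName.StartsWith(shortName, StringComparison.OrdinalIgnoreCase))
                    return "<pid reused, now " + path + ">";
                return path;
            }
        }
        catch (ArgumentException)
        {
            return "<exited before lookup>";   // no process with this PID any more
        }
        catch (InvalidOperationException)
        {
            return "<exited during lookup>";   // process ended while being queried
        }
        catch (Win32Exception ex)
        {
            return "<unreadable: " + ex.Message + ">"; // e.g. access denied
        }
    }
}
```

Short-lived processes will regularly show up as exited before lookup, so the truncated name and the parent PID from the event itself are the only data guaranteed to be present for every start.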
