I use the following C# code in a Windows service (which runs as NT_AUTHORITY\SYSTEM) to create an event handler that receives process creation events (using WMI and WQL):
```csharp
using System.Management; // needs a reference to System.Management.dll

// Subscribe to the extrinsic Win32_ProcessStartTrace event (no WITHIN polling interval)
string queryString = "SELECT * FROM Win32_ProcessStartTrace";
ManagementEventWatcher watcher = new ManagementEventWatcher(new WqlEventQuery(queryString));
watcher.EventArrived += new EventArrivedEventHandler(ProcessStartEvent);
watcher.Start();
```
In ProcessStartEvent:
```csharp
// inside ProcessStartEvent(object sender, EventArrivedEventArgs e)
int processId = int.Parse(e.NewEvent.Properties["ProcessId"].Value.ToString());
try
{
    Process proc = Process.GetProcessById(processId); // throws ArgumentException if the process has already exited
    Out("Received process: " + proc.ProcessName);
}
catch (ArgumentException) { Out("Received process " + processId + " (already exited)"); }
```
The problem I am facing is that (for some strange reason) not every started process is caught and reported by the program. If I start about 6 processes at the same time, not all of them show up in the output.
I tried to do some research on capturing process creation events using WMI, but there is limited information. I saw that you can also catch process starts using a query similar to:

```sql
SELECT TargetInstance FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'
```

(As seen in this Stack Overflow answer.)
Are there any significant differences between using __InstanceCreationEvent and Win32_ProcessStartTrace? Could this be the cause of my problems?
Is there any explanation why I am not getting events for all processes? Is there something more obvious that I'm doing wrong here?
Xenon
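To make the difference between the two subscriptions visible, here is an added example (not the asker's code) that runs both watchers side by side. It reads everything it logs from the event payload itself instead of calling Process.GetProcessById, so processes that have already exited by the time the handler runs are still reported; it assumes the service account has the privileges needed for Win32_ProcessStartTrace.

```csharp
using System;
using System.Management;
using System.Threading;

// Added example: compare the polled intrinsic event with the pushed extrinsic one.
class ProcessStartMonitor
{
    static void Main()
    {
        // Intrinsic event: WMI polls Win32_Process every 2 seconds (WITHIN 2).
        // A process created and destroyed between two polls is never seen.
        var creationWatcher = new ManagementEventWatcher(new WqlEventQuery(
            "SELECT TargetInstance FROM __InstanceCreationEvent WITHIN 2 " +
            "WHERE TargetInstance ISA 'Win32_Process'"));
        creationWatcher.EventArrived += (s, e) =>
        {
            var target = (ManagementBaseObject)e.NewEvent["TargetInstance"];
            Log("__InstanceCreationEvent", target["ProcessId"], target["Name"],
                target["CommandLine"]);
        };

        // Extrinsic event: delivered by the kernel trace provider as each
        // process starts, with no polling interval (needs an elevated context).
        var traceWatcher = new ManagementEventWatcher(new WqlEventQuery(
            "SELECT * FROM Win32_ProcessStartTrace"));
        traceWatcher.EventArrived += (s, e) =>
            Log("Win32_ProcessStartTrace", e.NewEvent["ProcessID"],
                e.NewEvent["ProcessName"], e.NewEvent["ParentProcessID"]);

        creationWatcher.Start();
        traceWatcher.Start();
        Console.WriteLine("Monitoring process starts; press Ctrl+C to stop.");
        Thread.Sleep(Timeout.Infinite);
    }

    static void Log(string source, object pid, object name, object extra)
    {
        // Handlers run on a WMI thread-pool thread: keep them short and
        // handle their own exceptions; use the event data, not a live lookup.
        Console.WriteLine("{0:O} [{1}] pid={2} name={3} extra={4}",
            DateTime.UtcNow, source, pid, name, extra);
    }
}
```

Starting a burst of short-lived processes (for example several instances of cmd /c exit) while this runs shows which of the two sources reports each of them.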