Initially determine for all running processes the creation time. Then
use WMI to register for process creation events.
See below for a small example of how to use WMI for process creation events:
    using System;
    using System.Management;

    class Program
    {
        static void Main(string[] args)
        {
            using (ManagementEventWatcher eventWatcher =
                new ManagementEventWatcher(@"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"))
            {
                // Subscribe for process creation notification.
                eventWatcher.EventArrived += ProcessStarted_EventArrived;
                eventWatcher.Start();
                Console.In.ReadLine();
                eventWatcher.EventArrived -= ProcessStarted_EventArrived;
                eventWatcher.Stop();
            }
        }

        static void ProcessStarted_EventArrived(object sender, EventArrivedEventArgs e)
        {
            ManagementBaseObject obj = e.NewEvent["TargetInstance"] as ManagementBaseObject;
            // The Win32_Process class also contains a CreationDate property.
            // Pass the name as a format argument so that {0} is substituted.
            Console.Out.WriteLine("ProcessName: {0}", obj.Properties["Name"].Value);
        }
    }
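BEGIN EDIT:
I investigated process discovery with WMI further and found a (more) friendly solution (which requires administrative privileges, though) using the `Win32_ProcessStartTrace` class (please see TECHNET for further information):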
    using (ManagementEventWatcher eventWatcher =
        new ManagementEventWatcher(@"SELECT * FROM Win32_ProcessStartTrace"))
    {
        // Subscribe for process creation notification.
        eventWatcher.EventArrived += ProcessStarted_EventArrived;
        eventWatcher.Start();
        Console.Out.WriteLine("started");
        Console.In.ReadLine();
        eventWatcher.EventArrived -= ProcessStarted_EventArrived;
        eventWatcher.Stop();
    }

    static void ProcessStarted_EventArrived(object sender, EventArrivedEventArgs e)
    {
        // Pass the name as a format argument so that {0} is substituted.
        Console.Out.WriteLine("ProcessName: {0}",
            e.NewEvent.Properties["ProcessName"].Value);
    }
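With this solution you don't have to set a polling interval.
END EDIT
BEGIN EDIT 2:
Use the `Win32_ProcessStopTrace` class to monitor process stop events. To combine both process start and stop events, use the `Win32_ProcessTrace` class. In the event handler, use the `ClassPath` property to distinguish between start/stop events: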
    using (ManagementEventWatcher eventWatcher =
        new ManagementEventWatcher(@"SELECT * FROM Win32_ProcessTrace"))
    {
        eventWatcher.EventArrived += Process_EventArrived;
        eventWatcher.Start();
        Console.Out.WriteLine("started");
        Console.In.ReadLine();
        eventWatcher.EventArrived -= Process_EventArrived;
        eventWatcher.Stop();
    }

    static void Process_EventArrived(object sender, EventArrivedEventArgs e)
    {
        // Use class path to distinguish between start/stop process events.
        Console.Out.WriteLine(e.NewEvent.ClassPath);
        // Pass the name as a format argument so that {0} is substituted.
        Console.Out.WriteLine("ProcessName: {0}",
            e.NewEvent.Properties["ProcessName"].Value);
    }
END EDIT 2
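
An added example, not part of the original answer: it carries out both steps named at the top of the answer, first recording the creation time of every running process and then subscribing to `Win32_ProcessStartTrace`. The class name `ProcessBaseline`, the handler name `OnStart` and the output layout are assumptions; it needs a reference to System.Management and administrative privileges for the trace class.

```csharp
using System;
using System.Collections.Generic;
using System.Management; // add a reference to System.Management

static class ProcessBaseline // hypothetical name, not from the answer
{
    static void Main()
    {
        // Step 1: snapshot every running process with its creation time.
        var baseline = new Dictionary<uint, DateTime>();
        using (var searcher = new ManagementObjectSearcher(
            "SELECT ProcessId, Name, CreationDate FROM Win32_Process"))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementBaseObject proc in results)
            {
                // CreationDate is a CIM datetime string and may be null.
                var raw = proc["CreationDate"] as string;
                DateTime created = raw == null ? DateTime.MinValue
                    : ManagementDateTimeConverter.ToDateTime(raw);
                baseline[(uint)proc["ProcessId"]] = created;
                Console.WriteLine("existing {0,6} {1:u} {2}",
                    proc["ProcessId"], created, proc["Name"]);
            }
        }

        // Step 2: subscribe to start events (needs administrative privileges).
        // A process started between the snapshot and Start() is seen by neither step.
        using (var watcher = new ManagementEventWatcher("SELECT * FROM Win32_ProcessStartTrace"))
        {
            watcher.EventArrived += OnStart;
            watcher.Start();
            Console.WriteLine("baseline: {0} processes; press Enter to stop", baseline.Count);
            Console.ReadLine();
            watcher.EventArrived -= OnStart;
            watcher.Stop();
        }
    }

    static void OnStart(object sender, EventArrivedEventArgs e)
    {
        ManagementBaseObject ev = e.NewEvent;
        // TIME_CREATED is a FILETIME value (100 ns ticks since 1601).
        DateTime created = DateTime.FromFileTime((long)(ulong)ev["TIME_CREATED"]);
        Console.WriteLine("started  {0,6} {1:u} {2} (parent {3})",
            ev["ProcessID"], created, ev["ProcessName"], ev["ParentProcessID"]);
    }
}
```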