Process 'watcher?'

rgouette

rgouette

Member
Joined
May 22, 2006
Messages
16
Location
Maine,USA
Programming Experience
1-3
Folks, I'm wanting some direction on where to begin doing the following:
On Win32 workstations, I wish to watch for executable launches, and log thier associated
application names.
I.E. , a user launches Adobe Acrobat Reader, and that launch gets logged: either locally or
to the network.
I understand that this may require a service..
Cheers and thanks!
Rich
 
Sort by date Sort by votes
Have a look at this article and code examples about Windows Management Instrumentation (WMI, which is a system service). It's in C# and monitors Win32_NTLogEvent, but it could easily be Win32_Process instead, and it is not difficult to translate to VB.Net when you know what to look for. http://www.c-sharpcorner.com/Code/2004/March/WMIEventDetecting.asp

As you can see, WMI also allows for remote monitoring of process creation event, but there can of course be one monitor running on each machine that reports elsewhere.
 
Upvote 0 Downvote
I was trying this out, so here is a console sample for you and other seeking this info. Watching the local machine, using ManagementEventWatcher with the Win32_Process WMI class watching for instance creations. First you Add Reference (.Net tab in dialog) to System.Management.dll.
VB.NET: 
[SIZE=2][COLOR=#0000ff]Imports[/COLOR][/SIZE][SIZE=2] System.Management
[/SIZE][SIZE=2][COLOR=#0000ff]Module[/COLOR][/SIZE][SIZE=2] Module1[/SIZE]
 
[SIZE=2]
[/SIZE][SIZE=2][COLOR=#0000ff]Sub[/COLOR][/SIZE][SIZE=2] main()[/SIZE][SIZE=2]
[/SIZE][SIZE=2][COLOR=#0000ff]  Dim[/COLOR][/SIZE][SIZE=2] watcher1 [/SIZE][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][SIZE=2] ManagementEventWatcher
  watcher1 = GetWatcher([/SIZE][SIZE=2][COLOR=#800000]"__InstanceCreationEvent"[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#800000]"Win32_Process"[/COLOR][/SIZE][SIZE=2])
[/SIZE][SIZE=2][COLOR=#0000ff]  AddHandler[/COLOR][/SIZE][SIZE=2] watcher1.EventArrived, [/SIZE][SIZE=2][COLOR=#0000ff]AddressOf[/COLOR][/SIZE][SIZE=2] Win32ProcArrived
  watcher1.Start()
[/SIZE][SIZE=2][COLOR=#008000]  '
[/COLOR][/SIZE][SIZE=2]  Console.WriteLine([/SIZE][SIZE=2][COLOR=#800000]"press <enter> to stop..."[/COLOR][/SIZE][SIZE=2])
  Console.ReadLine()
  watcher1.Stop()
[/SIZE][SIZE=2][COLOR=#0000ff]  RemoveHandler[/COLOR][/SIZE][SIZE=2] watcher1.EventArrived, [/SIZE][SIZE=2][COLOR=#0000ff]AddressOf[/COLOR][/SIZE][SIZE=2] Win32ProcArrived
[/SIZE][SIZE=2][COLOR=#0000ff]End [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Sub[/COLOR][/SIZE]
 
[SIZE=2][COLOR=#0000ff]Function[/COLOR][/SIZE][SIZE=2] GetWatcher([/SIZE][SIZE=2][COLOR=#0000ff]ByVal[/COLOR][/SIZE][SIZE=2] WatcherType [/SIZE][SIZE=2][COLOR=#0000ff]As [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]String[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#0000ff]ByVal[/COLOR][/SIZE][SIZE=2] wmiclass [/SIZE][SIZE=2][COLOR=#0000ff]As [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]String[/COLOR][/SIZE][SIZE=2]) [/SIZE][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][SIZE=2] ManagementEventWatcher
[/SIZE][SIZE=2][COLOR=#0000ff]  Dim[/COLOR][/SIZE][SIZE=2] condition [/SIZE][SIZE=2][COLOR=#0000ff]As [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]String[/COLOR][/SIZE][SIZE=2] = [/SIZE][SIZE=2][COLOR=#800000]"TargetInstance ISA '"[/COLOR][/SIZE][SIZE=2] & wmiclass & [/SIZE][SIZE=2][COLOR=#800000]"'"
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]  Dim[/COLOR][/SIZE][SIZE=2] EventQuery [/SIZE][SIZE=2][COLOR=#0000ff]As [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]New[/COLOR][/SIZE][SIZE=2] WqlEventQuery(WatcherType, [/SIZE][SIZE=2][COLOR=#0000ff]New[/COLOR][/SIZE][SIZE=2] TimeSpan(0, 0, 3), condition)
[/SIZE][SIZE=2][COLOR=#0000ff]  Return [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]New[/COLOR][/SIZE][SIZE=2] ManagementEventWatcher(EventQuery)
[/SIZE][SIZE=2][COLOR=#0000ff]End [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Function[/COLOR][/SIZE]
 
[SIZE=2][COLOR=#0000ff]Public [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Sub[/COLOR][/SIZE][SIZE=2] Win32ProcArrived([/SIZE][SIZE=2][COLOR=#0000ff]ByVal[/COLOR][/SIZE][SIZE=2] sender [/SIZE][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Object[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#0000ff]ByVal[/COLOR][/SIZE][SIZE=2] e [/SIZE][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][SIZE=2] EventArrivedEventArgs)
[/SIZE][SIZE=2][COLOR=#0000ff]For [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Each[/COLOR][/SIZE][SIZE=2] pd [/SIZE][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][SIZE=2] PropertyData [/SIZE][SIZE=2][COLOR=#0000ff]In[/COLOR][/SIZE][SIZE=2] e.NewEvent.Properties
[/SIZE][SIZE=2][COLOR=#0000ff] Dim[/COLOR][/SIZE][SIZE=2] mbo [/SIZE][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][SIZE=2] ManagementBaseObject = [/SIZE][SIZE=2][COLOR=#0000ff]DirectCast[/COLOR][/SIZE][SIZE=2](pd.Value, ManagementBaseObject)
[/SIZE][SIZE=2][COLOR=#0000ff] If [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Not[/COLOR][/SIZE][SIZE=2] mbo [/SIZE][SIZE=2][COLOR=#0000ff]Is [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Nothing [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Then
[/COLOR][/SIZE][SIZE=2]   Console.WriteLine([/SIZE][SIZE=2][COLOR=#800000]"--------------Process Properties------------------"[/COLOR][/SIZE][SIZE=2])
    Console.WriteLine([/SIZE][SIZE=2][COLOR=#800000]"{0} - {1}"[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#800000]"Caption"[/COLOR][/SIZE][SIZE=2], mbo([/SIZE][SIZE=2][COLOR=#800000]"Caption"[/COLOR][/SIZE][SIZE=2]).ToString)
    Console.WriteLine([/SIZE][SIZE=2][COLOR=#800000]"{0} - {1}"[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#800000]"CommandLine"[/COLOR][/SIZE][SIZE=2], mbo([/SIZE][SIZE=2][COLOR=#800000]"CommandLine"[/COLOR][/SIZE][SIZE=2]).ToString)
    Console.WriteLine([/SIZE][SIZE=2][COLOR=#800000]"{0} - {1}"[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#800000]"ExecutablePath"[/COLOR][/SIZE][SIZE=2], mbo([/SIZE][SIZE=2][COLOR=#800000]"ExecutablePath"[/COLOR][/SIZE][SIZE=2]).ToString)
    Console.WriteLine([/SIZE][SIZE=2][COLOR=#800000]"{0} - {1}"[/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#800000]"ProcessId"[/COLOR][/SIZE][SIZE=2], mbo([/SIZE][SIZE=2][COLOR=#800000]"ProcessId"[/COLOR][/SIZE][SIZE=2]).ToString)
[/SIZE][SIZE=2][COLOR=#008000]   ' to have a look at all properties use this:
[/COLOR][/SIZE][SIZE=2][COLOR=#008000]   'For Each prop As PropertyData In mbo.Properties
[/COLOR][/SIZE][SIZE=2][COLOR=#008000]   'Console.WriteLine("{0} - {1}", prop.Name, prop.Value)
[/COLOR][/SIZE][SIZE=2][COLOR=#008000]   'Next
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff] End [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]If
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Next
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]End [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Sub[/COLOR][/SIZE]
[SIZE=2][COLOR=#0000ff]
End [/COLOR][/SIZE][SIZE=2][COLOR=#0000ff]Module
[/COLOR][/SIZE]
I have earlier tried the WMI event class Win32_ProcessStartTrace with mixed experience, the above works better, here is the thread about this http://www.vbdotnetforums.com/showthread.php?t=7121
 
Upvote 0 Downvote

Similar threads

J
  • Question
Can't get process to execute
Replies
0
Views
2K
jonesin
J
D
  • Question
Windows Service stops triggering monitoring event for starting process
Replies
0
Views
2K
Developer111
D
Neodynamic
How to Directly Print a Crystal Reports to Default Client Printer from ASP.NET withou
Replies
0
Views
10K
Neodynamic
Neodynamic
ferdbiffle
  • Question
Unique situation with Windows Service
Replies
0
Views
2K
ferdbiffle
ferdbiffle
T
Experienced .NET Developer Full time - Telecommute Europe
Replies
0
Views
2K
Teddy444
T

Share this page

Latest posts

Back
Top