Is it possible to somehow track the launch of another process (cmd.exe) using C#? Maybe there are some libraries for working with system events?
2 answers
Since the question for which I wrote this answer turned out to be a "duplicate", I am posting the solution here, especially since the question asked for a solution in C#, and the accepted answer is in VB.
```csharp
using System;
using System.Management; // => Project => Add Reference => System.Management

namespace ProcessMonitor
{
    class Program
    {
        static void Main(string[] args)
        {
            // Subscribe to process-start events
            ManagementEventWatcher startWatch = new ManagementEventWatcher(
                new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
            startWatch.EventArrived += startWatch_EventArrived;
            startWatch.Start();

            // Subscribe to process-stop events
            ManagementEventWatcher stopWatch = new ManagementEventWatcher(
                new WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace"));
            stopWatch.EventArrived += stopWatch_EventArrived;
            stopWatch.Start();

            Console.WriteLine("Press ENTER to exit");
            Console.ReadLine();

            startWatch.Stop();
            stopWatch.Stop();
        }

        static void stopWatch_EventArrived(object sender, EventArrivedEventArgs e)
        {
            Console.WriteLine("Process stopped: {0}", e.NewEvent.Properties["ProcessName"].Value);
        }

        static void startWatch_EventArrived(object sender, EventArrivedEventArgs e)
        {
            Console.WriteLine("Process started: {0}", e.NewEvent.Properties["ProcessName"].Value);
        }
    }
}
```
To track a particular process, you can write it like this:
```csharp
ManagementEventWatcher startWatch = new ManagementEventWatcher(
    new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = \"notepad.exe\""));
```
Important! Using ManagementEventWatcher requires administrator privileges.
The possible parameters that can be used in the WQL query above can be found here.
- Hmm... some other way. And what is the difference compared to mine? - Qwertiy ♦
- @Qwertiy essentially nothing, just yours is in VB and this one in C#. When I wrote the answer I was not aware of your variant :) - Mstislav Pavlov
- No, they are different - you even have different sources in the query: Win32_ProcessStartTrace and Win32_ProcessStopTrace, and I have something with __InstanceOperationEvent. What is the difference between the approaches? - Qwertiy ♦
- @Qwertiy I looked closely, there is a difference after all :) - Mstislav Pavlov
- @Qwertiy honestly I'm at a dead end: msdn.microsoft.com/en-us/library/aa394649(v=vs.85).aspx msdn.microsoft.com/en-us/library/windows/desktop/… the method description suggests that these are different names for the same thing. - Mstislav Pavlov
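As an added example (not code from either answer), here is a C# watcher for the cmd.exe case in the question: it filters Win32_ProcessStartTrace in the query itself and enriches each event with the parent process name and the command line looked up from Win32_Process, handling the case where the process has already exited by the time the event is processed. It assumes a reference to System.Management and, as noted in the answer above, administrator rights.

```csharp
using System;
using System.Management;

namespace ProcessMonitor
{
    static class CmdStartMonitor
    {
        static void Main()
        {
            // Filter in the WQL query so only cmd.exe starts are delivered to the handler.
            var query = new WqlEventQuery(
                "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'cmd.exe'");
            using (var watcher = new ManagementEventWatcher(query))
            {
                watcher.EventArrived += OnProcessStarted;
                watcher.Start();
                Console.WriteLine("Watching for cmd.exe starts, press ENTER to exit");
                Console.ReadLine();
                watcher.Stop();
            }
        }

        static void OnProcessStarted(object sender, EventArrivedEventArgs e)
        {
            uint pid = (uint)e.NewEvent["ProcessID"];
            uint ppid = (uint)e.NewEvent["ParentProcessID"];
            uint session = (uint)e.NewEvent["SessionID"];
            // The start-trace event carries no command line; it must be looked up in Win32_Process.
            // The process (or its parent) may already be gone, so both lookups can return nothing.
            string cmdLine = LookupProcess(pid, "CommandLine") ?? "<exited>";
            string parent = LookupProcess(ppid, "Name") ?? "<unknown>";
            Console.WriteLine("[{0:u}] cmd.exe pid={1} session={2} parent={3} (pid {4}) cmdline={5}",
                DateTime.UtcNow, pid, session, parent, ppid, cmdLine);
        }

        // Returns one Win32_Process property for a PID, or null if no such process exists any more.
        static string LookupProcess(uint pid, string property)
        {
            string wql = "SELECT " + property + " FROM Win32_Process WHERE ProcessId = " + pid;
            using (var searcher = new ManagementObjectSearcher(wql))
            using (var results = searcher.Get())
            {
                foreach (ManagementObject proc in results)
                    using (proc)
                        return proc[property] as string;
            }
            return null;
        }
    }
}
```

Because the lookup happens after the process is already running, this is observation only, which is the same limitation the second answer describes.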
It is possible with WMI. But only to track what has happened, not to intervene before the launch by performing some actions, and not to cancel it.
Here is the code in VB.NET (written a long time ago):
```vbnet
Imports System.Management

Module All
    ' Subscribe to creation/deletion/modification events for Win32_Process instances, polled every second
    WithEvents Watcher As New ManagementEventWatcher("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE TargetInstance ISA ""Win32_Process""")

    Public Sub Main()
        Watcher.Start()
        Console.ReadKey()
        Watcher.Stop()
    End Sub

    Private Sub Watcher_EventArrived(ByVal Sender As Object, ByVal E As EventArrivedEventArgs) Handles Watcher.EventArrived
        Dim EventType As String = E.NewEvent.ClassPath.ClassName
        'Dim Prc As New Win32_Process(TryCast(E.NewEvent("TargetInstance"), ManagementBaseObject))
        Dim Cmd As String = TryCast(E.NewEvent("TargetInstance"), ManagementBaseObject)("CommandLine")
        Select Case EventType
            Case "__InstanceCreationEvent"
                ' Alignment is written as {0,-16} (a comma), not {0:-16}, which would be ignored for a string argument
                Console.WriteLine("{0,-16} {1}", EventType, Cmd)
            Case "__InstanceDeletionEvent"
                Console.WriteLine("{0,-16} {1}", EventType, Cmd)
            Case "__InstanceModificationEvent"
                'Console.WriteLine(EventType)
        End Select
    End Sub
End Module
```
- "It is possible with the help of WMI. But only to track what has happened" - that's exactly what I need, thank you very much :) - Mikhail Ivanov
- "using WMI. But only to track, ... not to cancel it" - there is a Terminate method that can be called after the __InstanceCreationEvent event. - Stack
- @Stack, of course you can interrupt the process (though at least through Process.Kill by id), but this is just an interruption, not a launch cancellation. - Qwertiy ♦
- @Qwertiy the Terminate description says "Preventing a process from running in the first place." - preventing = prevention; in theory, cancellation. Although there may be an error in MSDN. - Stack
- @Stack, "from running", but not "from starting". At the time the notification is received the process is already running, and at the time of processing it is not suspended. I think I checked this back then. Or can it somehow be done with Terminate itself? - Qwertiy ♦