How to detect external process launch
-
Wednesday, September 30, 2009 9:08 PM
I am trying to find an API in Visual C++ that will allow my service to detect the launch of any process. The process would be launched outside of the service. If a user launches Word, then I would like my service to get a message (or event) marking the launch of the process. If needed, I could do this at the kernel level, if there is a way to do it there. Any help is appreciated.
Thanks
Talmadge
All Replies
-
Wednesday, September 30, 2009 9:25 PM
I remember the Hook mechanism helps us find out when processes open/close within the system. I would recommend you read some of the material available in MSDN thoroughly.
Anand -
Wednesday, September 30, 2009 9:27 PM
Check this link for more details on Hooks in Win32
Anand -
Wednesday, September 30, 2009 9:46 PM
Anand, I fail to see how hooks would help. How would it catch a process launch that doesn't open a window, for example?
I see that there is a System::Diagnostics::Process class that can receive notification (an event) when the process exits, but I don't see any obvious way of being notified when a process starts. One can always enumerate the running processes, obviously, but that strikes me as a rather crude solution.
- Edited by Brian Muth MVP Wednesday, September 30, 2009 10:12 PM (spelling)
-
Wednesday, September 30, 2009 10:38 PM (Moderator)
It can be done with WMI. This thread shows you how to in C#. Translating it into C/C++ is known to be possible, good luck with it.
Hans Passant.
- Marked As Answer by nobugz MVP, Moderator Thursday, October 01, 2009 9:51 PM
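The WMI event subscription Hans refers to, as an added example that is not part of the thread: it is written in PowerShell rather than C++ so the event class and its fields can be checked before the same query is ported to IWbemServices::ExecNotificationQuery in C++. It assumes an elevated session and the Win32_ProcessStartTrace class in root\cimv2.

```powershell
# Added example, not from the thread: a temporary WMI event subscription for
# process launches, the mechanism referred to in the reply above.
# Win32_ProcessStartTrace is an ETW-backed extrinsic event class in root\cimv2,
# so it fires at creation time without polling; it requires an elevated session.

$query = 'SELECT * FROM Win32_ProcessStartTrace'

# The -Action block runs once per event on a background runspace. The event
# carries ProcessName, ProcessID, ParentProcessID and SessionID, but no command
# line, so the parent/session pair is what a detection rule has to work with.
$null = Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier 'ProcStart' -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # TIME_CREATED is a 64-bit FILETIME-style count of 100 ns ticks
        $when = [DateTime]::FromFileTime([long]$e.TIME_CREATED)
        $line = '{0:HH:mm:ss} pid={1} ppid={2} session={3} {4}' -f `
            $when, $e.ProcessID, $e.ParentProcessID, $e.SessionID, $e.ProcessName
        Write-Host $line
    }

# Alternative for systems where the trace class is unavailable: poll the
# intrinsic __InstanceCreationEvent. TargetInstance is a Win32_Process and so
# exposes CommandLine, but a process that starts and exits inside the WITHIN
# interval is never reported.
#   SELECT * FROM __InstanceCreationEvent WITHIN 2
#   WHERE TargetInstance ISA 'Win32_Process'

Write-Host 'Watching for process starts; press Ctrl+C to stop.'
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # finally runs on Ctrl+C too, so the subscription never outlives the script.
    Unregister-Event -SourceIdentifier 'ProcStart'
}
```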
-
Thursday, October 01, 2009 12:26 AM
Very elegant solution, Hans.
-
Thursday, October 01, 2009 6:01 AM
Hello,
Since you mentioned kernel mode, the create process hook is PsSetCreateProcessNotifyRoutine.
Regards,
Dev s r'us -
Thursday, October 01, 2009 4:16 PM
Anand, I fail to see how hooks would help. How would it catch a process launch that doesn't open a window, for example?
I see that there is a System::Diagnostics::Process class that can receive notification (an event) when the process exits, but I don't see any obvious way of being notified when a process starts. One can always enumerate the running processes, obviously, but that strikes me as a rather crude solution.
See this very informative article on hooking, which also discusses ways to get notified when a new process is started or closed in C++ applications.
Anand
- Proposed As Answer by Anand K Reddy Thursday, October 01, 2009 9:18 PM
-
Thursday, October 01, 2009 4:30 PM
Yes, Dev is right. Process Structure routines help us solve this problem in C++. One of these APIs, as Dev said, "PsSetCreateProcessNotifyRoutine()", offers the ability to register a system-wide callback function which is called by the OS each time a new process starts, exits or is terminated.
Check this article, which may also be useful.
Anand -
Thursday, October 01, 2009 4:43 PM
It can be done with WMI. This thread shows you how to in C#. Translating it into C/C++ is known to be possible, good luck with it.
Hans Passant.
Yes, Hans is right, we can do the same thing in C++ as well. See this example from MSDN.
Anand
- Proposed As Answer by Anand K Reddy Thursday, October 01, 2009 9:19 PM
-
Thursday, October 01, 2009 4:57 PM
Yes, Dev is right. Process Structure routines help us solve this problem in C++. One of these APIs, as Dev said, "PsSetCreateProcessNotifyRoutine()", offers the ability to register a system-wide callback function which is called by the OS each time a new process starts, exits or is terminated.
Check this article, which may also be useful.
Anand
That's an interesting article. However, it does require a driver to get at the kernel event. One wonders if WMI is using a similar technique.
-
Thursday, October 01, 2009 9:51 PM (Moderator)
Self-propose is *so* helpful to a moderator.
Hans Passant.