How to monitor WMI events winmgmts:Win32_process using C++ application

  • Question

  • Hi,

    I am writing a C++ application to monitor events from WMI, exclusively for the following type of activity.

    Set obj = GetObject("winmgmts:Win32_process")
    np = obj.Create("notepad.exe", Null, Null)

    In the above code snippet (VBA), the application is creating a notepad process using the WMI moniker "winmgmts:Win32_process". How can I monitor this?

    I could collect the event for the notepad.exe process created with the above code using the following WMI query asynchronously.

    "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

    However, the data that I collect contains the PID for notepad.exe and the PPID, which is for WMIPrvSE.exe.

    However, I am interested in correlating with the actual process (with VBA code) which initiated the request to create notepad.exe.

    How can I do that?

    Any reference to some code will be of great help.

    Thanks




    Sunday, November 22, 2020 10:57 AM