How to detect creation of a new process?

  • Question

  • Hello,

    I want to perform some operations when a new process is created. How can I detect creation of a new process? For example I want to get triggered when I start a program from my desktop, start menu or any other directory of my computer.

    If I simply hook CreateProcess & CreateProcessEx in explorer.exe would it fulfill my needs? I don't want to miss any process creation, whether it is created by double clicking or by selection and pressing enter from keyboard!

    regards
    Friday, December 18, 2009 4:24 PM

Answers

  • Read this topic. It describes different ways.
    One way is to use WMI, as described in this article (but it's for .NET).
    The other way is to use PsSetCreateProcessNotifyRoutine, described here.
    • Marked as answer by ali.shujah Wednesday, December 23, 2009 1:44 PM
    Friday, December 18, 2009 4:42 PM
  • Hi Ali.shujah,

    Yes, you can use a global hook to achieve your objective, but do not hook CreateProcess & CreateProcessEx; you can try to hook the NtCreateSection() function instead. And Nikita has given you a great API, PsSetCreateProcessNotifyRoutine(), which offers the ability to register a system-wide callback function that is called by the OS each time a new process starts, exits or is terminated.

    For details, please refer to the following two articles:

    Hooking the native API and controlling process creation on a system-wide basis
    http://www.codeproject.com/KB/system/soviet_protector.aspx

    Detecting Windows NT/2K process execution
    http://www.codeproject.com/KB/threads/procmon.aspx

    Best Regards,
    Nancy
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by ali.shujah Wednesday, December 23, 2009 1:44 PM
    Monday, December 21, 2009 10:47 AM
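The user-mode WMI route mentioned in the first answer, as an added example that is not code from the thread or from the linked articles: it subscribes to the Win32_ProcessStartTrace event from an elevated PowerShell session and logs every process start on the machine, whatever the parent process, which is the gap a hook inside explorer.exe alone would leave. The log path is an assumed value.

```powershell
# Added example (not code from the thread): a user-mode, system-wide process-start
# monitor using the WMI/CIM event class Win32_ProcessStartTrace. The event is raised
# by the kernel's process-tracing provider rather than by the launching application,
# so it also catches processes started by services, cmd.exe, scheduled tasks and
# other parents that a hook placed only inside explorer.exe would never see.
# Requires an elevated PowerShell 3.0 or later session (CIM cmdlets).

# Assumed log location; change as needed. One line is appended per process start.
$LogPath = Join-Path $env:TEMP 'process-start.log'

$query = 'SELECT * FROM Win32_ProcessStartTrace'

# The action block runs in the event subscriber's scope, so the log path is handed
# over with -MessageData instead of relying on the caller's variables being visible.
$action = {
    $e = $Event.SourceEventArgs.NewEvent
    # Fields of Win32_ProcessStartTrace used here: ProcessName, ProcessID,
    # ParentProcessID, SessionID. ParentProcessID is what lets a defender spot
    # unusual parent/child pairs (for example an office application spawning a shell).
    $fields = @((Get-Date), $e.ProcessName, $e.ProcessID, $e.ParentProcessID, $e.SessionID)
    $line = '{0:u} name={1} pid={2} ppid={3} session={4}' -f $fields
    Add-Content -Path $Event.MessageData -Value $line
}

$null = Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier 'ProcessStartWatch' -Action $action -MessageData $LogPath

Write-Host "Watching process starts; logging to $LogPath. Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Always unregister, otherwise the subscription outlives this script in the session.
    Unregister-Event -SourceIdentifier 'ProcessStartWatch' -ErrorAction SilentlyContinue
    Get-Job -Name 'ProcessStartWatch' -ErrorAction SilentlyContinue | Remove-Job -Force
}
```

This delivers the start notification asynchronously, after the process already exists; only the kernel callback route (PsSetCreateProcessNotifyRoutine from a driver) is invoked synchronously during creation, which matters if the goal is to block rather than just to observe.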

All replies

  • Hello ali.shujah,

    Considering that many developers in this forum ask how to watch the process creation and shutdown event, my team has created a code sample for this frequently asked programming task in Microsoft All-In-One Code Framework. You can download the code samples at:

    VBProcessWatcher
    http://bit.ly/VBProcessWatcher

    CSProcessWatcher
    http://bit.ly/CSProcessWatcher

    With these code samples, we hope to reduce developers’ efforts in solving the frequently asked programming tasks. If you have any feedback or suggestions for the code samples, please email us: onecode@microsoft.com.

    ------------

    The Microsoft All-In-One Code Framework (http://1code.codeplex.com) is a free, centralized code sample library driven by developers' needs. Our goal is to provide typical code samples for all Microsoft development technologies, and reduce developers' efforts in solving typical programming tasks.

    Our team listens to developers’ pains in MSDN forums, social media and various developer communities. We write code samples based on developers’ frequently asked programming tasks, and allow developers to download them with a short code sample publishing cycle. Additionally, our team offers a free code sample request service. This service is a proactive way for our developer community to obtain code samples for certain programming tasks directly from Microsoft.

    Thanks

    Microsoft All-In-One Code Framework

    Friday, March 25, 2011 4:17 AM