Use Windows driver to detect process state changes

  • Question

  • If a process already exists in the task manager, when the status of the process changes from running to suspended or suspended to running, can the driver receive the message immediately? How to do it?

    Monday, December 16, 2019 1:45 AM

All replies

  • You don't want to do that.  The typical CPU-bound process makes that transition hundreds or thousands of times per second.

    What are you actually trying to do?

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Monday, December 16, 2019 7:35 AM
  • When Windows 10 OS restarts, calculator.exe will be automatically loaded. At the beginning the state is running, but after about 30 seconds, the state will become suspended. When the user starts the calculator, the state will become running. The driver must detect status changes to match my application.

    Monday, December 16, 2019 8:49 AM
  • The Calculator is a UWP (aka Metro, Modern etc) application. "Suspend" is a special state specific to such applications. Is your application UWP?

    -- pa

    Monday, December 16, 2019 10:58 PM
  • Originally I wanted to use a service.exe to detect the status of the calculator, but for some reason I was unable to use CreateProcessAsUser to create a process in the user session to do this, so I wanted to use the device driver to detect the status of the calculator change.

    Tuesday, December 17, 2019 1:23 AM
  • I'm not convinced that's going to be possible.  The special processing for UWP apps is mostly managed in user mode.  Have you gone through all the APIs in psapi.h and tlhelp32.h?  If Task Manager can find the information, then it's available through an API.

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Tuesday, December 17, 2019 6:54 AM
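    A user-mode way to observe the transition Tim describes, added here as an example and not code from anyone in this thread: it polls the process's threads and reports the app as Suspended when every thread is parked in a Wait with WaitReason = Suspended, which is the condition Task Manager reflects for a suspended UWP app. The process name 'Calculator' and the 500 ms poll interval are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): user-mode polling of a UWP app's
# suspend state via the per-thread WaitReason exposed by System.Diagnostics.
# Assumptions: image name 'Calculator' and a 500 ms poll interval.

function Get-UwpProcessState {
    param([System.Diagnostics.Process]$Process)
    $Process.Refresh()                      # drop cached thread info
    $threads = @($Process.Threads)
    if ($threads.Count -eq 0) { return 'Unknown' }
    # WaitReason is only valid (and only readable without an exception)
    # while ThreadState is Wait, hence the short-circuit -and.
    $suspended = @($threads | Where-Object {
        $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
        $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
    })
    if ($suspended.Count -eq $threads.Count) { 'Suspended' } else { 'Running' }
}

function Watch-UwpProcessState {
    param(
        [string]$Name = 'Calculator',   # assumed image name
        [int]$IntervalMs = 500          # assumed poll interval
    )
    $last = $null
    while ($true) {
        $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            $state = 'NotRunning'
        } else {
            $state = Get-UwpProcessState -Process $procs[0]
        }
        # Only log transitions, not every poll.
        if ($state -ne $last) {
            Write-Host ("{0:o} {1} -> {2}" -f (Get-Date), $Name, $state)
            $last = $state
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

Watch-UwpProcessState
```

    Because this polls, detection latency is bounded by the interval rather than immediate, which is the same trade-off raised below for ETW.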
  • Unsure, but maybe it is worth the effort to take a closer look at this ETW provider?

    Microsoft-Windows-AppModel-Exec          {EB65A492-86C0-406A-BACE-9912D595BD69}

    With kind regards

    Tuesday, December 17, 2019 1:27 PM
  • The problem with ETW is it is buffered, so there is a delay in receiving it, i.e. you can have a delay of indeterminate length.

    Don Burn Windows Driver Consulting Website:

    Wednesday, December 18, 2019 2:08 AM