Reputation: 4390
Is there a way to get an event from windows on every new process that is started?
I want to get a notification each time a new process is started by the operating system.
Note that I need to that in native code (I know it can be done in managed code using System.Management members).
Extra points if there is a way to get it before the process starts running :) (i.e in during its initialization)
Thanks.
Upvotes: 5
Views: 2900
Answers (2)
Reputation: 74654
A real-time ETW trace will give you this information with low system overhead. Note that this will not let you hook process creation (i.e. it will only be a notification, you cannot control whether or not the process actually gets started)
Upvotes: 0
Reputation: 3013
The problem with using a driver is that you will require permission to install it, but otherwise I think is the safest method.
In user space you can try to create a window hook which will work if such application uses a windows, but is otherwise quite obnoxious.
On the other hand you can try to use WMI, which is the underlying technology used in C#. You can look for pointers in this anwers and this examples.
Upvotes: 3
Related Questions
- Listen For Process Start and End
- WMI detect process creation event - c++
- Can I Get Notified When Some Process Starts?
- How to detect win32 process creation/termination in c++
- Is there a way to recieve a event about a process starting in windows?
- Monitor process start in the system
- having a HANDLE to a Process how to sign up for monitoring of its close/restart/duplication event?
- How to watch new processes that are running or terminated in Visual C++
- Watching Global Events created by a native process in a .NET process
- How do I listen/identify when a program runs in Windows using C++?