Jakoss

Reputation: 5275

Truncated ProcessName in Win32_ProcessStartTrace query

I'm using this code to monitor processes:

var startWatch = new ManagementEventWatcher(
    "SELECT * FROM Win32_ProcessStartTrace");
startWatch.EventArrived += startWatch_EventArrived;
startWatch.Start();

var stopWatch = new ManagementEventWatcher(
    "SELECT * FROM Win32_ProcessStopTrace");
stopWatch.EventArrived += stopWatch_EventArrived;
stopWatch.Start();

The problem is that the ProcessName property is truncated to 14 chars in both callbacks.

var name = e.NewEvent.Properties["ProcessName"].Value.ToString();

Both processes (monitor and monitored) are x64 .NET console apps.

Does anybody have any idea what might be the cause?

Upvotes: 4

Views: 1661

Answers (1)

Minh Thiện

Reputation: 160

Use __InstanceCreationEvent/__InstanceDeletionEvent instead.

Example

var startWatch = new ManagementEventWatcher(
    "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");
startWatch.EventArrived += startWatch_EventArrived;
startWatch.Start();

var stopWatch = new ManagementEventWatcher(
    "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");
stopWatch.EventArrived += stopWatch_EventArrived;
stopWatch.Start();

Event example

// e.NewEvent now has only 3 properties; we should focus on the TargetInstance property
var targetInstance = (ManagementBaseObject) e.NewEvent["TargetInstance"];
// TargetInstance has more than 40 properties, some properties can be null
var name = targetInstance["Name"]?.ToString();

Tested on .NET Core 3.1 with System.Management NuGet package.

Before

// Win32_ProcessStartTrace
"League of Legends.exe"
// Win32_ProcessStopTrace
"League of Le" // How can this happen??? Like how???

After

// __InstanceCreationEvent
"League of Legends.exe"
// __InstanceDeletionEvent
"League of Legends.exe"

Upvotes: 5
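
The WITHIN 1 queries in the answer above poll Win32_Process once a second, so a process that starts and exits between two polls produces no event. An added example, not part of the question or the answer, that keeps the Win32_ProcessStartTrace/Win32_ProcessStopTrace subscriptions and resolves the full name by PID instead of trusting ProcessName. The class name ProcessTraceMonitor, the LookupName helper and the PID cache are assumptions of this example, and it is meant to run elevated.

```csharp
// Added example: class, helper and cache names are illustrative, not from the post.
using System;
using System.Collections.Concurrent;
using System.Management;
class ProcessTraceMonitor
{
    // PID -> full name, cached at start because Win32_Process has no
    // instance left to query once the stop event arrives.
    static readonly ConcurrentDictionary<uint, string> Names =
        new ConcurrentDictionary<uint, string>();
    // Full image name from Win32_Process; null if the process already exited.
    static string LookupName(uint pid)
    {
        using (var searcher = new ManagementObjectSearcher(
            "SELECT Name FROM Win32_Process WHERE ProcessId = " + pid))
        using (var results = searcher.Get())
            foreach (ManagementBaseObject p in results)
                return p["Name"]?.ToString();
        return null;
    }
    static void Main()
    {
        var startWatch = new ManagementEventWatcher(
            "SELECT * FROM Win32_ProcessStartTrace");
        startWatch.EventArrived += (s, e) =>
        {
            uint pid = Convert.ToUInt32(e.NewEvent["ProcessID"]);
            // Fall back to the trace name (possibly truncated) if the lookup fails.
            string name = LookupName(pid) ?? e.NewEvent["ProcessName"]?.ToString();
            Names[pid] = name;
            Console.WriteLine($"start pid={pid} name={name}");
        };
        var stopWatch = new ManagementEventWatcher(
            "SELECT * FROM Win32_ProcessStopTrace");
        stopWatch.EventArrived += (s, e) =>
        {
            uint pid = Convert.ToUInt32(e.NewEvent["ProcessID"]);
            // Processes started before this monitor are not in the cache.
            if (!Names.TryRemove(pid, out string name))
                name = e.NewEvent["ProcessName"]?.ToString();
            Console.WriteLine($"stop  pid={pid} name={name}");
        };
        startWatch.Start();
        stopWatch.Start();
        Console.ReadLine(); // press Enter to quit
        startWatch.Stop();
        stopWatch.Stop();
    }
}
```

A process that exits before LookupName runs still falls back to the trace name, so very short-lived processes can keep a truncated name in the output.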
