How to detect when a new process is started?

Question

I want to show a MessageBox if any (not a specific program) new process is running. For example:

Any program is ran
When any program is ran, a MessageBox is shown saying New process!

How is this done?

Sorry for the lack of detail in this question. There isn't really much to add.

Visual Vincent · Accepted Answer

You can use WMI (Windows Management Instrumentation) for this. It provides the Win32_ProcessStartTrace and Win32_ProcessStopTrace events for detecting when a process has been started/terminated.

Before we do anything you need to add a reference to the managed WMI library. Right-click your project in the Solution Explorer and press Add Reference.... Then go to the .NET tab, select System.Management and press OK.

Based on Hans Passant's answer:

Imports System.Management

Public Class Form1

    Dim WithEvents ProcessStartWatcher As New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"))
    Dim WithEvents ProcessStopWatcher As New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace"))

    Private Sub Form1_Load(sender As Object, e As System.EventArgs) Handles MyBase.Load
        ProcessStartWatcher.Start()
        ProcessStopWatcher.Start()
    End Sub

    Private Sub Form1_FormClosing(sender As Object, e As System.Windows.Forms.FormClosingEventArgs)
        ProcessStartWatcher.Stop()
        ProcessStopWatcher.Stop()
    End Sub

    Private Sub ProcessStartWatcher_EventArrived(sender As Object, e As System.Management.EventArrivedEventArgs) Handles ProcessStartWatcher.EventArrived
        Dim ProcessName As String = e.NewEvent.Properties("ProcessName").Value
        Dim PID As Integer = e.NewEvent.Properties("ProcessID").Value

        MessageBox.Show(String.Format("Process ""{0}"" with ID {1} started.", ProcessName, PID))
    End Sub

    Private Sub ProcessStopWatcher_EventArrived(sender As Object, e As System.Management.EventArrivedEventArgs) Handles ProcessStopWatcher.EventArrived
        Dim ProcessName As String = e.NewEvent.Properties("ProcessName").Value
        Dim PID As Integer = e.NewEvent.Properties("ProcessID").Value

        MessageBox.Show(String.Format("Process ""{0}"" with ID {1} stopped.", ProcessName, PID))
    End Sub
End Class

This polls after a couple of seconds, so if you think this is too slow you could poll the __InstanceCreationEvent and __InstanceDeletionEvent events instead, which lets you specify the polling interval:

Const PollingInterval As Double = 2.0 'Seconds.

Dim WithEvents ProcessStartWatcher As New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM __InstanceCreationEvent WITHIN " & PollingInterval & " WHERE TargetInstance ISA 'Win32_Process'"))
Dim WithEvents ProcessStopWatcher As New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM __InstanceDeletionEvent WITHIN " & PollingInterval & " WHERE TargetInstance ISA 'Win32_Process'"))

(...form code...)

Private Sub ProcessStartWatcher_EventArrived(sender As Object, e As System.Management.EventArrivedEventArgs) Handles ProcessStartWatcher.EventArrived
    Dim ProcessName As String = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)("Name")
    Dim PID As Integer = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)("ProcessId")

    MessageBox.Show(String.Format("Process ""{0}"" with ID {1} started.", ProcessName, PID))
End Sub

Private Sub ProcessStopWatcher_EventArrived(sender As Object, e As System.Management.EventArrivedEventArgs) Handles ProcessStopWatcher.EventArrived
    Dim ProcessName As String = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)("Name")
    Dim PID As Integer = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)("ProcessId")

    MessageBox.Show(String.Format("Process ""{0}"" with ID {1} stopped.", ProcessName, PID))
End Sub

IMPORTANT: WMI polling can use a lot of CPU, so don't set too small intervals.

How to detect when a new process is started?

Answers (2)

Related Questions