如何在 Windows 中监视进程/程序执行?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/510372/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to monitor process/program execution in windows?
提问by Niyaz
We are trying to develop a small application that can monitor the programs/processes that are executing in a windows machine.
我们正在尝试开发一个小应用程序,它可以监视在 Windows 机器中执行的程序/进程。
If the program/process is not supposed to run, it should be blocked. It works similar to an antivirus.
如果程序/进程不应该运行,它应该被阻止。它的工作原理类似于防病毒软件。
This is the basic idea.
这是基本思想。
I want to know the ways to hook into the OS to get notified about every single program/process trying to run in the machine.
我想知道如何连接到操作系统以获得有关尝试在机器中运行的每个程序/进程的通知。
回答by Rob Haupt
The easiest way is to use WMI. Specifically monitor the Win32_ProcessStartTrace. This is better than Win32_Process, because it is setup to use events whereas Win32_Process requires polling which is more CPU intensive. Below is how to do it in C#. First make sure that System.Management is setup as a reference for your project.
最简单的方法是使用 WMI。具体监控 Win32_ProcessStartTrace。这比 Win32_Process 更好,因为它被设置为使用事件,而 Win32_Process 需要轮询,这会占用更多 CPU。下面是如何在 C# 中做到这一点。首先确保将 System.Management 设置为您的项目的参考。
public System.Management.ManagementEventWatcher mgmtWtch;
public Form1()
{
InitializeComponent();
mgmtWtch = new System.Management.ManagementEventWatcher("Select * From Win32_ProcessStartTrace");
mgmtWtch.EventArrived += new System.Management.EventArrivedEventHandler(mgmtWtch_EventArrived);
mgmtWtch.Start();
}
void mgmtWtch_EventArrived(object sender, System.Management.EventArrivedEventArgs e)
{
MessageBox.Show((string)e.NewEvent["ProcessName"]);
}
private void Form1_FormClosing(object sender, FormClosingEventArgs e)
{
mgmtWtch.Stop();
}
The code will generate a messagebox everytime you launch a new process. From there you can check a whitelist/blacklist and act appropriately.
每次启动新进程时,代码都会生成一个消息框。从那里您可以检查白名单/黑名单并采取适当的行动。
回答by amazedsaint
I havn't tried geting real-time notification. How ever, Here is how to get running processes in C#
我还没有尝试获得实时通知。但是,这里是如何在 C# 中获取正在运行的进程
using System.Diagnostics;
//Somewhere in your method
Process[] runningList = Process.GetProcesses();
foreach(Process p in runningList){
Console.WriteLine("Process: {0} ID: {1}", p.ProcessName, p.Id);
}
You can also use the following props of a process
您还可以使用以下道具的过程
- StartTime - Shows the time the process started
- TotalProcessorTime - Shows the amount of CPU time the process has taken
- Threads - gives access to the collection of threads in the process
- StartTime - 显示进程开始的时间
- TotalProcessorTime - 显示进程占用的 CPU 时间
- 线程 - 允许访问进程中的线程集合
回答by Stefan
I would check up the Win32-api SetWindowsHookExwith the constant WH_GETMESSAGE to add a callback to your program when a new window is being created.
我会检查 Win32-api SetWindowsHookEx与常量 WH_GETMESSAGE 以在创建新窗口时向您的程序添加回调。
http://pinvoke.net/default.aspx/user32.SetWindowsHookEx
http://pinvoke.net/default.aspx/user32.SetWindowsHookEx
Google that API and WH_GETMESSAGE to find out more.
谷歌那个 API 和 WH_GETMESSAGE 以了解更多信息。
Also check out the following articles/code librarys: http://www.vbaccelerator.com/home/Vb/Code/Libraries/Hooks/vbAccelerator_Hook_Library/article.asp
另请查看以下文章/代码库:http://www.vbaccelerator.com/home/Vb/Code/Libraries/Hooks/vbAccelerator_Hook_Library/article.asp
