How to send custom info to Win32_processStartTrace events
I'm writing an application that monitors process start and process end for a list of processes I'm interested in. Since Win32_ProcessStartTrace doesn't have a processpath, I'm filtering my events based on processName. Once an event arrives, I want to do a further check using the processPath, to make sure I have caught the right application, and avoid any false positives. How do I get the processPath I'm interested in into my StartProcess_EventArrived method? I have the path before the event is raised, but not when the event arrives. I'm aware of using __InstanceCreationEvent which will allow me to filter on processPath, but I don't want my application to consume CPU because of this being an intrinsic event.
    using System;
    using System.Management;

    void WaitForProcess()
    {
        var notePadpath = "C:/users/notepad.exe";
        // WQL string literals are written in single quotes
        ManagementEventWatcher startWatch = new ManagementEventWatcher(
            new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'notepad.exe'"));
        startWatch.EventArrived
            += new EventArrivedEventHandler(startWatch_EventArrived);
        startWatch.Start();
    }

    // How can I extract the path of my application in the below method? I don't want to use a global variable.
    void startWatch_EventArrived(object sender, EventArrivedEventArgs e)
    {
        try
        {
            // notePadpath is a local of WaitForProcess() and is not in scope here
            using (var searcher = new ManagementObjectSearcher("SELECT * FROM Win32_Process WHERE ExecutablePath = '" + notePadpath + "'"))
            {
                // ... inspect the matching processes ...
            }
        }
        catch (ManagementException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
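One way to get the expected path into the handler without a global, shown as an added example that is not part of the original post: a lambda handler captures the path, and each event is verified by looking up the started process by the `ProcessID` carried in the event, since a name-only filter matches any binary with that file name. The class name, the `Watch` and `GetExecutablePath` helpers, and the console messages are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Management;

class ProcessStartMonitor
{
    // Hypothetical helper: watch for processName and check every start against expectedPath.
    static ManagementEventWatcher Watch(string processName, string expectedPath)
    {
        string expected = Path.GetFullPath(expectedPath); // normalises '/' to '\' on Windows
        string name = processName.Replace("\\", "\\\\").Replace("'", "\\'"); // escape for WQL
        var watcher = new ManagementEventWatcher(new WqlEventQuery(
            "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '" + name + "'"));
        // The lambda captures 'expected', so the handler needs no global variable.
        watcher.EventArrived += (sender, e) =>
        {
            uint pid = Convert.ToUInt32(e.NewEvent.Properties["ProcessID"].Value);
            string actual = GetExecutablePath(pid);
            if (actual == null)
                Console.WriteLine("PID {0}: path unavailable (process exited or not readable)", pid);
            else if (string.Equals(Path.GetFullPath(actual), expected, StringComparison.OrdinalIgnoreCase))
                Console.WriteLine("PID {0}: verified {1}", pid, actual);
            else
                Console.WriteLine("PID {0}: name matched but path differs: {1}", pid, actual);
        };
        watcher.Start();
        return watcher;
    }

    // Looks the process up by PID; returns null if it is gone or its path cannot be read.
    static string GetExecutablePath(uint pid)
    {
        using (var searcher = new ManagementObjectSearcher(
            "SELECT ExecutablePath FROM Win32_Process WHERE ProcessId = " + pid))
        using (var results = searcher.Get())
            foreach (ManagementBaseObject process in results)
                using (process) return process["ExecutablePath"] as string;
        return null;
    }

    static void Main()
    {
        // Name and path taken from the question; substitute the real values.
        var watcher = Watch("notepad.exe", "C:/users/notepad.exe");
        Console.ReadLine(); // keep watching until Enter is pressed
        watcher.Stop();
        watcher.Dispose();
    }
}
```

A short-lived process can exit between the start event and the `Win32_Process` lookup, so the "path unavailable" branch should be treated as unverified rather than as a match.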
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
