检测Windows进程使用C#启动和退出事件而不使用WMI
[英]Detect Windows processes start and exit events with C# without WMI
问题描述
Using WMI's ManagementEventWatcher/EventArrivedEventHandler will result in creating another thread which I'm trying to avoid. 
使用WMI的ManagementEventWatcher / EventArrivedEventHandler将导致创建另一个我想避免的线程。 WMI also is knowing for its delay. WMI也知道它的延迟。
So my question is : how can I detect Windows process creation/termination with C# without WMI ? 所以我的问题是:如何在没有WMI的情况下使用C#检测Windows进程创建/终止? is there a way to do this from unmanaged code ? 有没有办法从非托管代码执行此操作?
2 个解决方案
解决方案1
3 2014-03-24 22:01:42
You can use Event Tracing for Windows (ETW). 您可以使用Windows事件跟踪 (ETW)。 Specifically, you want to look at subclasses of the Process class in the kernel event tracer . 具体来说,您希望在内核事件跟踪器中查看Process类的子类 。
I haven't ever used this from managed code, but this blog post looks useful. 我从未在托管代码中使用过此代码,但此博客文章看起来很有用。
And I don't know if this creates extra threads in your process. 而且我不知道这是否会在您的流程中创建额外的线程。
In summary, you don't need WMI to monitor process events. 总之,您不需要WMI来监视进程事件。 You can use ETW instead but I don't know if it exactly meets your requirements. 您可以使用ETW,但我不知道它是否完全符合您的要求。
解决方案2
2 2014-03-02 20:13:07
To the best of my knowledge, the only supported way to subscribe to process create/destroy events is through WMI. 据我所知,订阅流程创建/销毁事件的唯一支持方式是通过WMI。 I think you are rejecting the option of polling, in which case it is either WMI, or bust. 我认为你拒绝选择投票,在这种情况下,它是WMI或破产。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.