
How to get source and destination PID for process created using WMI?

A process can be spawned using WMI COM; below is an example of spawning calc.exe in VBS. The parent would be WmiPrvSE.exe, which is the WMI COM server, rather than wscript.exe. The task is to hook the process-creation request below.

str = "calc.exe"
' Connect to the CIMv2 namespace on the local machine
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
' Build a Win32_ProcessStartup instance to pass as startup information
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
' Call Win32_Process.Create; the new PID is returned in intProcessID
Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
objProcess.Create str, Null, objConfig, intProcessID

Asynchronous process creation using WMI can be monitored using query:

"SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Post WHERE ObjectPath=\"Win32_Process\" AND MethodName=\"Create\"";

An event is triggered when the above VBS script is executed. But the ManagementEventWatcher receives an event that gives useful info only about the command line:

using System.Management;

void OnEventArrived(object sender, EventArrivedEventArgs e)
{
    // InputParameters is an embedded object holding the arguments of Win32_Process.Create;
    // CommandLine is a direct parameter of Create, not a member of Win32_ProcessStartup
    var input = (ManagementBaseObject)e.NewEvent["InputParameters"];
    string cmdline = (string)input["CommandLine"];
}

and it is impossible to know that the VBS originated the spawning of calc.exe. I need the source and destination PID, that is, "wscript.exe sample.vbs" PID=666 created "calc.exe" PID=667 using WMI. How to do this? Additionally, is there a possibility to prevent process creation on the MSFT_WmiProvider_ExecMethodAsyncEvent_Pre event?
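To see exactly which fields the event from the query above actually carries, the following added example (not code from the question or its answer) subscribes to MSFT_WmiProvider_ExecMethodAsyncEvent_Post in root\cimv2 with the same WQL query, reads CommandLine from the embedded InputParameters object, and then dumps every property of the event recursively. Running it while the VBS script executes shows what is and is not available to a detection consumer; the connection to root\cimv2 and the console loop are assumptions for a stand-alone program, and System.Management must be referenced.

```csharp
using System;
using System.Management;

// Added monitoring example: log every Win32_Process.Create call made through WMI.
class WmiCreateMonitor
{
    // Same query as in the question: post-execution event for Win32_Process.Create
    const string Query =
        "SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Post " +
        "WHERE ObjectPath=\"Win32_Process\" AND MethodName=\"Create\"";

    static void Main()
    {
        // Assumption: the provider operation events are raised in root\cimv2,
        // the namespace in which Win32_Process lives.
        var scope = new ManagementScope(@"\\.\root\cimv2");
        using (var watcher = new ManagementEventWatcher(scope, new WqlEventQuery(Query)))
        {
            watcher.EventArrived += OnEventArrived;
            watcher.Start();
            Console.WriteLine("Watching WMI process creation; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void OnEventArrived(object sender, EventArrivedEventArgs e)
    {
        ManagementBaseObject ev = e.NewEvent;

        // InputParameters is an embedded object with the arguments passed to Create():
        // CommandLine, CurrentDirectory and ProcessStartupInformation.
        var input = ev["InputParameters"] as ManagementBaseObject;
        string cmdLine = input != null ? input["CommandLine"] as string : null;
        Console.WriteLine($"[{DateTime.Now:O}] Win32_Process.Create CommandLine = {cmdLine ?? "<null>"}");

        // Dump everything else the event carries, so the reader can verify which
        // fields (for example, any caller identity) are present or absent.
        Dump(ev, "  ");
        Console.WriteLine();
    }

    // Recursively print the properties of a WMI object, descending into embedded objects.
    static void Dump(ManagementBaseObject obj, string indent)
    {
        foreach (PropertyData p in obj.Properties)
        {
            var embedded = p.Value as ManagementBaseObject;
            if (embedded != null)
            {
                Console.WriteLine($"{indent}{p.Name}:");
                Dump(embedded, indent + "  ");
            }
            else
            {
                Console.WriteLine($"{indent}{p.Name} = {p.Value ?? "<null>"}");
            }
        }
    }
}
```

Compile against System.Management.dll and run it elevated before executing the VBS script; the dump makes it clear that the event describes the Create() call itself (its arguments and the provider's result) rather than the client process that issued it, which is why a caller PID has to come from somewhere other than this event.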

Try the Process.Id property.

using System.Diagnostics;

Process[] localByName = Process.GetProcessesByName("notepad");
int i = localByName.Length;
while (i > 0)
{
    // You can use the process Id to pass to other applications or to
    // reference that particular instance of the application.
    Console.WriteLine(localByName[i - 1].Id.ToString());
    i -= 1;
}

Otherwise, if you need to enumerate using a different property, check them out here.
