检测Windows进程的启动和退出事件

检测Windows进程的启动和退出事件

本文介绍了在没有WMI的情况下使用C#检测Windows进程的启动和退出事件的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

使用WMI的ManagementEventWatcher/EventArrivedEventHandler将导致创建另一个我要避免的线程.WMI也知道它的延迟.
所以我的问题是:如何在没有WMI的情况下使用C#检测Windows进程的创建/终止?有没有办法从非托管代码做到这一点?

Using WMI's ManagementEventWatcher/EventArrivedEventHandler will result in creating another thread which I'm trying to avoid. WMI also is knowing for its delay.
So my question is : how can I detect Windows process creation/termination with C# without WMI ? is there a way to do this from unmanaged code ?

推荐答案

您可以使用 Windows事件跟踪(ETW).具体来说,您要查看内核事件跟踪器.

You can use Event Tracing for Windows (ETW). Specifically, you want to look at subclasses of the Process class in the kernel event tracer.

我从未在托管代码中使用过它,但是此博客文章看起来很有用.

I haven't ever used this from managed code, but this blog post looks useful.

我不知道这是否会在您的进程中创建额外的线程.

And I don't know if this creates extra threads in your process.

总而言之,您不需要WMI来监视过程事件.您可以改用ETW,但我不知道它是否完全符合您的要求.

In summary, you don't need WMI to monitor process events. You can use ETW instead but I don't know if it exactly meets your requirements.

这篇关于在没有WMI的情况下使用C#检测Windows进程的启动和退出事件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-20 06:14