C++: Monitor process creation and termination in Windows
Question
I happened to see the following portion of code here.
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")

Switch $OB.Path_.Class
    Case "__InstanceCreationEvent"
        ConsoleWrite("+~>" & _ProcessGetPath($OB.TargetInstance.ProcessID) & @CR)
    Case "__InstanceDeletionEvent"
        ConsoleWrite("!~>" & $OB.TargetInstance.ProcessID & @CR)
EndSwitch
I used the same WQL queries to monitor processes in C++. Is there something similar in C++ by which I can know whether it was the creation or termination of a process? I tried using __CLASS, but it gives the output as Win32_Process. I am coding in MSVS2010.
Please help. Thanks.
EDIT 1: WQL QUERY ADDED
hres = pSvc->ExecNotificationQueryAsync(
    _bstr_t("WQL"),
    _bstr_t("SELECT * "
            "FROM __InstanceDeletionEvent WITHIN 1 "
            "WHERE TargetInstance ISA 'Win32_Process' "),
    WBEM_FLAG_SEND_STATUS,
    NULL,
    pStubSink);

hres = pSvc->ExecNotificationQueryAsync(
    _bstr_t("WQL"),
    _bstr_t("SELECT * "
            "FROM __InstanceCreationEvent WITHIN 1 "
            "WHERE TargetInstance ISA 'Win32_Process'"),
    WBEM_FLAG_SEND_STATUS,
    NULL,
    pStubSink);
Using the above code, I get the name of the process, either created or terminated, printed into the console from the IWbemObjectSink::Indicate method.
Answer
In order to detect the creation and termination of a process using a single WQL sentence, you can use the __InstanceOperationEvent class like so.
Select * From __InstanceOperationEvent Within 1 Where TargetInstance ISA 'Win32_Process'
Then, if you want to determine the type (class) of the event that arrived, you must evaluate the __Class property.
Try this sample:
#include <comdef.h>
#include <wbemidl.h>
#include <iostream>
#include <string>
using namespace std;

HRESULT EventSink::Indicate(long lObjectCount,
                            IWbemClassObject **apObjArray)
{
    HRESULT hr = S_OK;
    for (int i = 0; i < lObjectCount; i++)
    {
        bool CreateorDel = false;
        _variant_t cn;
        // __Class of the event object itself (not of TargetInstance, which is
        // always Win32_Process) tells creation from deletion.
        hr = apObjArray[i]->Get(_bstr_t(L"__Class"), 0, &cn, 0, 0);
        if (SUCCEEDED(hr) && cn.vt == VT_BSTR)
        {
            wstring LClassStr(cn.bstrVal);
            if (0 == LClassStr.compare(L"__InstanceDeletionEvent"))
            {
                wcout << L"Deletion" << endl;
                CreateorDel = true;
            }
            else if (0 == LClassStr.compare(L"__InstanceCreationEvent"))
            {
                wcout << L"Creation" << endl;
                CreateorDel = true;
            }
            else
            {
                // __InstanceModificationEvent: a property of an existing process changed
                CreateorDel = false;
            }
        }
        cn.Clear();   // _variant_t releases the BSTR; no separate VariantClear needed

        if (CreateorDel)
        {
            _variant_t vtProp;
            hr = apObjArray[i]->Get(_bstr_t(L"TargetInstance"), 0, &vtProp, 0, 0);
            if (SUCCEEDED(hr) && vtProp.vt == VT_UNKNOWN)
            {
                // Query the embedded Win32_Process object into its own pointer.
                // The caller owns apObjArray[i], so it must not be overwritten.
                IWbemClassObject *pTarget = NULL;
                hr = vtProp.punkVal->QueryInterface(IID_IWbemClassObject,
                                                    reinterpret_cast<void**>(&pTarget));
                if (SUCCEEDED(hr))
                {
                    _variant_t prop;
                    hr = pTarget->Get(L"Name", 0, &prop, NULL, NULL);
                    if (SUCCEEDED(hr))
                    {
                        if ((prop.vt == VT_NULL) || (prop.vt == VT_EMPTY))
                            wcout << L"Name : " << ((prop.vt == VT_NULL) ? L"NULL" : L"EMPTY") << endl;
                        else
                            wcout << L"Name : " << prop.bstrVal << endl;
                    }
                    prop.Clear();

                    // Handle is the process ID, stored as a string in Win32_Process
                    hr = pTarget->Get(L"Handle", 0, &prop, NULL, NULL);
                    if (SUCCEEDED(hr))
                    {
                        if ((prop.vt == VT_NULL) || (prop.vt == VT_EMPTY))
                            wcout << L"Handle : " << ((prop.vt == VT_NULL) ? L"NULL" : L"EMPTY") << endl;
                        else
                            wcout << L"Handle : " << prop.bstrVal << endl;
                    }
                    prop.Clear();

                    pTarget->Release();
                }
            }
            vtProp.Clear();
        }
    }
    return WBEM_S_NO_ERROR;
}
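The same single __InstanceOperationEvent subscription, written as an added PowerShell example (not code from the question or the answer) for checking from a console which events a host actually delivers before committing to the C++ sink; it assumes only the built-in Register-WmiEvent cmdlet and an elevated session.

```powershell
# Added example, not part of the original Q&A. Subscribes once to
# __InstanceOperationEvent and classifies each event by its own __CLASS,
# which is where the question's __CLASS lookup went wrong (it read the
# class of TargetInstance, which is always Win32_Process).
$query = "SELECT * FROM __InstanceOperationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

$logPath = Join-Path $env:TEMP 'procwatch.log'   # constructed output path

Register-WmiEvent -Query $query -SourceIdentifier ProcWatch -Action {
    $e    = $Event.SourceEventArgs.NewEvent   # the __Instance*Event object
    $p    = $e.TargetInstance                 # the Win32_Process snapshot
    $when = [DateTime]::Now.ToString('s')

    $line = switch ($e.__CLASS) {
        '__InstanceCreationEvent' {
            "$when CREATE pid=$($p.ProcessId) ppid=$($p.ParentProcessId) " +
            "name=$($p.Name) cmd=$($p.CommandLine)"
        }
        '__InstanceDeletionEvent' {
            "$when EXIT   pid=$($p.ProcessId) name=$($p.Name)"
        }
        default {
            # __InstanceModificationEvent: property change on a live process;
            # usually noise for process monitoring, so it is not logged
            $null
        }
    }
    if ($line) { Add-Content -Path $logPath -Value $line }
}

# Stop the subscription when done:
#   Unregister-Event -SourceIdentifier ProcWatch
```

Because WITHIN 1 is a polling interval, processes that start and exit inside that window can be missed; for detection-grade coverage, prefer kernel-sourced telemetry such as Sysmon Event ID 1/5 or Security Event ID 4688 and treat this subscription as a convenience view.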