Windows资源监视器使用哪些win32函数来检测终止进程的磁盘和netwrork活动？ [英] Which win32 functions used by windows resource monitor to detect both disk and netwrork activties for terminated process?

问题描述

在Windows资源监视器中有四个选项卡 - CPU，MEMORY，DISK，NETWORK此程序向我们显示每个进程及其各自的PID（进程ID），这些进程涉及磁盘驱动器和网络的I / O活动。



问题

我使用Win32编程加Visual C ++（Visual Studio）.I创建了一个进程（使用CreateProcess函数）VBS3_64.exe，假设我不知道它的内部行为，在我的程序中我的唯一目的是创建该进程，让它执行几分钟并使用Terminate或SendMessage终止它功能。在我逐步终止该进程后，Windows资源监视器显示已终止状态（灰色）上的CPU和内存使用情况，但磁盘活动和网络活动此时都在运行（黑色）几分钟。甚至Windows任务管理器都没有显示进程。



我使用Win32函数来检查进程是否仍然在系统上运行，即使它被称为终止或强制终止但是所有这些功能都给了我相同的结果。但只有资源监视器检测到它的清理 - 磁盘活动和网络活动。





< big> 问题

1.如何终止进程仍然在后台运行它的清理工作，只有资源监视器检测到它的各自的PID？

2.哪些Win32函数可以帮助我们检测这样的过程？ （资源监视器正在使用哪些Win32函数来检测终止进程的后台/清理活动）。



请参考我在MSDN上询问的以下问题： - < a href =MSDN％20LINk> [ ^ ]



我尝试了什么：



我试图通过以下方式获取Process及其I / O活动的状态Win32函数：

In Windows Resource Monitor there are four tabs - CPU,MEMORY,DISK,NETWORK This program shows us every process with their respective PID(process ID) which are involving with I/O activities with disk drives and network.

Issue
I am using Win32 Programming plus Visual C++(Visual Studio).I created a process(Using CreateProcess function) "VBS3_64.exe",suppose that I don't know it's internal behavior,In my program my only intention was to create that process,let it execute for several minutes and Terminate it using Terminate or SendMessage functions. After I terminate that process progrmatically Windows Resource monitor shown that both CPU and Memory usage on "Terminated" state(gray color) but both Disk activity and Network activity were running(black color) at the moment for several minutes. Even Windows Task Manager did not show that Process.

I used Win32 functions to check whether that the process still running on the system even it get called Terminate or force kill but all of those function given me the same result.But only Resource Monitor detects its clean up -Disk activities and Network activities.


Question
1.How terminated process still Run in background for its cleanup stuff and only Resource Monitor detects it with its respective PID ?
2.Which Win32 functions helps us to detect such Process ? (which Win32 functions is being used by Resource Monitor to detect background/clean up activities of Terminated process).

Please refer following question that I asked on MSDN :- [^]

What I have tried:

I tried to get status of Process and it's I/O activities through following Win32 Functions:

DWORD pid = 14216;
	HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	HPSS snapShot;
	PSS_PROCESS_INFORMATION info;
	PSS_PERFORMANCE_COUNTERS  traceInfo;
	BOOL status = STILL_ACTIVE;
	do
	{
		auto ret = PssCaptureSnapshot(process, PSS_CAPTURE_HANDLES | PSS_CREATE_MEASURE_PERFORMANCE, NULL, &snapShot);
		if (ret == ERROR_SUCCESS)
		{
			std::cout << "SnapShot okey" << std::endl;
			ret = PssQuerySnapshot(snapShot, PSS_QUERY_PROCESS_INFORMATION, &info, sizeof(info));
			if (ret == ERROR_SUCCESS)
			{
				status = info.ExitStatus;
				std::cout << status << std::endl;
				std::cout << info.PebBaseAddress << std::endl;
			}
			ret = PssQuerySnapshot(snapShot, PSS_QUERY_PERFORMANCE_COUNTERS, &traceInfo, sizeof(traceInfo));
			if (ret == ERROR_SUCCESS)
			{
				std::cout << "Cycles:" << traceInfo.TotalCycleCount << std::endl;
			}
		};

	} while (status == STILL_ACTIVE);

和

And

IO_COUNTERS counters;
while (process && GetProcessIoCounters(process, &counters))
{
    std::cout << "Read operations: " << counters.ReadOperationCount << std::endl;
    std::cout << "Read Transfers: " << counters.ReadTransferCount << std::endl;
    CloseHandle(process);
    Sleep(1000);
    process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
}

推荐答案

您在MSDN论坛上获得的答案不正确。



Windows资源监视器主要使用 Windows事件跟踪（ETW） [ ^ ]。



对于磁盘i / o，请查看 DiskIO类 [ ^ ]这是资源监视器使用的内容。您可能需要使用 FileIo类 [ ^ ]获取文件名并调用线程ID。



WMI [ ^ ]建立在ETW之上。您也可以从WMI 获取此数据（内部使用获取计数器读取ETW跟踪 [ ^ ]。



事件跟踪MOF类 [ ^ ]



再次...... WMI建立在ETW之上，您可能更喜欢从WMI获取此数据。您的选择。



祝福，

-David Delaune

Hi,

The answers you are getting on the MSDN forum are incorrect.

The Windows Resource Monitor is mostly using Event Tracing for Windows (ETW)[^].

For disk i/o check out the DiskIO class[^] which is what the resource monitor uses. You may need to use the FileIo class[^] to get the filename and calling thread id.

WMI[^] is built on top of ETW. You can also get this data from WMI (which internally reads an ETW trace) by utilizing Get-Counter[^].

Event Tracing MOF Classes[^]

Again... WMI is built on top of ETW and you may prefer to get this data from WMI. Your choice.

Best Wishes,
-David Delaune

这篇关于Windows资源监视器使用哪些win32函数来检测终止进程的磁盘和netwrork活动？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！