Process Start Event Using WMI - Not All Process Starts Being Detected


Problem description

I am using the following C# code in a Windows Service (which runs as NT_AUTHORITY\SYSTEM) to create an event handler for receiving process creation events (using WMI and WQL):

using System.Diagnostics;
using System.Management;   // ManagementEventWatcher, WqlEventQuery (System.Management.dll)

// Extrinsic WMI event: the kernel trace provider raises one event per process start.
string queryString = "SELECT * FROM Win32_ProcessStartTrace";
ManagementEventWatcher watcher = new ManagementEventWatcher(new WqlEventQuery(queryString));
watcher.EventArrived += new EventArrivedEventHandler(ProcessStartEvent);
watcher.Start();

In ProcessStartEvent:

// Win32_ProcessStartTrace carries ProcessID (WMI property names are case-insensitive).
int processId = int.Parse(e.NewEvent.Properties["ProcessId"].Value.ToString());
// GetProcessById throws ArgumentException if the process has already exited;
// the event itself also carries ProcessName, which does not depend on the process still running.
Process proc = Process.GetProcessById(processId);

Out("Received process: " + proc.ProcessName);


The problem I'm having is that (for some strange reason) not every process start is captured and reported by the program. If I start about 6 processes simultaneously, one may not show up in the output.

I've tried to do some research on capturing process creation events using WMI, but there is limited information available. I've seen that it is also possible to capture process starts using something similar to:

SELECT TargetInstance
FROM __InstanceCreationEvent
WITHIN  2
WHERE TargetInstance ISA 'Win32_Process'

(as shown in this Stack Overflow answer)

Are there any major differences between using __InstanceCreationEvent and Win32_ProcessStartTrace? Could this be the cause of my problems?

Is there an explanation as to why I'm not receiving events for all process starts? Is there something more obvious that I'm doing wrong here?

Recommended answer

Both methods are valid but work in different ways.

When you use the __InstanceCreationEvent WMI class you are using an intrinsic event, which means that you are monitoring changes in the standard WMI data model (this works like a trigger on a table).

When you use Win32_ProcessStartTrace you are using an extrinsic event, which means you are using a specialized event class made for a specific task, in this case monitoring process creation.

Now back to your issue: the best way to avoid the "loss" of some events is creating a permanent event consumer.
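The following PowerShell script is an added example and is not part of the question or the answer above. It puts both points of the answer side by side: the first function subscribes to the same two queries the question compares (the extrinsic Win32_ProcessStartTrace and the intrinsic __InstanceCreationEvent ... WITHIN 2), fires a burst of short-lived processes, and reports how many of them each subscription saw; the second and third functions create and remove the permanent event consumer the answer recommends, using the standard __EventFilter / LogFileEventConsumer / __FilterToConsumerBinding triple in root/subscription. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows (Win32_ProcessStartTrace needs administrative rights); the subscription names, the log path C:\Temp\procstart.log and the burst of `cmd.exe /c exit` processes are assumptions chosen for the demonstration.

```powershell
# Added example, not code from the original post.
# Assumes: elevated PowerShell on Windows; names, log path and workload are illustrative.

function Compare-ProcessStartSubscriptions {
    param([int]$Burst = 6)

    $extrinsicQuery = 'SELECT * FROM Win32_ProcessStartTrace'
    $intrinsicQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"

    # Temporary subscriptions: events are queued in this session until Get-Event drains them.
    Register-CimIndicationEvent -Namespace root/cimv2 -Query $extrinsicQuery -SourceIdentifier 'ProcStart.Extrinsic'
    Register-CimIndicationEvent -Namespace root/cimv2 -Query $intrinsicQuery -SourceIdentifier 'ProcStart.Intrinsic'
    Start-Sleep -Seconds 3   # let the intrinsic poller take its first Win32_Process snapshot

    # Constructed workload: processes that exit almost immediately after starting.
    $launched = 1..$Burst | ForEach-Object {
        (Start-Process -FilePath cmd.exe -ArgumentList '/c exit' -WindowStyle Hidden -PassThru).Id
    }
    Start-Sleep -Seconds 5   # longer than the WITHIN interval, so the poller gets its turn

    # Extrinsic events carry the PID directly; intrinsic events wrap a Win32_Process instance.
    $extrinsic = Get-Event -SourceIdentifier 'ProcStart.Extrinsic' |
        ForEach-Object { [int]$_.SourceEventArgs.NewEvent.ProcessID }
    $intrinsic = Get-Event -SourceIdentifier 'ProcStart.Intrinsic' |
        ForEach-Object { [int]$_.SourceEventArgs.NewEvent.TargetInstance.ProcessId }

    foreach ($id in 'ProcStart.Extrinsic', 'ProcStart.Intrinsic') {
        Unregister-Event -SourceIdentifier $id
        Get-Event -SourceIdentifier $id -ErrorAction SilentlyContinue | Remove-Event
    }

    [pscustomobject]@{
        Launched        = $Burst
        SeenByExtrinsic = @($launched | Where-Object { $extrinsic -contains $_ }).Count
        SeenByIntrinsic = @($launched | Where-Object { $intrinsic -contains $_ }).Count
    }
}

# Permanent consumer: lives in the WMI repository and is serviced by the WinMgmt service,
# so it does not depend on a client process keeping a watcher alive.
function Install-ProcessStartLogger {
    param([string]$LogPath = 'C:\Temp\procstart.log')   # assumed path

    $ns = 'root/subscription'
    $filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
        Name = 'Example-ProcStartFilter'; EventNamespace = 'root/cimv2'
        QueryLanguage = 'WQL'; Query = 'SELECT * FROM Win32_ProcessStartTrace'
    }
    # %Property% tokens are filled from the Win32_ProcessStartTrace instance that fired.
    $consumer = New-CimInstance -Namespace $ns -ClassName LogFileEventConsumer -Property @{
        Name = 'Example-ProcStartLogger'; Filename = $LogPath
        Text = '%TIME_CREATED% pid=%ProcessID% ppid=%ParentProcessID% name=%ProcessName%'
    }
    New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
        Filter = [Ref]$filter; Consumer = [Ref]$consumer
    }
}

function Remove-ProcessStartLogger {
    $ns = 'root/subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq 'Example-ProcStartFilter' } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='Example-ProcStartFilter'" | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName LogFileEventConsumer -Filter "Name='Example-ProcStartLogger'" | Remove-CimInstance
}

# Usage:
#   Compare-ProcessStartSubscriptions -Burst 6
#   Install-ProcessStartLogger; Start-Process notepad.exe; Get-Content C:\Temp\procstart.log
#   Remove-ProcessStartLogger
```

Two practical caveats. The intrinsic query is polled at the WITHIN interval, so a process that starts and exits inside that window is never seen by it at all, which is why the comparison above launches processes that exit immediately. And permanent WMI event subscriptions are exactly the mechanism attackers use for persistence (MITRE ATT&CK T1546.003; Sysmon records them as event IDs 19, 20 and 21), so give yours an unambiguous name, document it, expect it to show up in your own telemetry, and remove it with Remove-ProcessStartLogger when it is no longer needed.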
