如何在 Windows 中监视进程/程序执行? [英] How to monitor process/program execution in windows?
问题描述
我们正在尝试开发一个小型应用程序,它可以监控在 Windows 机器中执行的程序/进程.
We are trying to develop a small application that can monitor the programs/processes that are executing in a windows machine.
如果程序/进程不应该运行,它应该被阻止.它的工作原理类似于防病毒软件.
If the program/process is not supposed to run, it should be blocked. It works similar to an antivirus.
这是基本思路.
我想知道如何连接到操作系统以获取有关尝试在机器中运行的每个程序/进程的通知.
I want to know the ways to hook into the OS to get notified about every single program/process trying to run in the machine.
推荐答案
最简单的方法是使用 WMI.具体监控 Win32_ProcessStartTrace.这比 Win32_Process 更好,因为它被设置为使用事件,而 Win32_Process 需要轮询,这会占用更多 CPU.下面是如何在 C# 中做到这一点.首先确保将 System.Management 设置为您的项目的参考.
The easiest way is to use WMI. Specifically monitor the Win32_ProcessStartTrace. This is better than Win32_Process, because it is setup to use events whereas Win32_Process requires polling which is more CPU intensive. Below is how to do it in C#. First make sure that System.Management is setup as a reference for your project.
public System.Management.ManagementEventWatcher mgmtWtch;
public Form1()
{
InitializeComponent();
mgmtWtch = new System.Management.ManagementEventWatcher("Select * From Win32_ProcessStartTrace");
mgmtWtch.EventArrived += new System.Management.EventArrivedEventHandler(mgmtWtch_EventArrived);
mgmtWtch.Start();
}
void mgmtWtch_EventArrived(object sender, System.Management.EventArrivedEventArgs e)
{
MessageBox.Show((string)e.NewEvent["ProcessName"]);
}
private void Form1_FormClosing(object sender, FormClosingEventArgs e)
{
mgmtWtch.Stop();
}
每次启动新进程时,代码都会生成一个消息框.从那里您可以检查白名单/黑名单并采取适当的行动.
The code will generate a messagebox everytime you launch a new process. From there you can check a whitelist/blacklist and act appropriately.
这篇关于如何在 Windows 中监视进程/程序执行?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!