如何监视Windows中的进程/程序执行？ [英] How to monitor process/program execution in windows?

问题描述

我们正在尝试开发一个可以监控在Windows机器中执行的程序/进程的小型应用程序。

We are trying to develop a small application that can monitor the programs/processes that are executing in a windows machine.

如果程序/进程不应该运行，应该被阻止。它的工作方式类似于防病毒软件。

If the program/process is not supposed to run, it should be blocked. It works similar to an antivirus.

这是基本思路。

我想知道如何钩入操作系统，以获得有关在计算机中运行的每个程序/进程的通知。

I want to know the ways to hook into the OS to get notified about every single program/process trying to run in the machine.

推荐答案

最简单的方法是使用WMI。特别监视Win32_ProcessStartTrace。这比Win32_Process更好，因为它被设置为使用事件，而Win32_Process需要更多CPU密集型的轮询。下面是如何在C＃中执行。首先确保System.Management被设置为您的项目的参考。

The easiest way is to use WMI. Specifically monitor the Win32_ProcessStartTrace. This is better than Win32_Process, because it is setup to use events whereas Win32_Process requires polling which is more CPU intensive. Below is how to do it in C#. First make sure that System.Management is setup as a reference for your project.

    public System.Management.ManagementEventWatcher mgmtWtch;

    public Form1()
    {
        InitializeComponent();
        mgmtWtch = new System.Management.ManagementEventWatcher("Select * From Win32_ProcessStartTrace");
        mgmtWtch.EventArrived += new System.Management.EventArrivedEventHandler(mgmtWtch_EventArrived);
        mgmtWtch.Start();
    }

    void mgmtWtch_EventArrived(object sender, System.Management.EventArrivedEventArgs e)
    {
        MessageBox.Show((string)e.NewEvent["ProcessName"]);
    }

    private void Form1_FormClosing(object sender, FormClosingEventArgs e)
    {
        mgmtWtch.Stop();
    }

代码将在每次启动新进程时生成一个消息框。从那里你可以查看一个白名单/黑名单并采取适当行动。

The code will generate a messagebox everytime you launch a new process. From there you can check a whitelist/blacklist and act appropriately.

这篇关于如何监视Windows中的进程/程序执行？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！