How to Detect Win32 Process Creation/Termination in C++

How to detect win32 process creation/termination in c++

The only thing I could think of is WMI, not sure if it provides a process creation callback, but it might be worth looking into.

win32 process termination detection: WMI vs. WaitForSingleObject

I've written a process monitoring service before, and used WMI to monitor the processes. It allows you to specifiy a "where" clause of processes to monitor and, as you mentioned, calls you when something has happened.

The advantage of this is that you don't have to have a thread block waiting for the processes in question to exit, but instead can just run your WMI query and wait for the callback when something terminates. The downside is that the WMI API is a bit more wordy then the Win32 API. In particular you have to build up queries as string in WMI.

Is there a system event when a process is created?

Rust can't do anything that the OS doesn't already provide, and Rust doesn't have its own runtime, so you can just use whatever the OS offers.

When there isn't already a crate for some thing, the problem boils down to: How would you do that in C? Find answer to that, and then use Rust's FFI (or some lower-level sys crate like winapi to call that.

WMI detect process creation event - c++

you should add a loop after the call to the ExecNotificationQueryAsyncat the end of the function registerCreationCallback, it can be a forever loop with done condition or you can use a WaitForSingleObject, then create an event and signaled when you want to finish your process, also you should release all the resources allocated.

For get the name of the process started, go to the Indicate function and change this

virtual HRESULT STDMETHODCALLTYPE Indicate(
        LONG lObjectCount,
        IWbemClassObject __RPC_FAR *__RPC_FAR *apObjArray
    ){
        for (int i = 0; i < lObjectCount; i++){
            _variant_t vtProp;
            _variant_t cn;

            hr = apObjArray[i]->Get(_bstr_t(L"TargetInstance"), 0, &vtProp, 0, 0)
            IUnknown* str = vtProp;
            HRESULT hr = str->QueryInterface(IID_IWbemClassObject, reinterpret_cast<void**>(&apObjArray[i]));
            if (SUCCEEDED(hr))
            {
                _variant_t cn;
                hr = apObjArray[i]->Get(L"Name", 0, &cn, NULL, NULL);
                //here is the name of the process
                //cn.bstrVal
                m_callback();
            }
        }

        /* Unregister event sink */
        //you should not unregister the event if you want to receive more notifications, do this after 
        //your forever loop in registerCreationCallback
        //pSvc->CancelAsyncCall(pStubSink);
        return WBEM_S_NO_ERROR;
    }

then you can send de name as a paremeter to your callback

How to detect win32 process creation/termination in c++

The only thing I could think of is WMI, not sure if it provides a process creation callback, but it might be worth looking into.

Using WMI to monitor process creation event

Went back and reviewed this article Example: Receiving Event Notifications Through WMI, and spotted an apparently important difference.

In method CreationEvent::registerCreationCallback(...), replace:

CoInitialize(NULL);

with:

CoInitializeEx(0, COINIT_MULTITHREADED);

detect program termination (C, Windows)

1. Win32

The Win32 API contains a way to do this via the SetUnhandledExceptionFilter function, as follows:

LONG myFunc(LPEXCEPTION_POINTERS p)
{
     printf("Exception!!!\n");     
     return EXCEPTION_EXECUTE_HANDLER;
}

int main()
{
     SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)&myFunc);    
     // generate an exception !
     int x = 0;
     int y = 1/x;
     return 0;
}

2. POSIX/Linux

I usually do this via the signal() function and then handle the SIGSEGV signal appropriately. You can also handle the SIGTERM signal and SIGINT, but not SIGKILL (by design). You can use strace() to get a backtrace to see what caused the signal.

best method to detect win32 services creation and deletion

SubscribeServiceChangeNotifications() can detect services being added and deleted, using the SC_EVENT_DATABASE_CHANGE event type. This method is available in Windows 8 and later.

NotifyServiceStatusChange() can also detect services being added and deleted, using the SERVICE_NOTIFY_CREATED and SERVICE_NOTIFY_DELETED notify masks. This method is available in Windows Vista and later.

Otherwise, you can monitor the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services Registry key for subkey changes, such as with RegNotifyChangeKeyValue() using the REG_NOTIFY_CHANGE_NAME filter. This method is available in Windows 2000 and later.

So, it is not so much about "which approach is best", it is more like "which approach is appropriate for the version of Windows my app is running on". Your app could utilize all 3 approaches. Using dynamic loading via GetProcAddress(), or your compiler's delay-load feature (if it has one), you can check for DLL function existence at runtime and act accordingly. If SubscribeServiceChangeNotifications() exists then use it, otherwise if NotifyServiceStatusChange() exists then use it, otherwise if RegNotifyChangeKeyValue() exists then use it.

---

Related Topics