C# Raise an event when a new process starts

再見小時候 2020-12-10 04:34

Hey there, is there a way to raise an event when a new process is started without using the ManagementEventWatcher, and without using Process.GetProcesses()? The problem wi

4 Answers
  • 2020-12-10 05:07

    It should be possible to figure out when an application was last run by configuring audit process tracking in Windows. The following links might get you started:

    Audit process tracking

    How can I track what programs come and go on my machine?

    The process tracking will create entries in the Windows event log which you can then access using C#.

    Ref: .NET Process Monitor

  • 2020-12-10 05:16

    The strange thing is that an application does not need to create a window in Windows. A created process may not belong to the window station that you work on. You will need to find the windows of that process anyway, and you will also need to detect new and closed windows of all processes.

    So enumerating windows is a much cleaner/easier choice.

    Try the EnumChildWindows function on the desktop handle (retrieved by GetDesktopWindow) to find the top-level windows of applications. Use GetWindowThreadProcessId and EnumThreadWindows on the obtained handles to detect sub-windows of windows.

    A low priority thread will do the job.

  • 2020-12-10 05:18

    You can probably use EnumDesktopWindows from user32.dll. You will get all the window handles, and you can check the title of a window using GetWindowText and the type of window using GetClassName.

    That way you can hide the hint or treasure anywhere (because you will get handles of all the windows (and controls)).

    See if this class will be useful to you: Managed Global Hook for Window Creation and Destruction

    In that article, someone has created a nice class with easy-to-attach events. You can run that code without elevating privileges.

    Once you get the window (control) handle, you can add text or draw an image on it for hints.

  • 2020-12-10 05:24

    Unlike the extrinsic event Win32_ProcessStartTrace that you are currently using, the __InstanceCreationEvent and __InstanceDeletionEvent WMI intrinsic events do not require administrator rights.

    Here's a sample query you can use to track process starts:

    SELECT TargetInstance 
      FROM __InstanceCreationEvent WITHIN 1 
     WHERE TargetInstance ISA 'Win32_Process' 
       AND TargetInstance.Name LIKE '<your process name.exe>'
    

    Further info: Process Information and Notifications using WMI

    Because these are intrinsic events, WMI ultimately mimics event behaviour by means of polling, and will check for new events only periodically (here, every 1 second). Decreasing the WITHIN duration to fractions of seconds will give you faster response at the expense of CPU usage.

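The intrinsic-event query from the last answer, wired to a subscription through System.Management, as an added example that is not part of the original answers. The sample target `notepad.exe`, the `BuildQuery` helper and its name check are assumptions; the query uses `=` instead of `LIKE` so that `_` and `%` in a name are not treated as wildcards.

```csharp
using System;
using System.Management;               // add a reference to System.Management
using System.Text.RegularExpressions;

static class ProcessStartWatcher
{
    // Hypothetical helper: WQL has no parameter binding, so the process name is
    // checked against a conservative pattern before it is concatenated in.
    static string BuildQuery(string processName, int pollSeconds)
    {
        if (!Regex.IsMatch(processName, @"^[A-Za-z0-9 ._-]+\.exe$"))
            throw new ArgumentException("unexpected characters in process name");
        return "SELECT TargetInstance FROM __InstanceCreationEvent WITHIN " + pollSeconds +
               " WHERE TargetInstance ISA 'Win32_Process'" +
               " AND TargetInstance.Name = '" + processName + "'";
    }

    static void Main(string[] args)
    {
        string name = args.Length > 0 ? args[0] : "notepad.exe"; // assumed sample target
        var query = new WqlEventQuery(BuildQuery(name, 1));      // 1 s polling, as in the answer

        using (var watcher = new ManagementEventWatcher(query))  // default scope: root\cimv2
        {
            watcher.EventArrived += (sender, e) =>
            {
                // TargetInstance is the Win32_Process object that appeared.
                var proc = (ManagementBaseObject)e.NewEvent["TargetInstance"];
                Console.WriteLine("{0:o} start pid={1} ppid={2} name={3} path={4}",
                    DateTime.UtcNow, proc["ProcessId"], proc["ParentProcessId"],
                    proc["Name"], proc["ExecutablePath"] ?? "(not readable)");
            };

            watcher.Start();             // events arrive on a worker thread
            Console.WriteLine("Watching for {0}; press Enter to stop.", name);
            Console.ReadLine();
            watcher.Stop();
        }
    }
}
```

Because WMI polls for these events, a process that starts and exits between two polls is never reported, so this is not a complete record of process creation.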