Menu
Hey there, Is there a way to raise event when a new process is started without using the ManagementEventWatcher, and without using the Process.GetProcesses()? The problem with ManagementEventWatcher is that the user needs to have high premmisions. Thank you!!!
217
Unlike the extrinsic event Win32_ProcessStartTrace that you are currently using, the __InstanceCreationEvent and __InstanceDeletionEvent WMI intrinsic events do not require administrator rights.
Here's a sample query you can use to track process starts:
SELECT TargetInstance
FROM __InstanceCreationEvent WITHIN 1
WHERE TargetInstance ISA 'Win32_Process'
AND TargetInstance.Name LIKE '<your process name.exe>'
Further info: Process Information and Notifications using WMI
Because these are intrinsic events, WMI ultimately mimics event behaviour by means of polling, and will check for new events only periodically (here, every 1 second). Decreasing the WITHIN duration to fractions of seconds will give you faster response at the expense of CPU usage.
71
It should be possible to figure out when an application was last run by configuring audit process tracking in Windows. The following links might get you started:
Audit process tracking
How can I track what programs come and go on my machine?
The process tracking will create entries in the Windows event log which you can then access using C#.
Ref: .NET Process Monitor
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
