Detect new process without polling or DLL

Jugdish

Feb 4, 2007, 10:11:56 PM
I need to be able to detect when another process is started, and I'd
prefer to avoid any sort of polling of the running processes. One
method I read about is using PsSetCreateProcessNotifyRoutine() to
detect process execution, and another method involves
SetWindowsHookEx(), using a system-wide WH_SHELL hook to identify when
the top-level window of the process gets created. However, both of
these methods involve writing a DLL, and I've gone out of my way in
the past to keep my project completely self-contained and not
dependent on any DLLs, so neither of these methods really appeals to
me.

So my question is if there is any way to detect the creation of a new
process (or creation of a new top-level window) without polling or DLL
dependencies?

Thanks

Sten Westerback (MVP SDK)

Feb 5, 2007, 1:53:08 AM

"Jugdish" <daneb...@gmail.com> wrote in message
news:1170645116....@v33g2000cwv.googlegroups.com...

Sure, you can make a user interface which once a second or so pops up a
window asking the user if the process has started. ;)

But in reality, no, you need to poll or get notified. Writing a DLL
shouldn't be any bigger issue, if you feel like distributing your tool
without installation app, without separate documentation and not even
zipped, then you still have the option of the EXE storing the DLL as a
Resource which you extract to the same folder whenever needed.

-Sten


James Brown

Feb 5, 2007, 3:52:20 AM
"Sten Westerback (MVP SDK)" <REMOVE_IF_NOSPAM_e...@nokia.com>
wrote in message news:ovAxh.47511$Nb2.9...@news1.nokia.com...

The PsSetCreateProcessNotifyRoutine is actually a kernel function, so writing
a device-driver would be in order. But it is still the neatest way to do
things imo. See www.catch22.net/tuts/kernel1.asp for information and a
sample EXE that drops+installs a driver from its resources.

James
www.catch22.net

Patrick v. Harsdorf

Feb 5, 2007, 12:04:21 PM
"James Brown" <em...@viahomepage.com> wrote in message
news:sfadnd6TvaPbbVvY...@pipex.net...

> The PsSetCreateProcessNotifyRoutine is actually a kernel function, so
> writing a device-driver would be in order. But it is still the neatest way
> to do things imo. See www.catch22.net/tuts/kernel1.asp for information
> and a sample EXE that drops+installs a driver from its resources.
>
> James
> www.catch22.net
>

Jugdish, you don't want to write a driver for this. Some reasons to avoid
drivers if not necessary include:
- programming and debugging is completely different to what you are used to
- it will not work on 64 bit Vista
- it might not work on Vista at all
- a programming error will cause your customers' machine to bluescreen/lose
data instead of just your program crashing
- there are just so many fascinating ways to shoot yourself in the foot with
drivers

Use polling only if you don't have to poll more frequently than say, every
half a second. And use a low priority thread for that. The toolhelp-API is
slow. If half a second is too much delay, I guess you need an extra file.

And if you need an extra file, go for the DLL. If you are really looking for
processes that have windows, go for the hook. If what you are looking
for is all the processes, even if they open no windows, this is what I
recommend: Read about the registry key AppInit_DLLs
(http://support.microsoft.com/kb/197571). If you register your DLL there, it
will be magically loaded into every new process that is created and its
DllMain() function is called. It can then notify your main program or do
whatever you do when a new process is created.

Greetings
Patrick
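
The polling approach described in the last post (a low-priority thread taking a Toolhelp snapshot about every half second), as an added example that is not part of the original thread. The names `new_pids`, `snapshot_pids` and `MAX_PIDS` are assumptions made for illustration; the Win32 part only compiles on Windows, and a process that starts and exits between two snapshots is never seen.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
#define MAX_PIDS 4096  /* assumed upper bound on live processes */

/* Copy every PID in cur[] that is absent from prev[] into out[]; return the count. */
size_t new_pids(const unsigned long *prev, size_t nprev,
                const unsigned long *cur, size_t ncur, unsigned long *out)
{
    size_t i, j, n = 0;
    for (i = 0; i < ncur; i++) {
        for (j = 0; j < nprev && prev[j] != cur[i]; j++) {}
        if (j == nprev) out[n++] = cur[i];
    }
    return n;
}

#ifdef _WIN32
/* Fill pids[] from one Toolhelp snapshot; returns 0 if the snapshot fails. */
static size_t snapshot_pids(unsigned long *pids, size_t cap)
{
    PROCESSENTRY32 pe;
    size_t n = 0;
    BOOL ok;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof(pe);
    for (ok = Process32First(snap, &pe); ok && n < cap; ok = Process32Next(snap, &pe))
        pids[n++] = pe.th32ProcessID;
    CloseHandle(snap);
    return n;
}

int main(void)
{
    static unsigned long a[MAX_PIDS], b[MAX_PIDS], fresh[MAX_PIDS];
    unsigned long *prev = a, *cur = b, *tmp;
    size_t nprev, ncur, nfresh, i;
    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST);
    nprev = snapshot_pids(prev, MAX_PIDS);
    for (;;) {
        Sleep(500);                        /* half-second poll interval */
        if ((ncur = snapshot_pids(cur, MAX_PIDS)) == 0) continue; /* failed snapshot */
        nfresh = new_pids(prev, nprev, cur, ncur, fresh);
        for (i = 0; i < nfresh; i++) printf("new process: pid %lu\n", fresh[i]);
        tmp = prev; prev = cur; cur = tmp; nprev = ncur;  /* current becomes baseline */
    }
}
#endif
```

Because the comparison is by PID only, a PID that is freed and reused between two snapshots looks like the same process.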

