
System Event Watcher


Alireza Haghshenass

Aug 18, 2004, 2:08:38 AM
Hi Everybody,
I just wanted to know whether there is a way to get system events (for
example, when a process starts or when a process ends, I want an event to
be raised within my program to get the started or ended process, or any
other events in the system) or not? I just need something like the file system
watcher class to watch for a specific event in the system.
Yours truly,
Alireza

Imran Koradia

Aug 18, 2004, 2:11:40 PM
Alireza,

If you are talking about shell events, then you'll need to do that with
windows hooks and subclassing. Again, since we are talking about the shell
events, you will need to install a system level hook rather than a thread
hook (which can be used to monitor events within one's application only).
According to MS, global hooks are not supported in the .net framework.
Here's a link:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q319524
Read the end paragraph, where MS mentions that global hooks are not supported
in the .NET framework.
However, from the MSDN document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks.asp
mouse and keyboard global hooks are not implemented the way other global
hooks are implemented - that is, while for other global hooks, the installed
hook is injected into every running process, such code 'injection' is not
done for mouse and keyboard hooks.
But again, what you are looking for is neither of the above two, which means
it looks as if you're going to have to write a DLL in unmanaged code to
implement the hook. At least that is what I understood after doing a whole
lot of research on the web. But - yes, another 'but' - looks like you're in
luck. Just a few days back, I wrote a piece of code in VB .NET that
implements this same functionality - that is, monitoring when a process is
created or destroyed. Take a look at the solution here:
http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/VB_DOT_NET/Q_21083100.html

The above link monitors for the HSHELL_WINDOWACTIVATED message - that is
when any window has been activated in the shell. You need to simply change
that to monitor for HSHELL_WINDOWCREATED and HSHELL_WINDOWDESTROYED
messages to determine whether a new process has been created or destroyed.
You can look here to figure out what the shell event constants are:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/WinUI/WindowsUserInterface/Windowing/Hooks/HookReference/HookFunctions/ShellProc.asp

The constant values are defined in WinUser.h which is included with either
the entire VS .NET installation (somewhere under the Vc7 under your VS .NET
installation) or it is also included in the windows platform sdk which you
can download for free from here:
http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

Hope this helps.
Imran.


Willy Denoyette [MVP]

Aug 18, 2004, 4:18:29 PM
One way to achieve this is using System.Management and WMI Win32_Process
class __InstanceCreationEvent and __InstanceDeletionEvent.

Here's a sample:

    using System;
    using System.Management;

    namespace ConsoleApplication1
    {
        class Sample_ManagementEventWatcher
        {
            [MTAThread]
            public static int Main(string[] args)
            {
                MyHandler mh;
                EventArrivedEventHandler eventArrivedEventHandler;
                ManagementEventWatcher watcher1;
                ManagementEventWatcher watcher2;
                mh = new MyHandler();

                // Watch for Win32_Process instance creation (process start).
                eventArrivedEventHandler = new EventArrivedEventHandler(mh.Win32ProcArrived);
                watcher1 = Sample_ManagementEventWatcher.GetWatcher("__InstanceCreationEvent");
                watcher1.EventArrived += eventArrivedEventHandler;
                watcher1.Start();

                // Watch for Win32_Process instance deletion (process exit).
                eventArrivedEventHandler = new EventArrivedEventHandler(mh.Win32ProcArrived);
                watcher2 = Sample_ManagementEventWatcher.GetWatcher("__InstanceDeletionEvent");
                watcher2.EventArrived += eventArrivedEventHandler;
                watcher2.Start();

                Console.WriteLine("press <enter> to stop...");
                Console.ReadLine();

                watcher1.Stop();
                watcher1.EventArrived -= eventArrivedEventHandler;
                watcher2.Stop();
                watcher2.EventArrived -= eventArrivedEventHandler;
                return 0;
            }

            public static ManagementEventWatcher GetWatcher(string WatcherType)
            {
                string wql = WatcherType;
                // The TimeSpan is the WITHIN (polling) interval: 3 seconds.
                // NOTE that short running Process events may be lost
                WqlEventQuery EventQuery = new WqlEventQuery(wql,
                    new TimeSpan(0, 0, 3), "TargetInstance ISA 'Win32_Process'");
                ManagementEventWatcher watcher = new ManagementEventWatcher(EventQuery);
                return watcher;
            }
        }

        public class MyHandler
        {
            public void Win32ProcArrived(object sender, EventArrivedEventArgs e)
            {
                // Get the Event object and display all properties
                foreach (PropertyData pd in e.NewEvent.Properties)
                {
                    // Embedded objects (e.g. TargetInstance) hold the Win32_Process data.
                    ManagementBaseObject mbo = null;
                    if ((mbo = pd.Value as ManagementBaseObject) != null)
                    {
                        Console.WriteLine("--------------Properties------------------");
                        foreach (PropertyData prop in mbo.Properties)
                            Console.WriteLine("{0} - {1}", prop.Name, prop.Value);
                    }
                }
            }
        }
    }

Willy.


Alireza Haghshenass

Aug 19, 2004, 1:38:30 AM
Dear Willy,
Really, thank you for your help; this really helped. You know, I created a
class with a timer. When the timer elapsed, it checked the old collection and
new collection for new and terminated processes. It took a lot of time (in
ms) and CPU process. Your solution is much, much, much better.
Really, thank you for your cooperation and kindness.
Yours truly,
Alireza

Alireza Haghshenass

Aug 19, 2004, 1:43:59 AM
Dear Will
Where can I find a document for the list of such events which I can access?
Thanks


Daniel Pravat [MSFT]

Aug 23, 2004, 12:45:53 AM
In Windows XP and Windows Server,
select * from Win32_ProcessStartTrace
and
select * from Win32_ProcessStopTrace
are much better.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Willy Denoyette [MVP]

Aug 23, 2004, 7:49:40 AM
Check the Platform SDK docs in MSDN, for details on WMI event handling.
And as Daniel correctly stated in his reply, it's better to use
Win32_ProcessStartTrace when available (XP and W2K3 only).
Here's a small working sample:

    using System;
    using System.Management;

    public class ProcessEvent
    {
        public void Run()
        {
            ManagementEventWatcher w = null;
            // Declared in the original sample; not used below.
            ManagementOperationObserver observer = new ManagementOperationObserver();
            // Subscribe to the process start trace event class.
            WqlEventQuery q = new WqlEventQuery();
            q.EventClassName = "Win32_ProcessStartTrace";
            w = new ManagementEventWatcher(q);
            w.EventArrived += new EventArrivedEventHandler(this.ProcStartEventArrived);
            w.Start();
        }

        private void ProcStartEventArrived(object sender, EventArrivedEventArgs e)
        {
            // Get the Event object and display it
            foreach (PropertyData pd in e.NewEvent.Properties)
            {
                Console.WriteLine("\n======================================");
                Console.WriteLine("{0},{1}", pd.Name, pd.Value);
            }
        }
    }

    class WMIEvent
    {
        [STAThread]
        public static void Main()
        {
            try
            {
                ProcessEvent procEvnt = new ProcessEvent();
                procEvnt.Run();
                Console.ReadLine(); // block main thread for test purposes
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }

Willy.
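
A fuller version of the trace-class approach from the last two replies, as an added example that is not part of the original thread: it subscribes to both Win32_ProcessStartTrace and Win32_ProcessStopTrace and pairs the events by process ID to report parent PID, exit status and lifetime. The class and member names are illustrative, and it assumes the program runs with administrative rights.

```csharp
using System;
using System.Collections.Generic;
using System.Management; // reference System.Management.dll
// Added example; class and member names are illustrative.
class ProcessLifetimeWatcher
{
    // PID -> start time, so a stop event can be paired with its start.
    static readonly Dictionary<uint, DateTime> Started = new Dictionary<uint, DateTime>();
    static readonly object Gate = new object(); // handlers run on worker threads

    static void Main()
    {
        // Assumption: run elevated; otherwise Start() is expected to throw.
        using (var start = new ManagementEventWatcher("SELECT * FROM Win32_ProcessStartTrace"))
        using (var stop = new ManagementEventWatcher("SELECT * FROM Win32_ProcessStopTrace"))
        {
            start.EventArrived += OnStart;
            stop.EventArrived += OnStop;
            start.Start();
            stop.Start();
            Console.WriteLine("press <enter> to stop...");
            Console.ReadLine();
            stop.Stop();
            start.Stop();
        }
    }

    // TIME_CREATED is a 64-bit FILETIME value (UTC).
    static DateTime Stamp(ManagementBaseObject ev) { return DateTime.FromFileTimeUtc(Convert.ToInt64(ev["TIME_CREATED"])); }

    static void OnStart(object sender, EventArrivedEventArgs e)
    {
        uint pid = Convert.ToUInt32(e.NewEvent["ProcessID"]);
        lock (Gate) { Started[pid] = Stamp(e.NewEvent); } // overwrite: PIDs are reused
        Console.WriteLine("START pid={0} parent={1} name={2}",
            pid, e.NewEvent["ParentProcessID"], e.NewEvent["ProcessName"]);
    }

    static void OnStop(object sender, EventArrivedEventArgs e)
    {
        uint pid = Convert.ToUInt32(e.NewEvent["ProcessID"]);
        DateTime began; bool seen;
        lock (Gate) { seen = Started.TryGetValue(pid, out began); Started.Remove(pid); }
        // The two subscriptions are independent, so a start may have been missed.
        string life = seen ? (Stamp(e.NewEvent) - began).TotalMilliseconds.ToString("F0") + " ms" : "unknown";
        Console.WriteLine("STOP  pid={0} name={1} exit={2} lifetime={3}",
            pid, e.NewEvent["ProcessName"], e.NewEvent["ExitStatus"], life);
    }
}
```

Logging the parent PID with each start gives the process lineage that a polling comparison of process lists cannot reconstruct once the parent has exited.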
