Monitor process start in the system

by

There’s a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it’s not a great solution if you want to track all process creation in the system.

There’s a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There’s a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.

AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.

More Related Contents:

  1. How to provide user name and password when connecting to a network share
  2. Using SetWindowPos with multiple monitors
  3. Win32 API function to programmatically enable/disable device
  4. Working example of CreateJobObject/SetInformationJobObject pinvoke in .net?
  5. How to find if a native DLL file is compiled as x64 or x86?
  6. Bring a window to the front in WPF
  7. How can I customize the system menu of a Windows Form?
  8. Why does closing a console that was started with AllocConsole cause my whole application to exit? Can I change this behavior?
  9. When do we need to set ProcessStartInfo.UseShellExecute to True?
  10. ShellExecute equivalent in .NET
  11. Check whether a path is valid
  12. Is there Windows system event on active window changed?
  13. Get the active color of Windows 8 automatic color theme
  14. Get Application’s Window Handles
  15. Win32Exception Not enough storage is available to process this command
  16. Set System Time Zone from .NET
  17. Is there a possibility to differ virtual printer from physical one?
  18. Setting the initial directory of an SaveFileDialog?
  19. What are some alternatives to RegistryKey.OpenBaseKey in .NET 3.5?
  20. How do I compute the non-client window size in WPF?
  21. How can I set different Tooltip text for each item in a listbox?
  22. How to check if the system audio is muted?
  23. PostMessage WM_KEYDOWN send multiply keys?
  24. Best way to read a large file into a byte array in C#?
  25. Why use the C# class System.Random at all instead of System.Security.Cryptography.RandomNumberGenerator?
  26. When is optimization premature? [closed]
  27. Can the C# interactive window interact with my code?
  28. Image.Save() throws exception “Value cannot be null./r/nParameter name: encoder”
  29. Hosting ASP.NET Core API in a Windows Forms Application
  30. How do I deploy two ClickOnce versions simultaneously?

Leave a Comment