tags:

views:

73

answers:

2
Q: 

How to find what executable the user has just started?

I'm working on a testing framework that needs to be able to record a user's activities and then replay them. I'm fine using the ManagedWinAPI wrappers around P/Invoke ( working in C# ) to record mouse and keyboard activity, which works but I think that in order to make the recording more useful I need to know more about what happens when the user starts an application.

What I don't know is how to find that an application has just been started and what application it was. So supposing the user started my recording application then went over to the start menu and clicked on "Paint" I would like to be able to record "Paint.exe" starting up as an event ( or if they clicked a shortcut that passed some parameters it would be the value of that shortcut including the parameters ) because if I want to play back the recording on a different machine menu items may be in different places so the mouse activity could be deceptive.

What route do I need to be following to acquire this data? I haven't been able to find the terminology so I've not even really got the right things to put into a search engine...

+1  A: 

The Tool Help Library can take a snapshot of the current processes. This can later be compared to another snapshot. But, just as No Refunds No Returns commented, this method cannot determine if it was a user action that started the process.

gwell  2010-01-08 19:30:00
Thanks. The system doesn't have to be totally guaranteed so this could well be good enough for this purpose but I'll be interested to see whether anyone else has any alternative approaches.
glenatron  2010-01-08 20:05:20
I have gone for this as it is sufficient for what I need, but I really appreciate the answer below also- both are potentially useful in different scenarios.
glenatron  2010-01-14 15:04:21
+1  A: 

The proper way to do this is to write a driver and use process manager callbacks to get a notification each time a process is created. If you don't want to do that, you can use a managed hooking library like EasyHook and hook NtCreateThread/NtCreateThreadEx. If you don't want to do that, then you'll just have to poll for new processes.

EDIT: Determining whether the user started a particular process would also require you to walk the stack. In kernel-mode you can use RtlWalkFrameChain while in user-mode you can use CaptureStackBackTrace.

EDIT 2: See PsSetCreateProcessNotifyRoutine and PsSetCreateProcessNotifyRoutineEx.

wj32  2010-01-10 19:04:32
Thanks for this, it sounds interesting. I'll investigate further.
glenatron  2010-01-10 19:41:46

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)