How to detect win32 process creation/termination in c++

views:

answers:

How to detect win32 process creation/termination in c++

Hi,

I know that to receive notifications about win32 process creation or termination we might implement a NT kernel-mode driver using the APIs PsSetCreateProcessNotifyRoutine() that offers the ability to register system-wide callback function which is called by OS each time when a new process starts, exits or is terminated.

My question is if this is possible without creating a NT kernel-mode driver, only using win32 api functions using c++? Not using the basic solution of a infinite cycle querying the list of active process of course.

Is there any library or win32 API that provides the same functionality (system wide callback, asynchronous events, ...)?

Thanks

+1 A:

The only thing I could think of is WMI, not sure if it provides a process creation callback, but it might be worth looking into.

Anders 2010-08-24 12:03:34

Yes WMI can provide what i'm looking for (process creation/termination callback).If someone is interesting on how then take a look into http://msdn.microsoft.com/en-us/library/aa390425%28VS.85%29.aspxThanks

Nuno 2010-08-24 16:30:49

API-hooking should be the right way to fullfill something like that. You can hook createProcess(A/W/asUserA/W.... etc) and NtTerminateProcess

christian 2010-08-24 12:12:14

+1 A:

You can monitor all Window creating processes using SetWindowsHookEx with a CBTProc, however anything more than that requires either WMI, a windows driver or a little bit of 'Black Magic'

Necrolis 2010-08-24 12:14:25

ansaurus

tags:

views:

answers:

How to detect win32 process creation/termination in c++

related questions