
Can InstanceCreationEvent of Win32_Process be done with WinAPI?

Any way to get the process that starts or ends, like:

ESC()
While 1 ; keep the script alive; events arrive in SINK_OnObjectReady
    Sleep(100)
WEnd

Func ESC()
    Global $Obj  = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & @ComputerName & "\root\cimv2") ; Global so the objects (and the subscription) outlive the function
    Global $hObj = ObjCreate("WbemScripting.SWbemSink")
    If IsObj($Obj) And IsObj($hObj) Then
        ObjEvent($hObj, "SINK_") ; route sink events to the SINK_* functions below
        $Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.05 WHERE TargetInstance ISA 'Win32_Process'")
        $Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
    EndIf
EndFunc   ;==>ESC

Func SINK_OnObjectReady($OB)
    If $OB.Path_.Class = "__InstanceCreationEvent" Then
        ConsoleWrite("start ")
    Else
        ConsoleWrite("end   ")
    EndIf
    ConsoleWrite($OB.TargetInstance.Name & " - ProcessId: " & $OB.TargetInstance.ProcessId & " - TIME_CREATED: " & $OB.TIME_CREATED & " - ExecutablePath: " & $OB.TargetInstance.ExecutablePath & " - CommandLine: " & $OB.TargetInstance.CommandLine & @LF)
EndFunc   ;==>SINK_OnObjectReady

but with DLL calls?

Thanks in advance.
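As an added illustration (not code from the post, and not an answer to the DLL-call question), the following Python model shows what the two WQL subscriptions above actually deliver. WMI produces __InstanceCreationEvent and __InstanceDeletionEvent for Win32_Process by polling the class every WITHIN seconds and diffing consecutive snapshots, so the WITHIN value decides which short-lived processes are ever seen; the example also decodes the TIME_CREATED field the sink prints (a count of 100-nanosecond intervals since 1601-01-01 UTC). The process names, PIDs and lifetimes are constructed sample data, and the helper names are this example's own.

```python
# Added example, not code from the forum post: a platform-independent model of
# what the WQL queries above deliver.  WMI implements __InstanceCreationEvent /
# __InstanceDeletionEvent for Win32_Process by polling the class every WITHIN
# seconds and diffing consecutive snapshots, so a process that starts and exits
# between two polls never produces an event.  TIME_CREATED on the event is a
# 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC (FILETIME
# units).  All process lifetimes below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    executable_path: str
    command_line: str


@dataclass(frozen=True)
class Lifetime:
    proc: Proc
    start: float  # seconds after monitoring began (constructed)
    end: float    # seconds after monitoring began; inf = still running


def time_created_to_datetime(time_created: int) -> datetime:
    """Decode __Event.TIME_CREATED (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=time_created // 10)


def datetime_to_time_created(when: datetime) -> int:
    """Inverse of time_created_to_datetime, used to stamp the simulated events."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def snapshot(lifetimes: List[Lifetime], t: float) -> Dict[int, Proc]:
    """One poll of Win32_Process at time t: every process alive at that instant."""
    return {lt.proc.pid: lt.proc for lt in lifetimes if lt.start <= t < lt.end}


def diff_snapshots(prev: Dict[int, Proc], curr: Dict[int, Proc]):
    """What the intrinsic-event provider reports between two consecutive polls."""
    created = [("__InstanceCreationEvent", curr[pid]) for pid in sorted(curr.keys() - prev.keys())]
    deleted = [("__InstanceDeletionEvent", prev[pid]) for pid in sorted(prev.keys() - curr.keys())]
    return created + deleted


def observed_events(lifetimes, within, duration, base_time):
    """Events a subscriber using 'WITHIN <within>' receives over `duration` seconds.
    The first poll only establishes the baseline: processes already running
    when the subscription starts do not produce creation events."""
    events = []
    prev = snapshot(lifetimes, 0.0)
    for k in range(1, int(round(duration / within)) + 1):
        t = round(k * within, 6)
        curr = snapshot(lifetimes, t)
        for cls, proc in diff_snapshots(prev, curr):
            events.append({
                "class": cls,
                "name": proc.name,
                "pid": proc.pid,
                "command_line": proc.command_line,
                "TIME_CREATED": datetime_to_time_created(base_time + timedelta(seconds=t)),
            })
        prev = curr
    return events


def missed_creations(lifetimes, events):
    """PIDs that started after the baseline poll but were never reported."""
    reported = {e["pid"] for e in events if e["class"] == "__InstanceCreationEvent"}
    return {lt.proc.pid for lt in lifetimes if lt.start > 0.0 and lt.proc.pid not in reported}


def format_event(e):
    """Same layout the sink in the post prints, with TIME_CREATED decoded."""
    when = time_created_to_datetime(e["TIME_CREATED"]).isoformat()
    verb = "start" if e["class"] == "__InstanceCreationEvent" else "end  "
    return f"{verb} {e['name']} - ProcessId: {e['pid']} - TIME_CREATED: {when} - CommandLine: {e['command_line']}"


# Constructed sample: one process already running, one that lives 680 ms, one that lives 40 ms.
SAMPLE_LIFETIMES = [
    Lifetime(Proc(4, "System", "", ""), 0.0, float("inf")),
    Lifetime(Proc(1234, "notepad.exe", r"C:\Windows\notepad.exe", r"notepad.exe C:\tmp\a.txt"), 0.12, 0.80),
    Lifetime(Proc(1300, "whoami.exe", r"C:\Windows\System32\whoami.exe", "whoami /all"), 0.30, 0.34),
]
BASE_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for within in (0.5, 0.05):
        events = observed_events(SAMPLE_LIFETIMES, within, 2.0, BASE_TIME)
        print(f"WITHIN {within}: {len(events)} events, missed PIDs {missed_creations(SAMPLE_LIFETIMES, events)}")
        for e in events:
            print("  " + format_event(e))
```

Running it with the deletion query's WITHIN 0.5 reports only notepad.exe; the 40 ms whoami.exe run is invisible because it starts and exits between two polls, while WITHIN 0.05 catches both. That is the trade-off the two different WITHIN values in the post make: a shorter interval sees more short-lived processes at the price of more frequent polling of Win32_Process.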


  • Similar Content

    • By Rijswijker
      I'm currently struggling with a piece of code.

      Func _WMI_Win32_Process($sWorkingDirectory = Null)
          Global $sApplication, $intProcessID
          Local $i = 0
          Local $aErr[1][2] = [[0, 0]]
          If $sComputer & $sUser & $sPassword = "." Then ; Localhost
              ToolTip("...ObjGet", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
              Global $oWMIService = ObjGet("winmgmts:\\" & $sComputer & "\root\CIMV2")
              If Not IsObj($oWMIService) Then Return SetError(2, 99, $aErr)
          Else
              ToolTip("...ObjCreate", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
              Local $wmiLocator = ObjCreate("WbemScripting.SWbemLocator")
              If Not IsObj($wmiLocator) Then Return SetError(3, 99, $aErr)
              ToolTip("...ConnectServer", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
              Global $oWMIService = $wmiLocator.ConnectServer($sComputer, "\root\CIMV2", $sUser, $sPassword)
              If Not IsObj($oWMIService) Then Return SetError(4, 99, $aErr)
          EndIf
          ToolTip("...ExecQuery", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
          Local $objStartup = $oWMIService.Get("Win32_ProcessStartup")
          Local $objConfig = $objStartup.SpawnInstance_
          Local $Security = $oWMIService.Security_
          $Security.ImpersonationLevel = 3
          Local $oWMIClass = $oWMIService.Get("Win32_Process")
          Local $sReturn = $oWMIClass.Create($sApplication, NULL, $objConfig, $intProcessID) ; no working directory specified
          Return($intProcessID)
      EndFunc   ;==>_WMI_Win32_Process

      Func _WMI_CheckExitCode()
          Global $oWMIService, $intProcessID
          Local $i = 0
          ToolTip("...Process is Running" & @CRLF & " PID: " & $intProcessID, @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
          Local $colProcessStopTrace = $oWMIService.ExecNotificationQuery("SELECT * FROM Win32_ProcessStopTrace")
          Do
              Local $objLatestEvent = $colProcessStopTrace.NextEvent(1)
              If $objLatestEvent.ProcessId = $intProcessID Then $i = 1
          Until $i = 1
          SetError($objLatestEvent.ExitStatus)
      EndFunc   ;==>_WMI_CheckExitCode

      What I want is to get the ExitCode of the ended process, but I do not always get the ExitCode when the process has ended (for example: two processes end at the same time).
      Is it possible to query the ExitCode in another way than using Win32_ProcessStopTrace and $colProcessStopTrace.NextEvent?
      The WMI command is running on a remote machine.
      Is there a way to request the ExitCode of a process that was running in the past, using the PID, on a remote machine?

      Thanks in advance.
