Can InstanceCreationEvent of Win32_Process be done with WinApi?

Any way to get the process that starts or ends, like:

Func ESC()
    ; Global, not Local: the async subscription lives only as long as the service and sink objects do, so they must outlive this function
    Global $Obj  = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & @ComputerName & "\root\cimv2")
    Global $hObj = ObjCreate("WbemScripting.SWbemSink")
    If IsObj($Obj) And IsObj($hObj) Then
        ObjEvent($hObj, "SINK_") ; route the sink's OnObjectReady events to SINK_OnObjectReady()
        $Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.05 WHERE TargetInstance ISA 'Win32_Process'")
        $Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
    EndIf
EndFunc

Func SINK_OnObjectReady($OB)
    If $OB.Path_.Class = "__InstanceCreationEvent" Then
        ConsoleWrite("start ")
    Else
        ConsoleWrite("end   ")
    EndIf
    ConsoleWrite($OB.TargetInstance.Name & " - ProcessId:" & $OB.TargetInstance.ProcessId & " - TIME_CREATED: " & $OB.TIME_CREATED & " - ExecutablePath: " & $OB.TargetInstance.ExecutablePath & " - CommandLine: " & $OB.TargetInstance.CommandLine & @LF)
EndFunc
ESC()
While 1 ; keep the script alive so the sink callbacks can fire
    Sleep(100)
WEnd

but with DLL calls?

Thanks in advance.
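An added example of the "with DLL calls" route, not code from the original post. The SWbemServices.ExecNotificationQueryAsync call the script makes is the scripting wrapper over IWbemServices::ExecNotificationQueryAsync, and driving that interface directly from AutoIt would mean implementing an IWbemObjectSink callback object; the plain kernel32 alternative is to take Toolhelp snapshots and diff them, which is what this block does. Note that it is polling, exactly like the WITHIN clause of __InstanceCreationEvent (Win32_Process has no event provider, so WMI polls it at that interval too): a process that starts and exits inside one interval is not seen. Kernel-pushed start/stop events need Win32_ProcessStartTrace/Win32_ProcessStopTrace (administrator) or ETW. The function names _ProcSnapshot, _FindPid and _WatchProcesses and the struct-tag variable are assumptions of this example, not AutoIt library functions.

```autoit
; Added example: process start/stop detection with kernel32 DllCall only, no WMI.
; _ProcSnapshot, _FindPid, _WatchProcesses and $tagPROCESSENTRY32W are names chosen here.

; Constant from tlhelp32.h
Global Const $TH32CS_SNAPPROCESS = 0x00000002
; PROCESSENTRY32W layout as declared in tlhelp32.h
Global Const $tagPROCESSENTRY32W = "dword Size;dword Usage;dword ProcessID;ulong_ptr DefaultHeapID;" & _
        "dword ModuleID;dword Threads;dword ParentProcessID;long PriClassBase;dword Flags;wchar ExeFile[260]"

; Enumerate running processes via CreateToolhelp32Snapshot / Process32FirstW / Process32NextW.
; Returns a 2D array of [ProcessId, ParentProcessId, ExeFile] rows; sets @error on failure.
Func _ProcSnapshot()
    Local $aRet = DllCall("kernel32.dll", "handle", "CreateToolhelp32Snapshot", "dword", $TH32CS_SNAPPROCESS, "dword", 0)
    If @error Or $aRet[0] = Ptr(-1) Then Return SetError(1, 0, 0) ; INVALID_HANDLE_VALUE
    Local $hSnap = $aRet[0]
    Local $tPE = DllStructCreate($tagPROCESSENTRY32W)
    DllStructSetData($tPE, "Size", DllStructGetSize($tPE)) ; dwSize must be filled before the first call
    Local $aProcs[0][3]
    $aRet = DllCall("kernel32.dll", "bool", "Process32FirstW", "handle", $hSnap, "struct*", $tPE)
    While Not @error And $aRet[0]
        Local $n = UBound($aProcs)
        ReDim $aProcs[$n + 1][3]
        $aProcs[$n][0] = DllStructGetData($tPE, "ProcessID")
        $aProcs[$n][1] = DllStructGetData($tPE, "ParentProcessID")
        $aProcs[$n][2] = DllStructGetData($tPE, "ExeFile") ; image name only; no path or command line in a snapshot
        $aRet = DllCall("kernel32.dll", "bool", "Process32NextW", "handle", $hSnap, "struct*", $tPE)
    WEnd
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hSnap)
    Return $aProcs
EndFunc

; Row index of $iPid in a snapshot array, or -1 if absent.
Func _FindPid(ByRef $aProcs, $iPid)
    For $i = 0 To UBound($aProcs) - 1
        If $aProcs[$i][0] = $iPid Then Return $i
    Next
    Return -1
EndFunc

; Take snapshots $iIntervalMs apart and report PIDs that appeared or disappeared.
; This is polling: a process shorter than one interval, or a PID reused within
; one interval, is missed. The same limitation applies to __InstanceCreationEvent WITHIN.
Func _WatchProcesses($iIntervalMs = 250)
    Local $aPrev = _ProcSnapshot()
    If @error Then Return SetError(1, 0, 0)
    While 1
        Sleep($iIntervalMs)
        Local $aCur = _ProcSnapshot()
        If @error Then ContinueLoop
        For $i = 0 To UBound($aCur) - 1          ; present now, absent before: started
            If _FindPid($aPrev, $aCur[$i][0]) = -1 Then
                ConsoleWrite("start " & $aCur[$i][2] & " - ProcessId:" & $aCur[$i][0] & " - ParentProcessId:" & $aCur[$i][1] & @LF)
            EndIf
        Next
        For $i = 0 To UBound($aPrev) - 1         ; present before, absent now: ended
            If _FindPid($aCur, $aPrev[$i][0]) = -1 Then
                ConsoleWrite("end   " & $aPrev[$i][2] & " - ProcessId:" & $aPrev[$i][0] & @LF)
            EndIf
        Next
        $aPrev = $aCur
    WEnd
EndFunc

_WatchProcesses(250) ; runs until the script is closed from its tray icon
```

The snapshot exposes only the image name and parent PID; ExecutablePath and CommandLine, which the WMI version prints, would need OpenProcess plus QueryFullProcessImageNameW (and, for the command line, reading the PEB), and both fail for processes of other users unless the script runs elevated.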

  • Similar Content

    • By Rijswijker
      I'm currently struggling with a piece of code.
      Func _WMI_Win32_Process($sWorkingDirectory = Null)
          Global $sApplication, $intProcessID
          Local $i = 0
          Local $aErr[1][2] = [[0, 0]]
          ; $sComputer, $sUser and $sPassword are expected to be declared elsewhere in the script
          If $sComputer & $sUser & $sPassword = "." Then ; Localhost
              ToolTip("...ObjGet", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
              Global $oWMIService = ObjGet("winmgmts:\\" & $sComputer & "\root\CIMV2")
              If Not IsObj($oWMIService) Then Return SetError(2, 99, $aErr)
          Else
              ToolTip("...ObjCreate", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
              Local $wmiLocator = ObjCreate("WbemScripting.SWbemLocator")
              If Not IsObj($wmiLocator) Then Return SetError(3, 99, $aErr)
              ToolTip("...ConnectServer", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
              Global $oWMIService = $wmiLocator.ConnectServer($sComputer, "\root\CIMV2", $sUser, $sPassword)
              If Not IsObj($oWMIService) Then Return SetError(4, 99, $aErr)
          EndIf
          ToolTip("...ExecQuery", @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
          Local $objStartup = $oWMIService.Get("Win32_ProcessStartup")
          Local $objConfig = $objStartup.SpawnInstance_
          Local $Security = $oWMIService.Security_
          $Security.ImpersonationLevel = 3
          Local $oWMIClass = $oWMIService.Get("Win32_Process")
          Local $sReturn = $oWMIClass.Create($sApplication, Null, $objConfig, $intProcessID) ; no working directory specified
          Return ($intProcessID)
      EndFunc ;==>_WMI_Win32_Process

      Func _WMI_CheckExitCode()
          Global $oWMIService, $intProcessID
          Local $i = 0
          ToolTip("...Process is Running" & @CRLF & " PID: " & $intProcessID, @DesktopWidth - 30, @DesktopHeight - 130, "Win32_Process", 1, 4)
          ; Win32_ProcessStopTrace is an extrinsic event pushed by the kernel trace provider
          Local $colProcessStopTrace = $oWMIService.ExecNotificationQuery("SELECT * FROM Win32_ProcessStopTrace")
          Do
              Local $objLatestEvent = $colProcessStopTrace.NextEvent(1)
              If $objLatestEvent.ProcessId = $intProcessID Then $i = 1
          Until $i = 1
          SetError($objLatestEvent.ExitStatus)
      EndFunc ;==>_WMI_CheckExitCode

      What I want is to get the ExitCode of the ended process, but I do not always get the ExitCode when the process has ended (for example, two processes end at the same time).
      Is it possible to query the ExitCode in another way than using Win32_ProcessStopTrace and $colProcessStopTrace.NextEvent?
      The WMI command is running on a remote machine.
      Is there a way to request the ExitCodes of a process that ran in the past, using the PID, on a remote machine?

      Thanks in advance.
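An added example for the exit-code question above, not code from that post: on the local machine the kernel32 way to get an exit status is OpenProcess on the PID while the process is still running, WaitForSingleObject on the handle, then GetExitCodeProcess. The kernel keeps the exit status only as long as some handle to the process object exists, so a handle opened after the process has gone returns nothing, and there is no way to recover the exit code of a process that ended in the past once its last handle closed. OpenProcess has no remote form, so the remote case still needs the WMI subscription (Win32_ProcessStopTrace). The names _ProcOpen, _ProcWaitExitCode and _ProcClose and the two demo child commands are assumptions of this example.

```autoit
; Added example: exit code of a local process through kernel32 instead of Win32_ProcessStopTrace.
; _ProcOpen, _ProcWaitExitCode and _ProcClose are names chosen here, not AutoIt library functions.

; Access rights and wait results from winnt.h / winbase.h
Global Const $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
Global Const $SYNCHRONIZE = 0x00100000
Global Const $WAIT_OBJECT_0 = 0x0
Global Const $WAIT_TIMEOUT = 0x102

; Open the process by PID with the minimum rights needed to wait on it and read
; its exit status. Must be done while the process is alive: the exit status is
; kept only as long as a handle to the process object exists.
Func _ProcOpen($iPid)
    Local $aRet = DllCall("kernel32.dll", "handle", "OpenProcess", _
            "dword", BitOR($PROCESS_QUERY_LIMITED_INFORMATION, $SYNCHRONIZE), "bool", False, "dword", $iPid)
    If @error Or Not $aRet[0] Then Return SetError(1, 0, 0)
    Return $aRet[0]
EndFunc

; Wait for the process to end ($iTimeoutMs: -1 = INFINITE, 0 = only test whether it
; has ended) and return its exit code. Returns -1 and sets @error on timeout or failure.
Func _ProcWaitExitCode($hProc, $iTimeoutMs = -1)
    Local $aRet = DllCall("kernel32.dll", "dword", "WaitForSingleObject", "handle", $hProc, "dword", $iTimeoutMs)
    If @error Then Return SetError(1, 0, -1)
    If $aRet[0] = $WAIT_TIMEOUT Then Return SetError(2, 0, -1)         ; still running
    If $aRet[0] <> $WAIT_OBJECT_0 Then Return SetError(3, $aRet[0], -1) ; WAIT_FAILED etc.
    $aRet = DllCall("kernel32.dll", "bool", "GetExitCodeProcess", "handle", $hProc, "dword*", 0)
    If @error Or Not $aRet[0] Then Return SetError(4, 0, -1)
    Return $aRet[2] ; the dword* out-parameter
EndFunc

Func _ProcClose($hProc)
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc)
EndFunc

; Demo (constructed): two children that end at about the same moment. Each is opened
; right after launch, so both exit codes are read regardless of the order or how
; close together they finish. The ping is only there to keep them alive for a second.
Global $iPidA = Run(@ComSpec & ' /c ping -n 2 127.0.0.1 >nul & exit 7', "", @SW_HIDE)
Global $iPidB = Run(@ComSpec & ' /c ping -n 2 127.0.0.1 >nul & exit 9', "", @SW_HIDE)
Global $hA = _ProcOpen($iPidA)
Global $hB = _ProcOpen($iPidB)
ConsoleWrite("PID " & $iPidA & " exit code " & _ProcWaitExitCode($hA, 10000) & @LF)
ConsoleWrite("PID " & $iPidB & " exit code " & _ProcWaitExitCode($hB, 10000) & @LF)
_ProcClose($hA)
_ProcClose($hB)
```

With a timeout of 0 the same function serves as a non-blocking "has it ended yet" check, which lets one loop poll a whole list of handles instead of blocking on one PID; that is the local counterpart of the single-PID filter in the WMI loop above.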