I happened to see the following portion of code here.
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
Switch $OB.Path_.Class
Case "__InstanceCreationEvent"
ConsoleWrite("+~>" & _ProcessGetPath($OB.TargetInstance.ProcessID) & @CR)
Case "__InstanceDeletionEvent"
ConsoleWrite("!~>" & $OB.TargetInstance.ProcessID & @CR)
EndSwitch
I used the same WQL queries to monitor processes in C++. Is there something similar in C++ by which I can know whether it was creation or termination of a process? I tried using __CLASS, but it gives the output as Win32_Process. I am coding in MSVS2010.
Please help. Thank you.
EDIT 1: WQL QUERY ADDED
hres = pSvc->ExecNotificationQueryAsync(
_bstr_t("WQL"),
_bstr_t("SELECT * "
"FROM __InstanceDeletionEvent WITHIN 1 "
"WHERE TargetInstance ISA 'Win32_Process' "),
WBEM_FLAG_SEND_STATUS,
NULL,
pStubSink);
hres = pSvc->ExecNotificationQueryAsync(
_bstr_t("WQL"),
_bstr_t("SELECT * "
"FROM __InstanceCreationEvent WITHIN 1 "
"WHERE TargetInstance ISA 'Win32_Process'"),
WBEM_FLAG_SEND_STATUS,
NULL,
pStubSink);
Using the above code, I get the name of the process, either created or terminated, printed into the console from the IWbemObjectSink::Indicate method.
In order to detect the creation and termination of a process using a single WQL sentence you can use the __InstanceOperationEvent class like so. Then, if you want to determine the type (class) of the event that arrived, you must evaluate the __Class property. Try this sample
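The following is an added example, not the answerer's sample: it shows an Indicate-style handler that reads __CLASS from the event object itself (the question read it from TargetInstance, which is always Win32_Process) and then pulls Name and ProcessId out of the embedded TargetInstance. The function name IndicateProcessEvents and the enum/prefix helpers are assumptions; the handler is meant to be called from your own IWbemObjectSink::Indicate, whose COM boilerplate is not repeated here. It also goes beyond the page by handling __InstanceModificationEvent, which an __InstanceOperationEvent subscription delivers as well.

```cpp
#include <string>

enum class ProcEvent { Created, Deleted, Modified, Unknown };

// Map the *event object's* __CLASS value to an event kind. Reading __CLASS
// on TargetInstance instead would always yield "Win32_Process".
ProcEvent classifyEvent(const std::wstring& eventClass) {
    if (eventClass == L"__InstanceCreationEvent")     return ProcEvent::Created;
    if (eventClass == L"__InstanceDeletionEvent")     return ProcEvent::Deleted;
    if (eventClass == L"__InstanceModificationEvent") return ProcEvent::Modified;
    return ProcEvent::Unknown;
}

// Log prefix in the style of the AutoIt snippet ("+~>" create, "!~>" delete).
std::wstring eventPrefix(ProcEvent kind) {
    switch (kind) {
        case ProcEvent::Created:  return L"+~>";
        case ProcEvent::Deleted:  return L"!~>";
        case ProcEvent::Modified: return L"~~>";
        default:                  return L"??>";
    }
}

#ifdef _WIN32
#include <windows.h>
#include <wbemidl.h>
#include <comdef.h>
#include <iostream>
#pragma comment(lib, "wbemuuid.lib")

// Call this from IWbemObjectSink::Indicate(lObjectCount, apObjArray).
HRESULT IndicateProcessEvents(long count, IWbemClassObject** objects) {
    for (long i = 0; i < count; ++i) {
        _variant_t cls, target, name, pid;
        if (FAILED(objects[i]->Get(L"__CLASS", 0, &cls, nullptr, nullptr))) continue;
        ProcEvent kind = classifyEvent(cls.bstrVal);
        if (kind == ProcEvent::Modified) continue;   // ignore working-set churn
        // TargetInstance is an embedded Win32_Process object (VT_UNKNOWN).
        if (FAILED(objects[i]->Get(L"TargetInstance", 0, &target, nullptr, nullptr))
            || target.vt != VT_UNKNOWN) continue;
        IWbemClassObject* proc = nullptr;
        if (FAILED(target.punkVal->QueryInterface(IID_IWbemClassObject, (void**)&proc))) continue;
        proc->Get(L"Name", 0, &name, nullptr, nullptr);
        proc->Get(L"ProcessId", 0, &pid, nullptr, nullptr);   // uint32 arrives as VT_I4
        std::wcout << eventPrefix(kind) << L" " << name.bstrVal
                   << L" (pid " << (unsigned long)pid.lVal << L")\n";
        proc->Release();
    }
    return WBEM_S_NO_ERROR;
}
#endif
```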