如何通过 WMI 从 'Win32_ProcessStopTrace' class 获取附加信息?
How to obtain additional info from the 'Win32_ProcessStopTrace' class through WMI?
场景
爱好或实践我正在开发一个(非常)简单的进程监视器,它公开两个事件以通过两个 ManagementEventWatcher 对象来订阅进程启动和进程停止。
使用 ManagementEventWatcher 对象查询 Win32_ProcessStartTrace 和 Win32_ProcessStopTrace classes 我订阅进程启动和停止发现然后我提出相应的 EventArrivedEventHandler 事件以面向事件的方式公开已经启动或停止的进程的信息。
问题
问题是我想获取额外的(基本)信息,例如已启动或停止的进程的可执行路径和 PID,但是 Win32_ProcessStartTrace 和 Win32_ProcessStopTrace classes 没有公开 info/property.
另一方面,他们公开了一个 ProcessName 属性,在文档中这样说:
You can use this name to get the instance of Win32_Process for the
same process.
但是,考虑到具有相同文件名的多个进程可能同时 运行,MSDN 如何期望我能够有效地做到这一点?。
如果那些 classes 提供给我的唯一有用信息是进程名称和父 PID,那么就效率而言,MSDN 到底希望我能做什么来匹配我想要获得的目标进程对 Win32_Process class 执行 WMI 查询的附加信息,当它可以存在具有相同名称并由同一进程创建的各种进程时?什么都没有,所以......我在这一点上很困。
我认为执行高效的 Win32_Process 查询需要更一致的东西,例如进程的 PID(不是父 PID)。
问题
在 C# 或 VB.Net 中,在效率方面(因为要避免我上面解释的情况),在 EventArrivedEventHandler 到达后我可以做些什么来获取正确进程的附加信息.
我的期望是获得一些像 PID 这样的唯一标识符,然后我可以对 Win32_Process class 执行 WMI 查询以获得我想要的所有附加信息,而不仅仅是进程名称和父 PID.
源代码
这是代码的相关部分:
Public Class ProcessWatcher : Implements IDisposable
Private WithEvents processStartWatcher As ManagementEventWatcher
Private WithEvents processStopWatcher As ManagementEventWatcher
''' <summary>
''' Occurs when a process starts (run).
''' </summary>
Public Event ProcessStarted As EventArrivedEventHandler
''' <summary>
''' Occurs when a process stops (exit).
''' </summary>
Public Event ProcessStopped As EventArrivedEventHandler
Public Sub New()
Me.processStartWatcher = New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"))
Me.processStopWatcher = New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace"))
End Sub
''' <summary>
''' Start monitoring for process starts and stops.
''' </summary>
<DebuggerStepThrough>
Public Sub Start()
Me.processStartWatcher.Start()
Me.processStopWatcher.Start()
End Sub
''' <summary>
''' Stop monitoring for process starts and stops.
''' </summary>
<DebuggerStepThrough>
Public Sub [Stop]()
Me.processStartWatcher.Stop()
Me.processStopWatcher.Stop()
End Sub
Protected Overridable Sub RaiseProcessStartedEvent(ByVal e As EventArrivedEventArgs)
RaiseEvent ProcessStarted(Me, e)
End Sub
Protected Overridable Sub RaiseProcessStoppedEvent(ByVal e As EventArrivedEventArgs)
RaiseEvent ProcessStopped(Me, e)
End Sub
Private Sub ProcessStartWatcher_EventArrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs) _
Handles processStartWatcher.EventArrived
If (Me.ProcessStartedEvent IsNot Nothing) Then
Me.RaiseProcessStartedEvent(e)
End If
End Sub
Private Sub ProcessStopWatcher_EventArrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs) _
Handles processStopWatcher.EventArrived
If (Me.ProcessStoppedEvent IsNot Nothing) Then
Me.RaiseProcessStoppedEvent(e)
End If
End Sub
End Class
还有一个用法示例:
Imports System.Management
Public Class Form1 : Inherits Form
Private WithEvents processWatcher As New ProcessWatcher
Private Sub Form1_Load(ByVal sender As Object, ByVal e As EventArgs) _
Handles MyBase.Load
Me.processWatcher.Start()
End Sub
Private Sub ProcessWatcher_ProcessStarted(ByVal sender As Object, ByVal e As EventArrivedEventArgs) _
Handles processWatcher.ProcessStarted
Console.WriteLine(String.Format("Process started | Name: {0}", e.NewEvent.Properties("ProcessName").Value))
Console.WriteLine(String.Format("Process started | PPid: {0}", e.NewEvent.SystemProperties("ParentProcessID").Value))
End Sub
Private Sub Form1_FormClosing(ByVal sender As Object, ByVal e As FormClosingEventArgs) _
Handles MyBase.FormClosing
Me.processWatcher.Stop()
End Sub
End Class
虽然文档没有提到它,但 Win32_ProcessStopTrace 和 Win32_ProcessStartTrace 上确实有一个 'ProcessID' 属性,因为 类 都来自 Win32_ProcessTrace 里面有。您可以使用 WMIExplorer:
等工具进行检查
场景
爱好或实践我正在开发一个(非常)简单的进程监视器,它公开两个事件以通过两个 ManagementEventWatcher 对象来订阅进程启动和进程停止。
使用 ManagementEventWatcher 对象查询 Win32_ProcessStartTrace 和 Win32_ProcessStopTrace classes 我订阅进程启动和停止发现然后我提出相应的 EventArrivedEventHandler 事件以面向事件的方式公开已经启动或停止的进程的信息。
问题
问题是我想获取额外的(基本)信息,例如已启动或停止的进程的可执行路径和 PID,但是 Win32_ProcessStartTrace 和 Win32_ProcessStopTrace classes 没有公开 info/property.
另一方面,他们公开了一个 ProcessName 属性,在文档中这样说:
You can use this name to get the instance of Win32_Process for the same process.
但是,考虑到具有相同文件名的多个进程可能同时 运行,MSDN 如何期望我能够有效地做到这一点?。
如果那些 classes 提供给我的唯一有用信息是进程名称和父 PID,那么就效率而言,MSDN 到底希望我能做什么来匹配我想要获得的目标进程对 Win32_Process class 执行 WMI 查询的附加信息,当它可以存在具有相同名称并由同一进程创建的各种进程时?什么都没有,所以......我在这一点上很困。
我认为执行高效的 Win32_Process 查询需要更一致的东西,例如进程的 PID(不是父 PID)。
问题
在 C# 或 VB.Net 中,在效率方面(因为要避免我上面解释的情况),在 EventArrivedEventHandler 到达后我可以做些什么来获取正确进程的附加信息.
我的期望是获得一些像 PID 这样的唯一标识符,然后我可以对 Win32_Process class 执行 WMI 查询以获得我想要的所有附加信息,而不仅仅是进程名称和父 PID.
源代码
这是代码的相关部分:
Public Class ProcessWatcher : Implements IDisposable
Private WithEvents processStartWatcher As ManagementEventWatcher
Private WithEvents processStopWatcher As ManagementEventWatcher
''' <summary>
''' Occurs when a process starts (run).
''' </summary>
Public Event ProcessStarted As EventArrivedEventHandler
''' <summary>
''' Occurs when a process stops (exit).
''' </summary>
Public Event ProcessStopped As EventArrivedEventHandler
Public Sub New()
Me.processStartWatcher = New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"))
Me.processStopWatcher = New ManagementEventWatcher(New WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace"))
End Sub
''' <summary>
''' Start monitoring for process starts and stops.
''' </summary>
<DebuggerStepThrough>
Public Sub Start()
Me.processStartWatcher.Start()
Me.processStopWatcher.Start()
End Sub
''' <summary>
''' Stop monitoring for process starts and stops.
''' </summary>
<DebuggerStepThrough>
Public Sub [Stop]()
Me.processStartWatcher.Stop()
Me.processStopWatcher.Stop()
End Sub
Protected Overridable Sub RaiseProcessStartedEvent(ByVal e As EventArrivedEventArgs)
RaiseEvent ProcessStarted(Me, e)
End Sub
Protected Overridable Sub RaiseProcessStoppedEvent(ByVal e As EventArrivedEventArgs)
RaiseEvent ProcessStopped(Me, e)
End Sub
Private Sub ProcessStartWatcher_EventArrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs) _
Handles processStartWatcher.EventArrived
If (Me.ProcessStartedEvent IsNot Nothing) Then
Me.RaiseProcessStartedEvent(e)
End If
End Sub
Private Sub ProcessStopWatcher_EventArrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs) _
Handles processStopWatcher.EventArrived
If (Me.ProcessStoppedEvent IsNot Nothing) Then
Me.RaiseProcessStoppedEvent(e)
End If
End Sub
End Class
还有一个用法示例:
Imports System.Management
Public Class Form1 : Inherits Form
Private WithEvents processWatcher As New ProcessWatcher
Private Sub Form1_Load(ByVal sender As Object, ByVal e As EventArgs) _
Handles MyBase.Load
Me.processWatcher.Start()
End Sub
Private Sub ProcessWatcher_ProcessStarted(ByVal sender As Object, ByVal e As EventArrivedEventArgs) _
Handles processWatcher.ProcessStarted
Console.WriteLine(String.Format("Process started | Name: {0}", e.NewEvent.Properties("ProcessName").Value))
Console.WriteLine(String.Format("Process started | PPid: {0}", e.NewEvent.SystemProperties("ParentProcessID").Value))
End Sub
Private Sub Form1_FormClosing(ByVal sender As Object, ByVal e As FormClosingEventArgs) _
Handles MyBase.FormClosing
Me.processWatcher.Stop()
End Sub
End Class
虽然文档没有提到它,但 Win32_ProcessStopTrace 和 Win32_ProcessStartTrace 上确实有一个 'ProcessID' 属性,因为 类 都来自 Win32_ProcessTrace 里面有。您可以使用 WMIExplorer:
等工具进行检查