Question
Consider the following code:
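    // Requires: using System; using System.Management; (reference System.Management.dll)
    using (ManagementEventWatcher watcher = new ManagementEventWatcher("select * from Win32_ProcessStopTrace")) {
        // Called once for every process-stop event WMI delivers
        watcher.EventArrived += (object sender, EventArrivedEventArgs e) => {
            Console.WriteLine("{0} stopped", (string)e.NewEvent["ProcessName"]);
        };
        watcher.Start();
        // Keep the subscription alive until a key is pressed
        while (!Console.KeyAvailable)
            System.Threading.Thread.Sleep(50);
        watcher.Stop();
    }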
When I run this code (as admin), it notifies me as soon as I close any other application.
First: When using Win32_ProcessStartTrace instead of Win32_ProcessStopTrace, I don't get any notification for starting processes. Why is that?
Second: If there's a possibility to monitor (every) starting processes, can I suspend them, do other stuff and then continue their execution?
Version info:
Windows 8.1 x64 (v6.3 Build 9600)
.NET Framework v4.0.30319 (in directory), 4.6.00081 (according to VS)
(I don't know whether specific updates are needed, so you could ask for them)
Answer 1:
As @HansPassant pointed out, this query doesn't work for Windows 8.1. This is related to a security update (KB3045999). Under Known issues there's a link to a hotfix (KB3094199) to fix this problem. After installing this hotfix and rebooting my computer, the query finally worked.
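An added example, not part of the original question or answer: before relying on start events, check for the update combination the answer describes, then subscribe to both trace classes. It assumes both updates are reported by Win32_QuickFixEngineering; the class and method names (`ProcessTraceCheck`, `HotfixInstalled`, `Watch`) are made up for this sketch.

```csharp
using System;
using System.Management;   // reference System.Management.dll

class ProcessTraceCheck
{
    // True when the given update shows up in Win32_QuickFixEngineering.
    static bool HotfixInstalled(string kb)
    {
        string q = "SELECT HotFixID FROM Win32_QuickFixEngineering WHERE HotFixID = '" + kb + "'";
        using (var searcher = new ManagementObjectSearcher(q))
        using (ManagementObjectCollection hits = searcher.Get())
            return hits.Count > 0;
    }

    // Subscribes to one Win32_Process*Trace class and prints name, PID and parent PID.
    static ManagementEventWatcher Watch(string wmiClass, string verb)
    {
        var watcher = new ManagementEventWatcher("SELECT * FROM " + wmiClass);
        watcher.EventArrived += (sender, e) =>
            Console.WriteLine("{0} {1} pid={2} ppid={3}", verb,
                e.NewEvent["ProcessName"], e.NewEvent["ProcessID"], e.NewEvent["ParentProcessID"]);
        watcher.Start();   // run elevated, as in the question
        return watcher;
    }

    static void Main()
    {
        // KB numbers are the ones named in the answer above.
        if (HotfixInstalled("KB3045999") && !HotfixInstalled("KB3094199"))
            Console.Error.WriteLine("KB3045999 is installed without hotfix KB3094199: " +
                                    "Win32_ProcessStartTrace events may not arrive.");

        using (var started = Watch("Win32_ProcessStartTrace", "started"))
        using (var stopped = Watch("Win32_ProcessStopTrace", "stopped"))
        {
            Console.WriteLine("Watching; press any key to quit.");
            Console.ReadKey(true);
            started.Stop();
            stopped.Stop();
        }
    }
}
```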
Source: https://stackoverflow.com/questions/33348013/why-win32-processstoptrace-events-arrive-but-win32-processstarttrace-doesnt