Monitor process start in the system

Question

Is there a way to monitor processes starting in the system before they start?

Example:
On programs like ZoneAlarm or Antivirus programs, when you run a program i

Answer 1

You should check out the easyhook-continuing-detours project, which is a .NET port of the Microsoft Detours project. It will allow you to hook unmanaged APIs (such as CreateProcess). Check out code examples for a simple FileMon-like program here.

Answer 2

Just use process creation notifications . It's included in Windows. You don't need to hook anything.

Answer 3

You can find out when processes start via using a real-time ETW consumer - however, to be able to take some action that could possibly cancel the process from starting, you'll have to do something shady / undocumented, like hooking CreateProcess, or using a kernel filter driver to block reads to the EXE.

Answer 4

There's a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it's not a great solution if you want to track all process creation in the system.

There's a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There's a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.

AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.