2
我試圖使用WMI事件來監視在本地計算機上啓動的進程。我用下面的代碼來測試活動,並監視進程:__InstanceCreationEvent TargetInstance屬性全爲空
class Program
{
static void Main(string[] args)
{
ManagementEventWatcher watcher = WatchForProcessStart();
while(true) watcher.WaitForNextEvent();
}
private static ManagementEventWatcher WatchForProcessStart()
{
string scope = @"\\.\root\CIMV2";
string queryString = "SELECT TargetInstance FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'";
ManagementEventWatcher watcher = new ManagementEventWatcher(scope, queryString);
watcher.EventArrived += ProcessStarted;
watcher.Start();
return watcher;
}
private static void ProcessStarted(object sender, EventArrivedEventArgs e)
{
ManagementBaseObject targetInstance = (ManagementBaseObject)e.NewEvent.Properties["TargetInstance"].Value;
targetInstance.Properties.Cast<PropertyData>().ToList().ForEach(p => Console.WriteLine("{0}={1}", p.Name, p.Value));
}
}
然而TargetInstance化子性質都存在,但有一個null值,當我開始一個過程。有任何想法嗎?
不說清楚替換這個
我你是什麼試圖去做。如果你想知道一個進程何時開始,那麼改用[Win32_ProcessStartTrace class](http://stackoverflow.com/a/1986856/17034)。 –