1
我使用System.Management.ManagementEventWatcher獲得了啓動進程的進程ID和可執行文件的路徑:我可以從System.Management.EventArrivedEventArgs對象獲取ExecutablePath嗎?
private void startWatcher_EventArrived(Object sender, EventArrivedEventArgs e)
{
String processID = e.NewEvent.Properties["ProcessID"].Value.ToString();
var searcher = new ManagementObjectSearcher(new WqlObjectQuery(String.Format("Select ExecutablePath from Win32_Process where ProcessID = {0}", processID)));
ManagementObject managementObject = null;
foreach (ManagementObject obj in searcher.Get())
{
managementObject = obj;
break;
}
Console.WriteLine(managementObject["ExecutablePath"]);
}
使用此WQL查詢:
選擇ExecutablePath從 Win32_ProcessStartTrace
是否有一種方法可以避免執行對象搜索,但仍然可以獲取ExecutionPath,使用EventArrivedEventA中已有的內容rgs對象?
我真正需要的是每個啓動的新流程的ProcessID和ExecuatblePath。這是最簡單的方法嗎?