Context:
I'm trying to get a notification whenever a process starts so I can do some logging. So, I set up my event handler like this:
Process Information and Notifications using WMI[
^]
actually, more like this:
http://weblogs.asp.net/whaggard/archive/2006/02/11/438006.aspx[
^]
Pretty standard stuff.
This is for Windows XP and Windows 2000
The problem: Basically, my event handler sometimes dies mid-execution. This seems to happen when the process its event is referring to exits quickly.
For example, my event handler will run properly when I run netstat, but not when I run 'netstat -ano', which usually exits more quickly. In the latter case, the event handler will print out some of its output, but not all.
Sometimes, in the latter case, it won't print out anything, so I don't know if I got an event notification at all.
I have not found any mention of this problem in cyberspace. Maybe someone with better google-fu or better terminology can point me in the right direction.
Getting events Synchronously:
http://msdn.microsoft.com/en-us/library/aa720671(v=vs.71).aspx[
^]
So, if I loop watcher.WaitForNextEvent();, I'll often get no event for a quick-exiting process. If I run netstat, I'll get a response like half the time.
Things I've tried:
I've tried subscribing to Win32_ProcessStartTrace and __InstanceCreationEvent/__InstanceOperationEvent, but the behavior is more-or-less the same.
I've tried implementing this in C++, but I get pretty much the same behavior:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa390425(v=vs.85).aspx[
^]
I've mitigated the problem by making the event handler start a thread, but sometimes the event handler is not alive long enough to create a new thread (with all the data I'll need about the specified process).
Messing with the "WITHIN 1" clause in the query seems to have no effect. Removing it causes an error.
Incidentally:
The event handlers for process termination have all the time in the world. No race condition there.
I need to look at everything a process writes to stdout.
So, I need notification when the process starts so I can grab all the output of this process...unless one of you knows how to get everything a process already wrote to stdout from an __InstanceDeletionEvent or a Win32_ProcessStopTrace;
Thank You!
using System;
using System.Management;
using System.Threading;
public class EventWatcherPolling
{
public static int Main(string[] args)
{
WqlEventQuery query =
new WqlEventQuery("__InstanceCreationEvent",
new TimeSpan(0, 0, 1),
"TargetInstance isa \"Win32_Process\"");
ManagementEventWatcher watcher = new ManagementEventWatcher(query);
while (true)
{
try
{
Console.WriteLine("Waiting:");
ManagementBaseObject e = watcher.WaitForNextEvent();
Console.WriteLine(
"IC: {0}",
((ManagementBaseObject)e["TargetInstance"])["Name"]);
}
catch (Exception except)
{
Console.WriteLine("EXCEPTION: " + except.ToString());
}
}
watcher.Stop();
return 0;
}
}