Hey there, Is there a way to raise event when a new process is started without using the ManagementEventWatcher, and without using the Process.GetProcesses()?
The problem with ManagementEventWatcher is that the user needs to have high premmisions.
Thank you!!!
Unlike the extrinsic event Win32_ProcessStartTrace that you are currently using, the __InstanceCreationEvent and __InstanceDeletionEvent WMI intrinsic events do not require administrator rights.
Here's a sample query you can use to track process starts:
SELECT TargetInstance
FROM __InstanceCreationEvent WITHIN 1
WHERE TargetInstance ISA 'Win32_Process'
AND TargetInstance.Name LIKE '<your process name.exe>'
Further info: Process Information and Notifications using WMI
Because these are intrinsic events, WMI ultimately mimics event behaviour by means of polling, and will check for new events only periodically (here, every 1 second). Decreasing the WITHIN duration to fractions of seconds will give you faster response at the expense of CPU usage.
It should be possible to figure out when an application was last run by configuring audit process tracking in Windows. The following links might get you started:
Audit process tracking
How can I track what programs come and go on my machine?
The process tracking will create entries in the Windows event log which you can then access using C#.
Ref: .NET Process Monitor
Strange thing is an application does not need to create a window in windows. Create process may not belong to the window-station that you work on. You will need to find windows of that process anyway, and you will also need to detect new and closed windows of all processes.
So enumerating windows is much cleaner/easier choice.
Try EnumChildWindows function on desktop handle (retrieved by GetDesktopWindow) to find top level windows of applications. use GetWindowThreadProcessId and EnumThreadWindows on obtained handles to detect sub windows of windows.
A low priority thread will do the job.
You can probably use EnumDesktopWindows from user32.dll, you will get all the window handles, you can check the title of the window using GetWindowText, and type of window using GetClassName.
That way you can hide the hint or treasure anywhere. (because you will get handles of all the windows (and controls)).
See if this class will be useful to you
Managed Global Hook for Window Creation and Destruction
On that article, someone has created nice class with easy to attach events, You can run that code without elevating privileges.
Once you get the window (control) handle, you can add text or draw image on it for hints.
Related
I would like to obtain handle to notification window (balloon) using WinAPI. How can I do it, correctly?
Currently I found the solution by enumerating all windows using FindWindowEx function and then obtaining all windows that belongs to ShellExperienceHost.exe process. The operation is executed using GetWindowThreadProcessId API call.
After that we are limited to five windows and one of that window is notification window. But, the only parameter I can base on is window name. In this certain case it is "New notification". However, for my native language it is "Nowe powiadomienie". The application I am currently working on, needs to support multiple language. So, creating set with the names is not good options. Because, the code will be difficult to maintenance and can be depend on further changes in Windows.
I will be grateful for any help in this area.
I've been messing around with some code, to allow for getting the Window Handle of a running process, and the handles of all child objects within it - e.g. running it against calc.exe gives the hWnd of calc, plus the handle of each button, etc, which is all straight foward enough. Alongside this, I'm using ProcessWatcher to watch for specific processes launching.
Now, where I'm having issues, is figuring out if it's possible to subscribe in some way, to be notified of the creation / deletion of Window Handles.
The intention is to use the 'new' Window Handle to get details about the object, and compare it to a list of items that the application should be watching for, e.g. the application would be sitting waiting for the notepad.exe process to launch, once it sees this process, it knows it should be watching out for a new window being created titled 'Save As', that is someone related to the notepad.exe process.
At the moment, the only way I can think of would be via a timer, after a short period, enumerate all Window Handles manually, sorting through them for what I want, but I'd imagine this would be very resource hungry, and inefficient.
Thanks in advance...
I want to launch my application, like the windows security prompt, before any application is launched in Windows 8.
Is there any event handler, which gets notified whenever any application is launched?
My use Case : I want an App similar to a child lock(Lets call it myCustomApp).
When any user runs a game(say Solitare), i want myCustomApp to check the process name, and kill the process immediately.
P.S. : i am quite new to programming.
Thanks in advance!
Is there any event handler, which gets notified whenever any application is launched?
Yes: you get use WMI events to detect new instances of Win32_Process.
But these are created with process creation, not before.
Doing something between the call to ProcessCreate that creates the new process, and the process actually being created is going to be, at best hard (you might need to do it in the kernel), but quite possibly impossible.
Why do you want to do this? What problem are you trying to solve? This really does sound like an X-Y problem.
Edit:
The term you need to use is hook: the interception of some operation on windows. Eg. "Is it possible to hook the creation of windows globally so I can control where the windows are placed on the screen?"
There is a direct way in the kernel: PsSetCreateProcessNotifyRoutine
There are helpers in user mode (eg. EasyHook), but these require injected your code into each process (which anti-malware tools are likely to object to).
But you should still start out by looking for better approaches to you underlying problem.
I was wondering if there is a way I could hook the windows processes to check if any suspicious programs are running like (Wireshark, Fiddler, OllyDBG, etc).
I want to hook the windows processes so it will close the client or pop-up a message in real time when it detects a unwanted process.
If you guys can provide me with any links to doing this that would be nice.
Thanks!
Process[] processlist = Process.GetProcesses();
Then walk the list and do as desired for your apps you do not want to run.
You can detect process creations by using WMI creation events for Win32_Process. An instance of Win32_Process is created with each process, so looking new instances will tell you about process creation in (near) real time.
To receive WMI creation events see this page: http://msdn.microsoft.com/en-us/library/system.management.eventquery.aspx (EDIT: different link, now to sample in C#).
EnumWindows enumerates all top level windows.
And you don't want to inject a C# dll into other processes. This requires the .net runtime to be loaded into that process. This wastes RAM, and if the process is a .net app using a different version of .net then there are versioning problems. Especially if your dll is injected before the process loads its own version of .net.
And what to you want to achieve by injecting into that process you can't achieve from the outside?
You might want to check out EasyHook on CodePlex (http://easyhook.codeplex.com). Here is some discussion where people reportedly have been able to hook into CreateProcess. If you manage to hook into that API function you know of the created process at creation time.
Okay I've spent the afternoon researching and haven't had much luck finding the answer to this. I am trying to prevent an application from launching via some sort of dll or background application. It is to be used in monitoring application usage and licenses at my institution. I have found leads here regarding WqlEventQuery and also FileSystemWatcher. Neither of these solutions appear to work for me because:
With WqlEventQuery I was only able to handle an event after the process was created. Using notepad as a test, notepad was visible and accessible to me before my logic closed it. I attempted to Suspend/Resume the thread (I know this is unsafe but I was testing/playing) but this just hung the window until my logic finished.
With FileSystemWatcher I was not able to get any events from launching a .exe, only creating, renaming and deleting files.
The goal here is to not let the application launch at all unless my logic allows it to launch. Is this possible? The next best solution I came up with was forcing some type of modal dialog which does not allow the user to interact with anything, once the dialog is closed the application is killed. My concern here is killing the application nicely and handling applications with high overhead when they load such as Photoshop or something. This would also interfere with a feature I was hoping to have where the user could enter a queue until a license is available. Is this my best route? Any other suggestions?
Thanks
edit: To clarify this is not a virus or anything malicious. It's not about preventing access to a blacklist or allowing access through a whitelist. The idea is to check a database on a case by case basis for certain applications and see if there is a license available for use. If there is, let the app launch, if not display a dialog letting the user know. We also will use this for monitoring and keeping track if we have enough licenses to meet demand, etc. An example of one of these apps is SPSS which have very expensive licenses but a very limited pool of people using it.
Could you use
System.Diagnostics.Process.GetProcessesByName
in a loop to look for the process?
It might work if you don't use too aggressive a polling rate.
You are indeed close, take a look at the WMI Management Events. http://msdn.microsoft.com/en-us/library/ms186151%28VS.80%29.aspx
Sample code from Microsoft: http://msdn.microsoft.com/en-us/library/ms257355(VS.80).aspx
Subscribing to the appropriate event will provide your application with the appropriate information to perform what you described.
Not sure if this is a GOOD solution but you could do something like pass a key into main so that if the key is not present or valid the application shuts down. Then when you open the application in your code, just pass the key in. Someone would then have to know the key in order to start the application.
This is assuming you have access to the application in question's source code, which upon reading your question again, I'm not so sure of.
I assume you don't have source for the application you want to prevent from loading...
Have you considered using a system policy? That would be the best-supported way to prevent a user from launching a program.
You could have a service running that force-kills any app that isn't "whitelisted", but I can't say how well that would work.
I wonder if you are taking the wrong approach. Back in the day there was a Mac app that would prevent access to the desktop and had buttons to launch a set list of applications.
IDEA
What if you had a wrapper for the approved apps then only allow your wrapper to run on the computer?
I would expect there is some way of hooking an application launch, but can't help directly on that front.
You may be able to improve your current approach by detecting the application's window opening and hiding it (move it offscreen) so that the user can't attempt to interact with it while you are trying to shut it down.
However, another approach that may be possible (depending on your circumstances) would be to write an application launcher. This simply is a replacement for the shortcut to the application that checks your licencing conditions, and then does a Process.Start to launch the real .exe at that point. This would work well for any application. (I used a system like this for starting up applications with specialised environment settings and it works beautifully)
You could combine this with your current approach as a fall-back for "clever" users who manage to circumvent your launcher.
If my understanding is right you want to create an application what will prevent the computer user to start any other process except ones for a white-list.
If this is the case, monitor the process list of processes (in a while loop) using System.Diagnostics.Process (the GetProcesses method gives the list of all running ones)
Just kill the process when it starts.
Or if your machines have Windows 7 (Windows 2008??) you can use AppLocker. http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#applocker Just let Windows prevent the startup.
You might want to look at this product: http://www.sassafras.com/licensing.html Personally I can't stand it, but that's because it does what you describe. Might save you some coding.
You could actually edit the registry so when you click a psd, your launcher gets called instead of photoshop. Your launcher then checks for licenses and if there is one starts photoshop with the path of the file.
This is a long shot but you may find it helpful.
Perceived Types and Application Registration
http://msdn.microsoft.com/en-us/library/cc144150(VS.85).aspx