Here is a C++ project that solves your problem:
Detecting Windows NT/2K process execution
You can either create a C++/CLI project based on the code, or use the DllImportAttribute to access the required native functions from C#.
[Update]
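    #include <cstdio>
    #include <windows.h>
    #include <tlhelp32.h>

    int main( int, char *[] )
    {
        PROCESSENTRY32 entry;
        entry.dwSize = sizeof(PROCESSENTRY32);
        // The second argument is a process ID, not a pointer, so pass 0
        HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (snapshot == INVALID_HANDLE_VALUE)
            return 1;
        if (Process32First(snapshot, &entry) == TRUE)
        {
            // do/while so the entry returned by Process32First is not skipped
            do
            {
                char buffer[512] = {0,};
                DWORD bufferSize = sizeof(buffer) - 1;
                // Query-only access is enough to read the image name;
                // OpenProcess still fails for processes the caller may not open
                HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, entry.th32ProcessID);
                if (hProcess == NULL)
                    continue;
                // ANSI variant, because buffer is a char array
                if (QueryFullProcessImageNameA(hProcess, PROCESS_NAME_NATIVE, buffer, &bufferSize))
                    printf("%lu %s\n", entry.th32ProcessID, buffer);
                CloseHandle(hProcess);
            } while (Process32Next(snapshot, &entry) == TRUE);
        }
        CloseHandle(snapshot);
        return 0;
    }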
The szExeFile member of the PROCESSENTRY32 structure does not always contain the full path.
All of the functions are documented in MSDN:
Process and Thread Functions
Tool Help Functions
PsSetCreateProcessNotifyRoutine is exported from NTOSKRNL and only available to drivers - the article referred to above explains how you can get a notification from your driver to a user process whenever a process is started.
Obviously it's easier to follow Mika's example - just use a timer and execute it every 10 seconds or so.
Best regards
Espen Harlinn
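The timer-based polling mentioned in the answer, as an added example that is not part of the original post: it compares two consecutive process snapshots and reports what started in between. The `ProcInfo` struct, the `newProcesses` helper and the sample rows are assumptions made for illustration; on Windows the fields would be filled from the Toolhelp loop above plus GetProcessTimes.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One row of a process snapshot (hypothetical type for this example).
struct ProcInfo {
    uint32_t pid;
    uint64_t createTime;    // process creation time as a 64-bit value
    std::string imagePath;  // full image path
};

// Hypothetical helper: processes present in `current` but not in `previous`.
// Identity is (pid, createTime), so a PID that was recycled by a different
// process between two polls is still reported as a new process.
std::vector<ProcInfo> newProcesses(const std::vector<ProcInfo>& previous,
                                   const std::vector<ProcInfo>& current)
{
    std::map<uint32_t, uint64_t> seen;
    for (const ProcInfo& p : previous) seen[p.pid] = p.createTime;

    std::vector<ProcInfo> started;
    for (const ProcInfo& p : current) {
        auto it = seen.find(p.pid);
        if (it == seen.end() || it->second != p.createTime)
            started.push_back(p);
    }
    return started;
}

// Constructed sample snapshots: PID 3300 is reused by cmd.exe, PID 4100 is new.
std::vector<ProcInfo> samplePrevious() {
    return { {4, 100, "System"},
             {1200, 5000, "C:\\Windows\\explorer.exe"},
             {3300, 7000, "C:\\Windows\\System32\\notepad.exe"} };
}
std::vector<ProcInfo> sampleCurrent() {
    return { {4, 100, "System"},
             {1200, 5000, "C:\\Windows\\explorer.exe"},
             {3300, 9100, "C:\\Windows\\System32\\cmd.exe"},
             {4100, 9200, "C:\\Windows\\System32\\calc.exe"} };
}

int main() {
    for (const ProcInfo& p : newProcesses(samplePrevious(), sampleCurrent()))
        std::printf("started: pid=%u path=%s\n",
                    static_cast<unsigned>(p.pid), p.imagePath.c_str());
    return 0;
}
```

A process that starts and exits between two polls appears in neither snapshot, so polling cannot report it; the driver notification routine does not have that gap.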