Process Create Notification using EnumProcess

My2Cents

3.67/5 (2 votes)

2 Jul 2009CPOL1 min read

30.1K

487

Poll using EnumProcess to get process create notification in user-mode

Download source - 1.76 KB

Introduction

Windows does not provide an event based mechanism in user-mode for process related notifications. As a result, any solution becomes inherently polling based. One such option is to use EnumProcess API. WMI can also be used. I have never used WMI so I can't say about the overhead of using a WMI based method. But one thing is for sure, using WMI does bring an additional dependency on WMI service. In this article, I will consider an EnumProcess based method. Please refer here for a WMI based method.

Using the Code

The sample class CProcessNotify wraps EnumProcess polling functionality. Polling with user supplied interval is done in a separate thread. Notifications are delivered in that thread. But if you need the calling thread to block, you may modify the class to suit your purpose. Here is the main code. Basically, compare the process id list returned from EnumProcess using STL set_compare. The difference in the current and the previous list gives the created and terminated ids. The current approach has one small drawback. If a process disappears and a new process appears with the same id within the polling interval, it would not know. The workaround for that would be to store process start time using GetProcessTimes API with the id.

C++

typedef std::vector<dword> PIDLIST;
typedef std::vector<dword>::iterator PIDLISTITER;

const DWORD nSize = 1024;
PIDLIST vPidListPrev;

for (;;)
{
	DWORD nRet = WaitForSingleObject(
		m_hQuit,
		m_nEnumInterval);
	if (WAIT_TIMEOUT != nRet)
	{
		return nRet;
	}

	PIDLIST vPidListNext(nSize);

	DWORD nNeeded = 0;
	BOOL bRet = EnumProcesses(
		&vPidListNext[0],
		nSize*sizeof(DWORD),
		&nNeeded);
	if (!bRet)
	{
		return GetLastError();
	}

	vPidListNext.resize(nNeeded / sizeof(DWORD));
	sort(
		vPidListNext.begin(),
		vPidListNext.end());

	if (vPidListPrev.empty())
	{
		if (!m_bNotifyCurrent)
		{
			vPidListPrev = vPidListNext;
			continue;
		}
	}

	if (vPidListNext.size() == vPidListPrev.size())
	{
		int nRet = memcmp(
			&vPidListNext[0],
			&vPidListPrev[0],
			nNeeded);
		if (0 == nRet)
		{
			continue;
		}
	}

	PIDLIST vPidListAdded(nSize);
	PIDLISTITER itAdded = set_difference(
		vPidListNext.begin(),
		vPidListNext.end(),
		vPidListPrev.begin(),
		vPidListPrev.end(),
		vPidListAdded.begin());
	for (PIDLISTITER it1 = vPidListAdded.begin() ; it1 != itAdded ; it1++)
	{
		BOOL bRet = OnNotify(*it1, TRUE);
		if (!bRet)
		{
			return ERROR_CANCELLED;
		}
		DWORD nRet = WaitForSingleObject(
			m_hQuit,
			0);
		if (WAIT_TIMEOUT != nRet)
		{
			return nRet;
		}
	}

	PIDLIST vPidListRemoved(nSize);
	PIDLISTITER itRemoved = set_difference(
		vPidListPrev.begin(),
		vPidListPrev.end(),
		vPidListNext.begin(),
		vPidListNext.end(),
		vPidListRemoved.begin());
	for (PIDLISTITER it1 = vPidListRemoved.begin() ; it1 != itRemoved ; it1++)
	{
		BOOL bRet = OnNotify(*it1, FALSE);
		if (!bRet)
		{
			return ERROR_CANCELLED;
		}
		DWORD nRet = WaitForSingleObject(
			m_hQuit,
			0);
		if (WAIT_TIMEOUT != nRet)
		{
			return nRet;
		}
	}

	vPidListPrev = vPidListNext;
}

Comments are most welcome.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)