[request] process termination notification
I use madCodeHook to get process creation / termination notifications.
But I don't know how to receive process termination notifications.
Re: [request] process termination notification
Yes, I already know this demo.
But this demo hooks ExitProcess, TerminateProcess, NtTerminateProcess, etc., and I can't receive a process termination notification when the process crashes.
I want to get all process termination notifications, even if the process crashed.
Re: [request] process termination notification
In that case use process creation notification to build a list of running processes. Then you can use a separate thread to use WaitForMultipleObjects with the process handles of all the running processes. WaitForMultipleObjects will let you know as soon as one of the processes closes down, for whatever reason.
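The approach Madshi describes above, as an added PowerShell example that is not code from the thread or from madCodeHook: open a SYNCHRONIZE handle to each process you track and wait on all of them at once (WaitHandle.WaitAny is WaitForMultipleObjects underneath). A process handle becomes signaled when the process ends for any reason, crash included, which is exactly what hooking ExitProcess/TerminateProcess cannot see. The function name `Watch-ProcessExit`, the `Win32.Proc` P/Invoke wrapper and the crash heuristic on the exit code are assumptions made for this example.

```powershell
# Added example, not code from the thread or from madCodeHook: watch a set of PIDs by
# waiting on their process handles (WaitHandle.WaitAny is WaitForMultipleObjects underneath).
# The handle is signaled when the process ends for any reason, crash included.

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetExitCodeProcess(IntPtr hProcess, out uint exitCode);
'@

function Watch-ProcessExit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int[]]$Id,
        [int]$TimeoutMs = -1          # -1 waits forever, like INFINITE
    )
    # SYNCHRONIZE is all a wait needs and is granted even on protected processes;
    # PROCESS_QUERY_LIMITED_INFORMATION (Vista+) is only for GetExitCodeProcess.
    # On XP use PROCESS_QUERY_INFORMATION (0x0400) instead.
    [uint32]$SYNCHRONIZE = 0x00100000
    [uint32]$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

    # WaitAny, like WaitForMultipleObjects, accepts at most MAXIMUM_WAIT_OBJECTS (64) handles.
    if ($Id.Count -gt 64) { throw 'At most 64 PIDs per watcher; spread larger sets over several threads.' }

    $watch = New-Object System.Collections.ArrayList
    foreach ($p in $Id) {
        $h = [Win32.Proc]::OpenProcess($SYNCHRONIZE -bor $PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$p)
        if ($h -eq [IntPtr]::Zero) {
            Write-Warning ('PID {0}: OpenProcess failed, Win32 error {1}' -f $p, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
            continue
        }
        # Wrap the raw process handle in a WaitHandle so WaitAny can wait on it.
        # ownsHandle = $true, so disposing the WaitHandle closes the process handle.
        $wh = New-Object System.Threading.ManualResetEvent($false)
        $wh.SafeWaitHandle = New-Object Microsoft.Win32.SafeHandles.SafeWaitHandle($h, $true)
        [void]$watch.Add([pscustomobject]@{ Id = $p; Handle = $h; Wait = $wh })
    }

    while ($watch.Count -gt 0) {
        $handles = [System.Threading.WaitHandle[]]@($watch | ForEach-Object { $_.Wait })
        $i = [System.Threading.WaitHandle]::WaitAny($handles, $TimeoutMs)
        if ($i -eq [System.Threading.WaitHandle]::WaitTimeout) { break }

        $entry = $watch[$i]
        [uint32]$code = 0
        [void][Win32.Proc]::GetExitCodeProcess($entry.Handle, [ref]$code)
        [pscustomobject]@{
            Time        = Get-Date
            Id          = $entry.Id
            ExitCode    = ('0x{0:X8}' -f $code)
            # Heuristic (assumption of this example): an unhandled exception leaves its NTSTATUS
            # as the exit code, e.g. 0xC0000005; severity bits 31:30 == 11 marks an error status.
            LikelyCrash = (($code -shr 30) -eq 3)
        }
        $entry.Wait.Dispose()     # also closes the process handle
        $watch.RemoveAt($i)
    }
}

# Usage: Watch-ProcessExit -Id (Get-Process notepad).Id -TimeoutMs 60000
```

Holding the handle has a side benefit over tracking bare PIDs: the process object stays alive until the last handle closes, so the PID cannot be recycled to an unrelated process while you are still watching it. The 64-handle limit is the same MAXIMUM_WAIT_OBJECTS cap that applies to WaitForMultipleObjects, so a system-wide watcher has to shard its list across several threads.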
Re: [request] process termination notification
WMI is the easiest and cleanest route to receive process creation and termination events from usermode. You just set up an event sink and don't have to build and/or maintain internal process lists, which can be problematic with protected processes on Vista+ etc. Small example using WMI can be seen here http://weblogs.asp.net/whaggard/438006
--Iconic
Re: [request] process termination notification
I know the WMI method, but this method is not reliable, and it has very high CPU usage even if the WMI kernel trace is used. ;-( Besides, Windows XP Home Edition does not support the WMI kernel trace method.
Re: [request] process termination notification
Hi,
It's true that these event classes exist only on NT 6.0 (Vista) and above. If you need to support Windows XP, which is nearly 14 years old, and have it work on all OSs then use Madshi's idea of course.
P.S: I was referring to __InstanceDeletionEvent which only monitors process terminations with WMI, any other tracing is not needed. Since you care about CPU usage and performance the best solution is to register a Process Notification Routine within a driver and if the bCreate argument inside your callback is FALSE then this is a process termination. Of course if you can't sign a kernel mode driver then you'll not be able to load your driver on x64 (out of the box). PsSetCreateProcessNotifyRoutine can be seen here https://msdn.microsoft.com/en-us/librar ... 85%29.aspx
--Iconic
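The two WMI routes discussed in this thread, Iconic's __InstanceDeletionEvent subscription and the kernel-trace event class that only exists on Vista and later, as an added PowerShell example that is not code from the thread or from the linked weblog. The function name `Watch-ProcessStopWmi` and its parameters are assumptions made for this example; the WQL queries and class names are the real ones.

```powershell
# Added example, not code from the thread: subscribe to WMI process termination events.
# 'Intrinsic' uses __InstanceDeletionEvent on Win32_Process, which WMI implements by polling
# at the WITHIN interval (the CPU cost) and which also exists on XP.
# 'Trace' uses Win32_ProcessStopTrace, the kernel-trace class that exists only on Vista and
# later, is not polled, and needs an elevated session.

function Watch-ProcessStopWmi {
    [CmdletBinding()]
    param(
        [ValidateSet('Intrinsic', 'Trace')][string]$Method = 'Intrinsic',
        [int]$PollSeconds = 2,       # WITHIN interval for the intrinsic query; smaller = more CPU
        [int]$TimeoutSec = 60
    )
    $query = if ($Method -eq 'Intrinsic') {
        "SELECT * FROM __InstanceDeletionEvent WITHIN $PollSeconds WHERE TargetInstance ISA 'Win32_Process'"
    } else {
        'SELECT * FROM Win32_ProcessStopTrace'
    }
    $src = "ProcStop-$Method"
    # No -Action block: events are queued and drained synchronously below, so the caller
    # gets ordinary objects on the pipeline instead of job output.
    Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $query -SourceIdentifier $src
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        while ((Get-Date) -lt $deadline) {
            $e = Wait-Event -SourceIdentifier $src -Timeout 1
            if (-not $e) { continue }
            $ev = $e.SourceEventArgs.NewEvent
            if ($Method -eq 'Intrinsic') {
                # TargetInstance is the last Win32_Process snapshot; it carries no exit code.
                $t = $ev.TargetInstance
                [pscustomobject]@{
                    Time = $e.TimeGenerated; Method = $Method; Id = $t.ProcessId
                    Name = $t.Name; Path = $t.ExecutablePath; ExitStatus = $null
                }
            } else {
                # ExitStatus holds the NTSTATUS of an unhandled exception,
                # e.g. 0xC0000005 for an access violation, so crashes are distinguishable here.
                [pscustomobject]@{
                    Time = $e.TimeGenerated; Method = $Method; Id = $ev.ProcessID
                    Name = $ev.ProcessName; Path = $null
                    ExitStatus = ('0x{0:X8}' -f [uint32]$ev.ExitStatus)
                }
            }
            Remove-Event -EventIdentifier $e.EventIdentifier
        }
    } finally {
        Unregister-Event -SourceIdentifier $src
    }
}

# Usage: Watch-ProcessStopWmi -Method Intrinsic -PollSeconds 1 -TimeoutSec 120
#        Watch-ProcessStopWmi -Method Trace -TimeoutSec 120      (run elevated, Vista+)
```

The intrinsic query is what the OP calls unreliable: WMI enumerates Win32_Process every WITHIN seconds and diffs the snapshots, so a process that starts and dies inside one interval is never reported, and shortening the interval is what drives the CPU usage up. The trace class is fed directly by the kernel and carries the exit status, but it is the Vista+ class the later posts refer to. On XP, where Register-CimIndicationEvent is not available, Register-WmiEvent accepts the same -Query and -SourceIdentifier for the intrinsic variant.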