C++ C++;:在Windows中监视进程的创建和终止
我碰巧看到了代码的以下部分 我使用相同的C++ C++;:在Windows中监视进程的创建和终止,c++,process,wmi,wmi-query,wql,C++,Process,Wmi,Wmi Query,Wql,我碰巧看到了代码的以下部分 我使用相同的WQL查询来监视C++中的进程。在C++中是否有类似的东西,通过它我可以知道这是进程的创建还是终止。我尝试使用\u类,但它以Win32\u进程的形式提供输出。我正在MSVS2010中编码 请帮忙,谢谢 编辑1:添加了WQL查询 hres = pSvc->ExecNotificationQueryAsync( _bstr_t("WQL"), _bstr_t("SELECT * " "FROM
WQLC++C++\u类Win32\u进程MSVS2010hres = pSvc->ExecNotificationQueryAsync(
_bstr_t("WQL"),
_bstr_t("SELECT * "
"FROM __InstanceDeletionEvent WITHIN 1 "
"WHERE TargetInstance ISA 'Win32_Process' "),
WBEM_FLAG_SEND_STATUS,
NULL,
pStubSink);
hres = pSvc->ExecNotificationQueryAsync(
_bstr_t("WQL"),
_bstr_t("SELECT * "
"FROM __InstanceCreationEvent WITHIN 1 "
"WHERE TargetInstance ISA 'Win32_Process'"),
WBEM_FLAG_SEND_STATUS,
NULL,
pStubSink);
使用上述代码,我从IWbemObjectSink::Indicate方法将创建或终止的进程名称打印到控制台。为了使用单个WQL语句检测进程的创建和终止,您可以像这样使用
\u InstanceOperationEventSelect * From __InstanceOperationEvent Within 1 Where TargetInstance ISA Win32_Process
\u classHRESULT EventSink::Indicate(long lObjectCount,
IWbemClassObject **apObjArray)
{
HRESULT hr = S_OK;
_variant_t vtProp;
for (int i = 0; i < lObjectCount; i++)
{
bool CreateorDel = false;
_variant_t cn;
hr = apObjArray[i]->Get(_bstr_t(L"__Class"), 0, &cn, 0, 0);
if (SUCCEEDED(hr))
{
wstring LClassStr(cn.bstrVal);
if (0 == LClassStr.compare(L"__InstanceDeletionEvent") )
{
wcout << "Deletion" << endl;
CreateorDel = true;
}
else if (0 == LClassStr.compare(L"__InstanceCreationEvent"))
{
wcout << "Creation" << endl;
CreateorDel = true;
}
else
{
CreateorDel = false;
//wcout << "Modification " << endl;
}
}
VariantClear(&cn);
if (CreateorDel)
{
hr = apObjArray[i]->Get(_bstr_t(L"TargetInstance"), 0, &vtProp, 0, 0);
if (!FAILED(hr))
{
IUnknown* str = vtProp;
hr = str->QueryInterface( IID_IWbemClassObject, reinterpret_cast< void** >( &apObjArray[i] ) );
if ( SUCCEEDED( hr ) )
{
_variant_t cn;
hr = apObjArray[i]->Get( L"Name", 0, &cn, NULL, NULL );
if ( SUCCEEDED( hr ) )
{
if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
wcout << "Name : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
else
wcout << "Name : " << cn.bstrVal << endl;
}
VariantClear(&cn);
hr = apObjArray[i]->Get( L"Handle", 0, &cn, NULL, NULL );
if ( SUCCEEDED( hr ) )
{
if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
wcout << "Handle : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
else
wcout << "Handle : " << cn.bstrVal << endl;
}
VariantClear(&cn);
}
}
VariantClear(&vtProp);
}
}
return WBEM_S_NO_ERROR;
}
HRESULT EventSink::指示(长lObjectCount,
IWbemClassObject**apObjArray)
{
HRESULT hr=S_正常;
_变体vtProp;
for(int i=0;iGet(_bstr_t(L“__类”),0,&cn,0,0);
如果(成功(hr))
{
wstring-LClassStr(cn.bstrVal);
如果(0==LClassStr.compare(L“\uu instanceDeleteEvent”))
{
wcout为了使用单个WQL语句检测进程的创建和终止,您可以像这样使用\uu InstanceOperationEvent
类
Select * From __InstanceOperationEvent Within 1 Where TargetInstance ISA Win32_Process
然后,如果要确定到达事件的类型(类),必须开发\u class
属性
试试这个样品
HRESULT EventSink::Indicate(long lObjectCount,
IWbemClassObject **apObjArray)
{
HRESULT hr = S_OK;
_variant_t vtProp;
for (int i = 0; i < lObjectCount; i++)
{
bool CreateorDel = false;
_variant_t cn;
hr = apObjArray[i]->Get(_bstr_t(L"__Class"), 0, &cn, 0, 0);
if (SUCCEEDED(hr))
{
wstring LClassStr(cn.bstrVal);
if (0 == LClassStr.compare(L"__InstanceDeletionEvent") )
{
wcout << "Deletion" << endl;
CreateorDel = true;
}
else if (0 == LClassStr.compare(L"__InstanceCreationEvent"))
{
wcout << "Creation" << endl;
CreateorDel = true;
}
else
{
CreateorDel = false;
//wcout << "Modification " << endl;
}
}
VariantClear(&cn);
if (CreateorDel)
{
hr = apObjArray[i]->Get(_bstr_t(L"TargetInstance"), 0, &vtProp, 0, 0);
if (!FAILED(hr))
{
IUnknown* str = vtProp;
hr = str->QueryInterface( IID_IWbemClassObject, reinterpret_cast< void** >( &apObjArray[i] ) );
if ( SUCCEEDED( hr ) )
{
_variant_t cn;
hr = apObjArray[i]->Get( L"Name", 0, &cn, NULL, NULL );
if ( SUCCEEDED( hr ) )
{
if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
wcout << "Name : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
else
wcout << "Name : " << cn.bstrVal << endl;
}
VariantClear(&cn);
hr = apObjArray[i]->Get( L"Handle", 0, &cn, NULL, NULL );
if ( SUCCEEDED( hr ) )
{
if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
wcout << "Handle : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
else
wcout << "Handle : " << cn.bstrVal << endl;
}
VariantClear(&cn);
}
}
VariantClear(&vtProp);
}
}
return WBEM_S_NO_ERROR;
}
HRESULT EventSink::指示(长lObjectCount,
IWbemClassObject**apObjArray)
{
HRESULT hr=S_正常;
_变体vtProp;
for(int i=0;iGet(_bstr_t(L“__类”),0,&cn,0,0);
如果(成功(hr))
{
wstring-LClassStr(cn.bstrVal);
如果(0==LClassStr.compare(L“\uu instanceDeleteEvent”))
{
wcout为每个查询设置单独的事件处理程序。如果启动创建事件处理程序,则为创建;如果启动删除事件处理程序,则为删除termination@stuartd:但是事件处理程序是否与ExecNotificationQueryAsync
函数有关(该函数反过来调用Indicate
函数)发生事件时调用哪个?此外,我的句柄在cpp
文件中定义,与包含函数定义的文件不同。为每个查询设置单独的事件处理程序。如果启动创建事件处理程序,则它是创建;如果启动删除事件处理程序,则它是删除termination@stuartd:但事件处理程序与ExecNotificationQueryAsync
函数有关(该函数反过来调用Indicate
函数)发生事件时调用哪个?我的句柄定义在一个cpp
文件中,与包含函数定义的文件不同。那很好。它起作用了。我也发现了代码中的错误。我在你尝试Name
和Handle
的地方尝试了\u Class
。非常感谢你。我使用了Select*从1内的InstanceOperationEvent,其中TargetInstance是一个“Win32进程”
而不是选择*从1内的InstanceOperationEvent,其中TargetInstance是一个Win32进程
来删除一个错误。这很好。它起作用了。我也得到了代码中的错误。我在你尝试的地方尝试了\UU类
de>Name
和Handle
。非常感谢您。我使用Select*From\u InstanceOperationEvent in1,其中TargetInstance ISA'Win32\u Process'
而不是Select*From\u InstanceOperationEvent in1,其中TargetInstance ISA Win32\u Process
来删除错误。