C# __InstanceCreationEvent TargetInstance properties are all null


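I am trying to use WMI events to monitor processes that are started on the local computer. I use the following code to test the event and monitor processes: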

using System;
using System.Linq;
using System.Management;

class Program
{
    static void Main(string[] args)
    {
        ManagementEventWatcher watcher = WatchForProcessStart();
        while(true) watcher.WaitForNextEvent();
    }

    private static ManagementEventWatcher WatchForProcessStart()
    {
        string scope = @"\\.\root\CIMV2";
        string queryString = "SELECT TargetInstance FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'";

        ManagementEventWatcher watcher = new ManagementEventWatcher(scope, queryString);
        watcher.EventArrived += ProcessStarted;
        watcher.Start();
        return watcher;
    }

    private static void ProcessStarted(object sender, EventArrivedEventArgs e)
    {
        ManagementBaseObject targetInstance = (ManagementBaseObject)e.NewEvent.Properties["TargetInstance"].Value;
        targetInstance.Properties.Cast<PropertyData>().ToList().ForEach(p => Console.WriteLine("{0}={1}", p.Name, p.Value));
    }
}

However, the TargetInstance properties are all present, but their values are null when a process starts. Any ideas?

You are getting null values because you are not retrieving the fields in the WQL statement -

Replace this

  string queryString = "SELECT TargetInstance FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'";
with this

  string queryString = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'";

I'm not quite sure what you are trying to do. If you want to know when a process starts, use .
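
A complete watcher built on the corrected `SELECT *` query, as an added example that is not part of the original question or answer. The class name `ProcessStartMonitor`, the handler name, and the choice of `Win32_Process` properties to print are assumptions made for illustration.

```csharp
using System;
using System.Management;

// Added example (not from the original post): process-start monitor
// using the corrected query from the answer above.
class ProcessStartMonitor
{
    static void Main()
    {
        // SELECT * returns the whole event, so the embedded TargetInstance
        // object arrives with its property values populated.
        var query = new WqlEventQuery(
            "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
            "WHERE TargetInstance ISA 'Win32_Process'");
        var scope = new ManagementScope(@"\\.\root\CIMV2");

        using (var watcher = new ManagementEventWatcher(scope, query))
        {
            // Asynchronous delivery only: Start() plus the EventArrived handler.
            watcher.EventArrived += OnProcessStarted;
            watcher.Start();

            Console.WriteLine("Watching for process starts; press Enter to stop.");
            Console.ReadLine();

            watcher.Stop();
        }
    }

    static void OnProcessStarted(object sender, EventArrivedEventArgs e)
    {
        // TargetInstance is the Win32_Process instance that was created.
        var target = e.NewEvent["TargetInstance"] as ManagementBaseObject;
        if (target == null)
        {
            Console.WriteLine("Event arrived without a TargetInstance.");
            return;
        }

        // CommandLine can be null when the caller lacks access to the process.
        Console.WriteLine(
            "{0:o} pid={1} ppid={2} name={3} cmd={4}",
            DateTime.UtcNow,
            target["ProcessId"],
            target["ParentProcessId"],
            target["Name"],
            target["CommandLine"] ?? "(unavailable)");
    }
}
```

With `WITHIN 10`, WMI polls every 10 seconds, so a process that starts and exits between two polls produces no event.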