Pelles C forum

C language => Windows questions => Topic started by: bitcoin on June 24, 2019, 02:44:54 pm

Title: Working with WMI
Post by: bitcoin on June 24, 2019, 02:44:54 pm
Hello, I don't know how to use WMI, because it's terrible, COM everywhere  :(

This sample: https://github.com/Frankie-PellesC/fSDK/tree/master/Samples_and_Tests/WMI/Notifications_WMI

How (and where) can I get the new (created) process name and handle?

I want to write some monitoring tool to track CreateProcess (and suspend it). How to do it? Help please.
Title: Re: Working with WMI
Post by: TimoVJL on June 24, 2019, 06:45:23 pm
For that, with Frankie's example:
Code: [Select]
HRESULT STDMETHODCALLTYPE EventSink_Indicate(IWbemObjectSink *this, long lObjectCount, IWbemClassObject **apObjArray)
{
    for (int i = 0; i < lObjectCount; i++)
    {
        printf("Event occurred %d/%d\n", i, lObjectCount);
        IWbemClassObject *pIWbemClassObject = apObjArray[i];
        VARIANT vcn;
        HRESULT hr;
        VariantInit(&vcn);
        /* __Class of the event object itself, e.g. __InstanceCreationEvent */
        if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"__Class", 0, &vcn, NULL, NULL)))
        {
            if (vcn.vt == VT_BSTR)
                printf("%ls\n", vcn.bstrVal);
            VariantClear(&vcn);
        }
        else
            printf("error: 0x%08X\n", (unsigned)hr);
        /* TargetInstance is the embedded Win32_Process object, delivered as VT_UNKNOWN */
        if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"TargetInstance", 0, &vcn, NULL, NULL)))
        {
            IWbemClassObject *pIWbemClassObject1;
            if (vcn.vt == VT_UNKNOWN && vcn.punkVal &&
                !(hr = vcn.punkVal->lpVtbl->QueryInterface(vcn.punkVal, &IID_IWbemClassObject, (void **)&pIWbemClassObject1)))
            {
                VARIANT vcn1;
                if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Name", 0, &vcn1, NULL, NULL)))
                {
                    if (vcn1.vt == VT_BSTR)
                        printf("%ls\t", vcn1.bstrVal);
                    VariantClear(&vcn1);
                }
                VARIANT vcn2;
                /* Handle is a BSTR holding the process ID, not a Win32 HANDLE */
                if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Handle", 0, &vcn2, NULL, NULL)))
                {
                    if (vcn2.vt == VT_BSTR)
                        printf("%ls\n", vcn2.bstrVal);
                    VariantClear(&vcn2);
                }
                /* QueryInterface added a reference; drop it or every event leaks an object */
                pIWbemClassObject1->lpVtbl->Release(pIWbemClassObject1);
            }
            VariantClear(&vcn);
        }
        else
            printf("error: 0x%08X\n", (unsigned)hr);
    }

    return WBEM_S_NO_ERROR;
}
Title: Re: Working with WMI
Post by: bitcoin on June 24, 2019, 08:03:34 pm
Thank you, it works! Can you tell me: if I want to track processes always (forever), will it be enough to replace Sleep(10000) with Sleep(INFINITE)? Or not?

I want to code a service or program that must work always, from Windows startup to shutdown.
Title: Re: Working with WMI
Post by: TimoVJL on June 24, 2019, 08:25:12 pm
In my test, I used WaitForSingleObject(GetCurrentProcess(), INFINITE);

psapi could be another option for a program.
Title: Re: Working with WMI
Post by: bitcoin on June 24, 2019, 08:57:54 pm
psapi could be another option for program.
With psapi I must call EnumProcesses (or whatever you mean) every 5 (or more/fewer) seconds. So it may load the processor or skip some process.
In WMI we have events... but COM is terribly hard.
Title: Re: Working with WMI
Post by: bitcoin on June 25, 2019, 10:11:55 am
Is calling CoSetProxyBlanket required? Or can I skip it? I don't understand this API.
Title: Re: Working with WMI
Post by: TimoVJL on June 27, 2019, 11:23:47 am
Maybe that 'blanket' is for RPC ?

An example to keep notepad.exe from running ;)
Code: [Select]
HRESULT STDMETHODCALLTYPE EventSink_Indicate(IWbemObjectSink *this, long lObjectCount, IWbemClassObject **apObjArray)
{
    for (int i = 0; i < lObjectCount; i++)
    {
        printf("Event occurred %d/%d\n", i, lObjectCount);
        IWbemClassObject *pIWbemClassObject = apObjArray[i];
        VARIANT vcn;
        HRESULT hr;
        VariantInit(&vcn);
        if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"__Class", 0, &vcn, NULL, NULL)))
        {
            if (vcn.vt == VT_BSTR)
                printf("%ls\n", vcn.bstrVal);
            VariantClear(&vcn);
        }
        else
            printf("error: 0x%08X\n", (unsigned)hr);
        if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"TargetInstance", 0, &vcn, NULL, NULL)))
        {
            IWbemClassObject *pIWbemClassObject1;
            if (vcn.vt == VT_UNKNOWN && vcn.punkVal &&
                !(hr = vcn.punkVal->lpVtbl->QueryInterface(vcn.punkVal, &IID_IWbemClassObject, (void **)&pIWbemClassObject1)))
            {
                BOOL bFound = FALSE;
                DWORD pid = 0;
                VARIANT vcn1;
                if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Name", 0, &vcn1, NULL, NULL)))
                {
                    if (vcn1.vt == VT_BSTR)
                    {
                        printf("%ls\t", vcn1.bstrVal);
                        /* image names are case-insensitive on Windows; NOTEPAD.EXE must match too */
                        bFound = !_wcsicmp(vcn1.bstrVal, L"notepad.exe");
                    }
                    VariantClear(&vcn1);
                }
                VARIANT vcn2;
                /* Handle is a BSTR holding the process ID, not a Win32 HANDLE */
                if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Handle", 0, &vcn2, NULL, NULL)))
                {
                    if (vcn2.vt == VT_BSTR)
                    {
                        printf("%ls\n", vcn2.bstrVal);
                        pid = wcstoul(vcn2.bstrVal, NULL, 10);
                    }
                    VariantClear(&vcn2);
                }
                if (bFound && pid)
                {
                    printf("found: %lu\n", pid);
                    /* ask only for the right we use: PROCESS_ALL_ACCESS is refused on more processes than PROCESS_TERMINATE */
                    HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
                    if (hProc)
                    {
                        if (!TerminateProcess(hProc, 0))
                            printf("TerminateProcess failed: %lu\n", GetLastError());
                        CloseHandle(hProc);
                    }
                    else
                        printf("OpenProcess failed: %lu\n", GetLastError());
                }
                pIWbemClassObject1->lpVtbl->Release(pIWbemClassObject1);
            }
            VariantClear(&vcn);
        }
        else
            printf("error: 0x%08X\n", (unsigned)hr);
    }

    return WBEM_S_NO_ERROR;
}
Title: Re: Working with WMI
Post by: bitcoin on June 27, 2019, 05:23:17 pm
Yes, it works! Thank you!  :)
Yesterday, I tried this:

Code: [Select]
VARIANT vcn3;
if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"ProcessId", 0, &vcn3, NULL, NULL)))
{
    /* ProcessId comes back as the numeric PID (VT_I4); the cast does not turn it into a process handle */
    TerminateProcess((void *)vcn3.intVal, 0);
This shit doesn't work (unlike your code). Thanks!
Title: Re: Working with WMI
Post by: bitcoin on September 24, 2020, 06:10:17 pm
Hello,
how can I terminate a process without WinAPI? I saw that Win32_Process has a method Terminate, but how do I call it?
Title: Re: Working with WMI
Post by: TimoVJL on September 25, 2020, 07:26:46 am
https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/terminate-method-in-class-win32-process
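The last question is answered above only with a link, so here is an added example (mine, not code from this thread or from Frankie's fSDK sample) that subscribes to the same __InstanceCreationEvent query the C sink is fed and then calls Win32_Process.Terminate through WMI instead of OpenProcess/TerminateProcess. It is PowerShell rather than Pelles C so the WQL text, the TargetInstance properties and the method's return codes can be checked from a console before they are wired into the C event sink; the target name notepad.exe, the source identifier ProcWatch and an elevated session are assumptions for the demo.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell 5.1+ session.
# $target is an assumption for the demo; change it to whatever image name you watch.
$target = 'notepad.exe'

# One-off: terminate every running instance by name. Invoke-CimMethod returns a
# CimMethodResult whose ReturnValue is the Terminate() result (0 = success).
function Stop-ProcessViaWmi([string]$Name) {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
        $r = $_ | Invoke-CimMethod -MethodName Terminate -Arguments @{ Reason = [uint32]0 }
        "PID {0}: ReturnValue {1}" -f $_.ProcessId, $r.ReturnValue
    }
}

# Resident monitor: the same WQL the C sink registers with ExecNotificationQueryAsync.
# __InstanceCreationEvent is an intrinsic event, i.e. WMI polls Win32_Process every
# WITHIN seconds, so a process that starts and exits inside that window is never seen.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

# The -Action block plays the role of EventSink_Indicate. $Event.SourceEventArgs.NewEvent is
# the __InstanceCreationEvent object and its TargetInstance is the Win32_Process that the C
# code reads with Get(L"TargetInstance"). -MessageData carries $target into the action scope.
Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcWatch' -MessageData $target -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Handle is a string holding the PID and ProcessId is the same number as UInt32.
    # Neither is a Win32 HANDLE, which is why TerminateProcess((HANDLE)ProcessId, 0) cannot work.
    Write-Host ("{0}`tHandle={1}`tProcessId={2}" -f $p.Name, $p.Handle, $p.ProcessId)
    if ($p.Name -eq $Event.MessageData) {
        # Win32_Process.Terminate(Reason) via WMI: no OpenProcess/TerminateProcess needed.
        # Re-query by key so the method runs against the live instance, not the event's snapshot.
        $r = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ProcessId)" |
             Invoke-CimMethod -MethodName Terminate -Arguments @{ Reason = [uint32]0 }
        # ReturnValue: 0 success, 2 access denied, 3 insufficient privilege, 8 unknown failure
        Write-Host ("Terminate({0}) -> ReturnValue {1}" -f $p.ProcessId, $r.ReturnValue)
    }
} | Out-Null

try {
    # Equivalent of WaitForSingleObject(GetCurrentProcess(), INFINITE): stay resident.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    Unregister-Event -SourceIdentifier 'ProcWatch'
}
```

Two caveats carry over to the C sink as well. The event fires after the process already exists and has been running for up to the WITHIN interval, so this design can kill a process, not suspend it at creation; for that a kernel callback (PsSetCreateProcessNotifyRoutine) or a user-mode hook is needed. And because __InstanceCreationEvent is polled, Win32_ProcessStartTrace is the better WMI class when short-lived processes matter; it is an extrinsic event that is pushed rather than polled.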