
Working with WMI


bitcoin:
Hello, I don't know how to use WMI, because it's terrible COM everywhere  :(

This sample https://github.com/Frankie-PellesC/fSDK/tree/master/Samples_and_Tests/WMI/Notifications_WMI

How (and where) can I get the new (created) process name and handle?

I want to write a monitoring tool to track CreateProcess (and suspend it). How do I do it? Help please.

TimoVJL:
For Frankie's example:
--- Code: ---
#include <windows.h>
#include <wbemidl.h>
#include <stdio.h>

/* IWbemObjectSink::Indicate - WMI calls this for each batch of events that
   match the WQL subscription (here __InstanceCreationEvent on Win32_Process). */
HRESULT STDMETHODCALLTYPE EventSink_Indicate(IWbemObjectSink *this, long lObjectCount, IWbemClassObject **apObjArray)
{
    for (int i = 0; i < lObjectCount; i++)
    {
        printf("Event occurred %d/%ld\n", i, lObjectCount);
        IWbemClassObject *pIWbemClassObject = apObjArray[i];
        VARIANT vcn;
        HRESULT hr;
        VariantInit(&vcn);

        /* __Class tells you which event fired, e.g. __InstanceCreationEvent */
        hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"__Class", 0, &vcn, NULL, NULL);
        if (SUCCEEDED(hr))
        {
            if (vcn.vt == VT_BSTR)
                printf("%ls\n", vcn.bstrVal);
            VariantClear(&vcn);
        }
        else
            printf("error: 0x%08lX\n", hr);

        /* TargetInstance is the embedded Win32_Process object (VT_UNKNOWN) */
        hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"TargetInstance", 0, &vcn, NULL, NULL);
        if (FAILED(hr))
        {
            printf("error: 0x%08lX\n", hr);
            continue;
        }
        if (vcn.vt == VT_UNKNOWN)
        {
            IUnknown *pUnk = vcn.punkVal;
            IWbemClassObject *pIWbemClassObject1;
            if (SUCCEEDED(pUnk->lpVtbl->QueryInterface(pUnk, &IID_IWbemClassObject, (void **)&pIWbemClassObject1)))
            {
                VARIANT vcn1;
                /* Name: image name of the new process */
                if (SUCCEEDED(pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Name", 0, &vcn1, NULL, NULL)))
                {
                    if (vcn1.vt == VT_BSTR)
                        printf("%ls\t", vcn1.bstrVal);
                    VariantClear(&vcn1);
                }
                VARIANT vcn2;
                /* Handle: Win32_Process stores the process ID here as a string; it is
                   not a kernel HANDLE. Use OpenProcess() on that PID if you need one. */
                if (SUCCEEDED(pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Handle", 0, &vcn2, NULL, NULL)))
                {
                    if (vcn2.vt == VT_BSTR)
                        printf("%ls\n", vcn2.bstrVal);
                    VariantClear(&vcn2);
                }
                /* balance the reference taken by QueryInterface */
                pIWbemClassObject1->lpVtbl->Release(pIWbemClassObject1);
            }
        }
        VariantClear(&vcn);
    }

    return WBEM_S_NO_ERROR;
}

--- End code ---
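The same subscription in PowerShell, as an added example that is not part of the thread or of Frankie's fSDK sample: it registers the identical WQL query (__InstanceCreationEvent WITHIN 1 on Win32_Process) and reads Name, ProcessId and ParentProcessId from TargetInstance, which is what the C sink above does through IWbemObjectSink::Indicate. It is a quick way to check what your C version should be printing, and it keeps running until you stop it, answering the "track forever" question without a Sleep(). The log path and the 'ProcCreate' identifier are arbitrary choices; run it as Administrator so CommandLine is readable for every process.

```powershell
# Added example, not code from the thread or from the fSDK sample.
# Assumptions: elevated PowerShell 5.1+; $LogPath is an illustrative location.

$LogPath = Join-Path $env:TEMP 'proc-create.log'

# WITHIN 1: WMI polls Win32_Process once a second and synthesises an intrinsic
# __InstanceCreationEvent for every instance that appeared since the last poll.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

Register-CimIndicationEvent -Query $Query -SourceIdentifier 'ProcCreate' | Out-Null

try {
    while ($true) {
        # Blocks like WaitForSingleObject(..., INFINITE) in the C program,
        # but returns once per queued event.
        $ev   = Wait-Event -SourceIdentifier 'ProcCreate'
        $proc = $ev.SourceEventArgs.NewEvent.TargetInstance   # Win32_Process instance

        # Win32_Process.Handle is the PID as a string, not a kernel HANDLE;
        # ProcessId carries the same value as an integer.
        $childPid  = [int]$proc.ProcessId
        $parentPid = [int]$proc.ParentProcessId
        $parent    = Get-CimInstance Win32_Process -Filter "ProcessId = $parentPid" `
                         -ErrorAction SilentlyContinue

        $line = '{0:o}' -f (Get-Date)
        $line += "`t$($proc.Name)`tpid=$childPid`tppid=$parentPid ($($parent.Name))`t$($proc.CommandLine)"
        Add-Content -Path $LogPath -Value $line
        Write-Host $line

        # Anything you do with the process here (Get-Process -Id $childPid,
        # OpenProcess on the PID from native code) happens after it has already
        # been running for up to the WITHIN interval.
        Remove-Event -EventIdentifier $ev.EventIdentifier
    }
}
finally {
    # Runs on Ctrl+C as well, so the subscription does not leak.
    Unregister-Event -SourceIdentifier 'ProcCreate'
}
```

Two caveats matter for a "suspend on CreateProcess" tool. First, intrinsic events are polled, so a process that starts and exits inside the WITHIN interval is never reported, and every reported process has already executed for up to that interval; the extrinsic Win32_ProcessStartTrace class (also usable with the same cmdlet, fields ProcessName, ProcessID, ParentProcessID) is delivered as the process starts rather than on a polling tick. Second, any user-mode subscriber, WMI or psapi, observes the creation after the fact; a control that must stop the process before its first instruction runs needs a kernel-mode process-creation callback, not a WMI sink.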

bitcoin:
Thank you, it works! Can you tell me: if I want to track processes always (forever), will it be enough to replace Sleep(10000) with Sleep(INFINITE)? Or not?

I want to code a service or program that must work always, from Windows startup to shutdown.

TimoVJL:
In my test, I used WaitForSingleObject(GetCurrentProcess(), INFINITE);

psapi could be another option for the program.

bitcoin:

--- Quote from: TimoVJL on June 24, 2019, 08:25:12 PM ---psapi could be another option for the program.

--- End quote ---
With psapi I must call EnumProcesses (or whatever you mean) every 5 (or more/less) seconds. So it may load the processor or skip some processes.
In WMI we have events... but COM is terribly hard.
