2
我试图使用WMI事件来监视在本地计算机上启动的进程。我用下面的代码来测试活动,并监视进程:__InstanceCreationEvent TargetInstance属性全为空
class Program
{
static void Main(string[] args)
{
ManagementEventWatcher watcher = WatchForProcessStart();
while(true) watcher.WaitForNextEvent();
}
private static ManagementEventWatcher WatchForProcessStart()
{
string scope = @"\\.\root\CIMV2";
string queryString = "SELECT TargetInstance FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'";
ManagementEventWatcher watcher = new ManagementEventWatcher(scope, queryString);
watcher.EventArrived += ProcessStarted;
watcher.Start();
return watcher;
}
private static void ProcessStarted(object sender, EventArrivedEventArgs e)
{
ManagementBaseObject targetInstance = (ManagementBaseObject)e.NewEvent.Properties["TargetInstance"].Value;
targetInstance.Properties.Cast<PropertyData>().ToList().ForEach(p => Console.WriteLine("{0}={1}", p.Name, p.Value));
}
}
然而TargetInstance化子性质都存在,但有一个null值,当我开始一个过程。有任何想法吗?
不说清楚替换这个
我你是什么试图去做。如果你想知道一个进程何时开始,那么改用[Win32_ProcessStartTrace class](http://stackoverflow.com/a/1986856/17034)。 –