0

I'm using this code to detect if a process is detected or not. I use kill() to get rid of it. I originally want to suspend it and then do some processing with it which will decide whether to allow the process to run or not but apparently I'm unable to get that done as it creates the process and kills it after that. Here's the code...

var query = new WqlEventQuery("__InstanceCreationEvent", new TimeSpan(0, 0, 0, 0, 1),
    "TargetInstance isa \"Win32_Process\"");
      using (var watcher = new ManagementEventWatcher(query))
      {
          ManagementBaseObject mo = watcher.WaitForNextEvent();
          ManagementBaseObject o = (ManagementBaseObject)mo["TargetInstance"];
          String str = "";
          foreach (PropertyData s in o.Properties)
          {
              if(s.Name.equals("ProcessId"))
                {
                Process p = Process.GetProcessById(Int32.Parse(s.Value));
                p.Kill();
                }
          }
      }

The problem here is that when I run it and then type cmd.exe in Run dialog it appears for a second and then dies. Its not supposed to appear even for a second. I want to catch the process before it even creates windows i.e. loads into memory. Can anyone suggest how may I achieve this?

Saifur Rahman Mohsin
  • 929
  • 1
  • 11
  • 37
  • You used to be able to do this in registry by setting a ShellExecuteHook, but this functionality is switched off by default in Vista onwards. I think it might be possible to turn it on again... otherwise, this post ( http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/f61f8179-fc87-4cef-b795-10bc93bc9eee/shellexecutehook-gone-in-vista-win-7-any-alternatives?forum=windowssecurity ) seems to offer an alternative, but I don't know about a managed solution. – spender Mar 08 '14 at 13:00
  • http://www.codeproject.com/Articles/1490/Creating-a-shell-extension-with-C – spender Mar 08 '14 at 13:04
  • Amazing. Thanks for the response. I've successfully passed off my project with the flicker of the process appearing for a second. My professor didn't even notice. But I appreciate your comment as it exactly addresses my issue. Thanks – Saifur Rahman Mohsin Jun 14 '14 at 23:28

0 Answers0