
A process can be spawned using WMI COM; below is an example of spawning calc.exe in VBS. The parent would be WmiPrvSE.exe, which is the WMI COM server, rather than wscript.exe. The task is to hook the request for process creation shown below.

' Win32_Process.Create runs inside the WMI provider host, so the new process
' becomes a child of WmiPrvSE.exe, not of the wscript.exe running this script.
str = "calc.exe"
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
' Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId):
' intProcessID receives the PID of the spawned process on success
objProcess.Create str, Null, objConfig, intProcessID

Asynchronous process creation using WMI can be monitored using query:

"SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Post WHERE ObjectPath=\"Win32_Process\" AND MethodName=\"Create\"";

An event is triggered when the above VBS script is executed. But the ManagementEventWatcher receives an event whose only useful information is the command line:

void OnEventArrived(object sender, System.Management.EventArrivedEventArgs e)
{
    // InputParameters is an embedded __PARAMETERS object carrying Create's in-parameters,
    // so it must be cast before it can be indexed
    var input = (System.Management.ManagementBaseObject)e.NewEvent["InputParameters"];
    // CommandLine is a direct input parameter of Win32_Process.Create;
    // ProcessStartupInformation is the Win32_ProcessStartup object and has no CommandLine property
    string cmdline = (string)input["CommandLine"];
}

and it is impossible to know that the VBS originated the spawning of calc.exe. I need the source and destination PIDs, that is, "wscript.exe sample.vbs" PID=666 created "calc.exe" PID=667 using WMI. How can this be done? Additionally, is there any possibility of preventing process creation on the MSFT_WmiProvider_ExecMethodAsyncEvent_Pre event?

  • I've updated the answer with a link so you can use a more specific property, but unfortunately I'm not exactly sure what you're looking for. – Svek Feb 14 '17 at 17:45
  • The query in the 1st post finds processes created using WMI COM, not just created using CreateProcess. The parent is not the requestor but WmiPrvSE.exe. Code in VBS to do this was added to the root post. – user3874158 Feb 15 '17 at 13:22
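The following is an added example, not code from the question or the answer. It subscribes to the same MSFT_WmiProvider_ExecMethodAsyncEvent_Post query the question uses, reads the requested command line from the event, and then correlates it with the process that WmiPrvSE.exe actually spawned, so the new process's PID and its WmiPrvSE.exe parent PID can be logged together. The class and method names (WmiCreateMonitor, Correlate, CreatedProcess), the five-second matching window, and the use of Win32_Process for the correlation are this example's own assumptions; it requires a Windows host and a reference to System.Management.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management;

// Result of matching a provider event to the process it produced.
public sealed class CreatedProcess
{
    public string CommandLine;
    public uint ProcessId;        // the "destination" PID (calc.exe in the question)
    public uint ParentProcessId;  // the WmiPrvSE.exe host that actually called CreateProcess
    public DateTime CreationDate;
}

public static class WmiCreateMonitor
{
    // Win32_Process lives in root\cimv2, so its provider operation events are raised there too.
    const string Scope = @"\\.\root\cimv2";
    const string CreateCallQuery =
        "SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Post " +
        "WHERE ObjectPath=\"Win32_Process\" AND MethodName=\"Create\"";

    public static void Main()
    {
        var watcher = new ManagementEventWatcher(new ManagementScope(Scope), new EventQuery(CreateCallQuery));
        watcher.EventArrived += OnCreateCall;
        watcher.Start();
        Console.WriteLine("Watching for Win32_Process.Create calls; press Enter to stop.");
        Console.ReadLine();
        watcher.Stop();
    }

    static void OnCreateCall(object sender, EventArrivedEventArgs e)
    {
        // InputParameters is an embedded __PARAMETERS object holding Create's in-parameters.
        var input = (ManagementBaseObject)e.NewEvent["InputParameters"];
        string cmdline = input["CommandLine"] as string;
        // The provider event identifies the caller by account at most, never by client PID.
        string user = GetStringOrNull(e.NewEvent, "User");
        Console.WriteLine($"Create requested by '{user ?? "<unknown>"}': {cmdline}");

        // Assumed window: accept a matching process started within the last five seconds.
        CreatedProcess hit = Correlate(cmdline, DateTime.Now.AddSeconds(-5));
        if (hit == null)
            Console.WriteLine("  no matching child of WmiPrvSE.exe found (the call may have failed)");
        else
            Console.WriteLine($"  created PID={hit.ProcessId}, parent WmiPrvSE.exe PID={hit.ParentProcessId}, started {hit.CreationDate:O}");
    }

    // Find the newest process whose parent is a WmiPrvSE.exe host, whose command line equals
    // the one passed to Create, and which started at or after notBefore.
    public static CreatedProcess Correlate(string cmdline, DateTime notBefore)
    {
        if (cmdline == null) return null;

        var hostPids = new HashSet<uint>();
        using (var hosts = new ManagementObjectSearcher(Scope,
            "SELECT ProcessId FROM Win32_Process WHERE Name = 'WmiPrvSE.exe'"))
        {
            foreach (ManagementObject h in hosts.Get())
                hostPids.Add((uint)h["ProcessId"]);
        }

        var candidates = new List<CreatedProcess>();
        using (var procs = new ManagementObjectSearcher(Scope,
            "SELECT ProcessId, ParentProcessId, CommandLine, CreationDate FROM Win32_Process"))
        {
            foreach (ManagementObject p in procs.Get())
            {
                if (!(p["CommandLine"] is string cl) ||
                    !string.Equals(cl.Trim(), cmdline.Trim(), StringComparison.OrdinalIgnoreCase))
                    continue;
                uint ppid = (uint)p["ParentProcessId"];
                if (!hostPids.Contains(ppid))
                    continue;
                // CreationDate is a DMTF datetime string; some system processes report none.
                if (!(p["CreationDate"] is string dmtf))
                    continue;
                DateTime started = ManagementDateTimeConverter.ToDateTime(dmtf);
                if (started < notBefore)
                    continue;
                candidates.Add(new CreatedProcess
                {
                    CommandLine = cl,
                    ProcessId = (uint)p["ProcessId"],
                    ParentProcessId = ppid,
                    CreationDate = started,
                });
            }
        }
        return candidates.OrderByDescending(c => c.CreationDate).FirstOrDefault();
    }

    // Read a string property if the event instance carries it, without throwing when it does not.
    static string GetStringOrNull(ManagementBaseObject obj, string name)
    {
        foreach (PropertyData pd in obj.Properties)
            if (string.Equals(pd.Name, name, StringComparison.OrdinalIgnoreCase))
                return pd.Value as string;
        return null;
    }
}
```

Two limits are worth knowing. The correlation yields the destination PID and the WmiPrvSE.exe parent PID, but not the PID of the script that issued the call: the provider operation event does not carry a client process id, so the requesting wscript.exe cannot be recovered from this event alone. And the matching _Pre event is a notification too, so subscribing to it does not give a subscriber a way to veto the Create call; it only lets the monitor see the request before the provider runs it.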

1 Answer


Try the Process.Id property.

using System.Diagnostics;

Process[] localByName = Process.GetProcessesByName("notepad");
int i = localByName.Length;
while (i > 0)
{
    // You can use the process Id to pass to other applications or to
    // reference that particular instance of the application.
    Console.WriteLine(localByName[i - 1].Id.ToString());
    i -= 1;
}

Otherwise, if you need to enumerate using a different property, check them out here.

Svek
    FYI this code can be simplified to: `foreach (var proc in Process.GetProcessesByName("notepad")) { Console.WriteLine(proc.Id); }`. – Quantic Feb 14 '17 at 17:31
  • Not every Notepad was created using WMI. I need to know the specific one created by a specific post event. It is possible to enumerate PIDs and find the newly created one, but this is not a direct and not a 100% safe solution. – user3874158 Feb 14 '17 at 17:39
  • Then query based on a different property https://msdn.microsoft.com/en-us/library/system.diagnostics.process(v=vs.110).aspx – Svek Feb 14 '17 at 17:42