Initially, determine the creation time for all running processes, then use WMI to log process events.
See the code below for a small example of using WMI for process creation events:
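```csharp
static void Main(string[] args)
{
    // Poll once per second for newly created Win32_Process instances.
    using (ManagementEventWatcher eventWatcher = new ManagementEventWatcher(
        @"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"))
    {
        // Subscribe to EventArrived and call Start(), as in the snippets below.
    }
}
```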
START EDIT:
Next, I examined process detection with WMI, and there is a (more) relevant solution (but needs administrative privileges) using the Win32_ProcessStartTrace class (see TECHNET for more information):
```csharp
using (ManagementEventWatcher eventWatcher =
    new ManagementEventWatcher(@"SELECT * FROM Win32_ProcessStartTrace"))
{
    // Subscribe for process creation notification.
    eventWatcher.EventArrived += ProcessStarted_EventArrived;
    eventWatcher.Start();
    Console.Out.WriteLine("started");
    Console.In.ReadLine();
    eventWatcher.EventArrived -= ProcessStarted_EventArrived;
    eventWatcher.Stop();
}

static void ProcessStarted_EventArrived(object sender, EventArrivedEventArgs e)
{
    // Pass the value as a format argument so that {0} is actually substituted.
    Console.Out.WriteLine("ProcessName: {0}", e.NewEvent.Properties["ProcessName"].Value);
}
```
In this solution, you do not need to set the polling interval.
End edit
START EDIT 2:
You can use the Win32_ProcessStopTrace class to track process stop events. To combine both process start and process stop events, use the Win32_ProcessTrace class. In the event handler, use the ClassPath property to distinguish between start / stop events:
```csharp
using (ManagementEventWatcher eventWatcher =
    new ManagementEventWatcher(@"SELECT * FROM Win32_ProcessTrace"))
{
    eventWatcher.EventArrived += Process_EventArrived;
    eventWatcher.Start();
    Console.Out.WriteLine("started");
    Console.In.ReadLine();
    eventWatcher.EventArrived -= Process_EventArrived;
    eventWatcher.Stop();
}

static void Process_EventArrived(object sender, EventArrivedEventArgs e)
{
    // ClassPath identifies the concrete event class (start trace or stop trace).
    Console.Out.WriteLine(e.NewEvent.ClassPath);
}
```
END EDIT 2
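An added example, not part of the original answer: it combines the steps described above by recording the creation time of every running process from Win32_Process and then following Win32_ProcessTrace events, which gives a start/stop timeline with parent PIDs for process monitoring. The class name ProcessTimeline, the Started dictionary and the output format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Management; // add a reference to System.Management
static class ProcessTimeline
{
    // PID -> start time (local). Bookkeeping for this example only (hypothetical name).
    static readonly Dictionary<uint, DateTime> Started = new Dictionary<uint, DateTime>();

    static void Main()
    {
        // 1. Baseline: creation time of every process that is already running.
        //    CreationDate can be null for processes the caller may not inspect.
        using (var searcher = new ManagementObjectSearcher(
            "SELECT ProcessId, CreationDate FROM Win32_Process"))
            foreach (ManagementObject p in searcher.Get())
                if (p["CreationDate"] is string created)
                    Started[(uint)p["ProcessId"]] = ManagementDateTimeConverter.ToDateTime(created);
        Console.WriteLine("baseline: {0} processes", Started.Count);
        // 2. Live events: Win32_ProcessTrace delivers start and stop traces (needs elevation).
        using (var watcher = new ManagementEventWatcher("SELECT * FROM Win32_ProcessTrace"))
        {
            watcher.EventArrived += OnProcessEvent;
            watcher.Start();
            Console.ReadLine(); // run until Enter is pressed
            watcher.EventArrived -= OnProcessEvent;
            watcher.Stop();
        }
    }

    static void OnProcessEvent(object sender, EventArrivedEventArgs e)
    {
        uint pid = (uint)e.NewEvent["ProcessID"];
        string name = (string)e.NewEvent["ProcessName"];
        lock (Started) // events arrive on worker threads
        {
            if (e.NewEvent.ClassPath.ClassName == "Win32_ProcessStartTrace")
            {
                Started[pid] = DateTime.Now; // overwrites a stale entry if the PID was reused
                Console.WriteLine("START {0} pid={1} ppid={2}", name, pid, e.NewEvent["ParentProcessID"]);
            }
            else // Win32_ProcessStopTrace
            {
                string life = Started.TryGetValue(pid, out var t) ? (DateTime.Now - t).ToString() : "unknown";
                Started.Remove(pid);
                Console.WriteLine("STOP  {0} pid={1} lifetime={2}", name, pid, life);
            }
        }
    }
}
```

Processes that start between the baseline query and `watcher.Start()` are not captured, so a stop event for such a PID reports an unknown lifetime.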