davidmcveigh has asked for the wisdom of the Perl Monks concerning the following question:

I am looking for a way to detect new processes on a Win32 machine as they are created.

I am currently using the Win32::OLE module to get a list of all the running processes.
This code I got from "Win32 Perl Scripting" by Dave Roth and is quite straightforward.

Can anyone please help as the deadline is approaching fast...

The process list code is as follows: 

#  WMI_PS.pl
use Win32::OLE qw( in );

$Machine = "." unless( $Machine = shift @ARGV );
$Machine =~ s#^[\\/]+## if( $ARGV[0] =~ m#^[\\/]{2}# );

# This is the WMI moniker that will connect to a machine's 
# CIM (Common Information Model) repository
$CLASS = "WinMgmts:{impersonationLevel=impersonate}!//
$Machine";

# Get the WMI (Microsoft's implementation of WBEM) interface
$WMI = Win32::OLE->GetObject( $CLASS ) 
  || die "Unable to connect to \\$Machine:" . Win32::OLE->LastError();

# Get the collection of Win32_Process objects
$ProcList = $WMI->InstancesOf( "Win32_Process" );

$~ = PROCESS_HEADER;
write;
$~ = PROCESS_INFO;

# Cycle through each Win32_Process object 
# and write out its details...
foreach $Proc ( sort( SortProcs ( in( $ProcList ) ) ) )
{
    write;    
}

sub SortProcs 
{
  lc $a->{Name} cmp lc $b->{Name};
}

sub FormatNumber
{
    my( $Number ) = @_;
    my( $Suffix ) = "";
    my $K = 1024;
    my $M = 1024 * $K;

    if( $M <= $Number )
    {
        $Suffix = "M";
        $Number /= $M;
    }
    elsif( $K <= $Number )
    {
        $Suffix = "K";
        $Number /= $K;
    }

    $Number =~ s/(\.\d{0,2})\d*$/$1/;

    {} while ($Number =~ s/^(-?\d+)(\d{3})/$1,$2/);

    return( $Number . $Suffix );
}

sub FormatDate
{
    my( $Date ) = @_;
    $Date =~ s/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2}).*/$1.$2.$3 $
+4:$5:$6/;
    return( $Date );
}

format PROCESS_HEADER =
@||| @||||| @|||||||||||||||| @|||| @|||||| @||||||| @||||||||||||||||
+||
PID, Parent, "Process Name", "Thrds", "Memory", "Mem Peak", "Created"
---- ------ ----------------- ----- ------- -------- -----------------
+--
.

format PROCESS_INFO =
@||| @||||| @<<<<<<<<<<<<<<<< @>>>> @>>>>>> @>>>>>>> @>>>>>>>>>>>>>>>>
+>>
$Proc->{'ProcessID'}, $Proc->{'ParentProcessID'}, $Proc->{Name}, $Proc
+->{'ThreadCount'}, FormatNumber( $Proc->{'WorkingSetSize'} ), FormatN
+umber( $Proc->{'PeakWorkingSetSize'} ), FormatDate( $Proc->{'Creation
+Date'} )
.

[download]

jdporter - added code tags

  • Comment on Detect new processes on a Win32 machine as they are created using Win32::OLE
  • Download Code

Replies are listed 'Best First'.
Re: Detect new processes on a Win32 machine as they are created using Win32::OLE
by jfroebe (Parson) on Mar 18, 2004 at 21:52 UTC
    Hi,

    I believe what you are looking for is a trigger that fires whenever a process is started... you need to run it in the NT kernel - the easiest method to do so is to write a device driver for this.

[reply]
Re: Detect new processes on a Win32 machine as they are created using Win32::OLE
by matija (Priest) on Mar 18, 2004 at 20:38 UTC
    Well, I think ProcessID is the unique identifier for the processes. On the first iteration simply stuff every ProcessID you find into a hash, then on next iteration print out those that didn't appear in the hash.
[reply]
      Thats a race condition, What happens to the processes that are created and end between the hash++ loop?


      -Waswas
[reply]
        That depends on what he needs the list of new processes for. If it is for something as simple as highlighting new processes in a listing, he wouldn't care about processes that have already exited.

        However, the only way I can see of making sure you'd see every process, no matter how fast it exited, is by some sort of a callback that would be triggered by process creation. Perhaps the Win32 API offers that, I don't know. But that's not the question that was asked.

[reply]

Back to Seekers of Perl Wisdom