Is there a way to monitor processes starting in the system before they start?
Example:
On programs like ZoneAlarm or Antivirus programs, when you run a program it asks you if you allow running this program or not before it runs...
There's a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it's not a great solution if you want to track all process creation in the system.
There's a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There's a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.
AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.
You should check out the easyhook-continuing-detours project, which is a .NET port of the Microsoft Detours project. It will allow you to hook unmanaged APIs (such as CreateProcess). Check out code examples for a simple FileMon-like program here.
You can find out when processes start via using a real-time ETW consumer - however, to be able to take some action that could possibly cancel the process from starting, you'll have to do something shady / undocumented, like hooking CreateProcess, or using a kernel filter driver to block reads to the EXE.
Just use process creation notifications .
It's included in Windows.
You don't need to hook anything.
Related
I am currently looking for a solution in C# how to capture window-messages like WM_MINIMIZE for another application for which I do not have any source code, for example Notepad. My goal is to prevent a user or the system from minimizing a certain application. So my basic idea is to have a process running that filters all Window-messages, and just does nothing, unless a message is posted to the application I define (for example by knowing the window-handle of the applications mainwindow), and then look if this message is a certain size-operation, like WM_MINIMIZE. Only in this case, the message should be removed from the Windows message queue.
What would be a first approach to achieve this? At the moment I am stuck a little bit at finding online resources because most topics concerning resizing deal about messages of own applications, but not to control messages posted to other, external applications running on the same computer.
Either you trap all messages of windows by creating a dll which does a global hook (in c++) (risk of slowdown the OS)
Either You have something to hook the program and in this case:
EasyHook is your friend
Is there any good way to handle a forced exit in C#?
I have a formless C# application that talks to an LCD over serial. Once the application is running, the only way to kill it is with task manager. The trouble with this is that the program needs to turn the LCD off when it is done, and it doesn't look as if my Application.ApplicationExit event is ever fired in this condition.
Any ideas?
Once the application is running, the only way to kill it is with task manager.
My big idea would be to change this.
Stick an icon in the notification area that the user can use to shut your app down properly, or set it up so that running the app again will instead shut down an already-running instance if one exists, or any other way that sounds like a good idea.
Requiring a user to use Task Manager to shut down your application screams poor design.
Write a code in your program loop (with a timer perhaps) to read a file or a registry key. For example if a file at C:\YOURPROGRAM\CLOSEME contains text "closeme", close your program gracefully. Write another program that write that C:\YOURPROGRAM\CLOSEME file. So, whenever you want to shutdown your program, don't use taskmanager, instead, open second program.
Some options:
Write a separate process with a GUI that can start and stop the main process. For example, when you install the Apache web server on Windows the server itself is installed as a service. It can be started and stopped from the system services management panel, but it also comes with a "monitor" process that sits in the notification area, tells you whether Apache is running and lets you start or stop it manually.
If it's acceptable for your use-case, make the application a console application. You can register a handler for when the user presses CTRL+C (see Console.CancelKeyPress) that performs your cleanup before your process exits. This still won't let you handle someone killing the process from Task Manager, but it's very easy to do and might be good enough depending on your situation.
Ok if anyone can solve this they must be a genius because its nowhere on the web!
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
This program detects registry accesses and tells you which process did it.
Does anyone know how i can do this? I can detect changes, but i cant get the process.
Thanks in advance
It's done by hooking system calls. It hooks calls to RegOpenKey (etc) and records all the information about the process accessing the registry before passing the call to the real RegOpenKey.
See EasyHook for a library that makes it relatively easy to write API hooks in Windows.
However, when I say "easy", I actually mean "here be monsters!" API hooking is not for the faint of heart and you should have a very good working knowledge of the internals of Windows before you attempt it.
If you just want to find out what's doing it, then you can use ProcessMonitor, or one of the other derivations of those tools from Sysinternals, now run by Microsoft as Winternals. See the list of programs here.
If you want to write a program to do it, you'll have to hook the registry access functions. The source code for that can be found in archives of the Sysinternals tools. It doesn't seem to be available anymore with the program.
I know something about MACROS. I don't mean the ASSEMBLY language kind. I am talking about those programs that you can use perform repetitions actions on another program. I am talking about those programs that you can use to record a series of events on your computer, like, mouse movements and button clicks and then you can play them back. Some of them are elaborate enough to run only on a paricular app that you designate.
I wrote one of sorts once. It was a program that launched an Excel sessions and then used the dynamic data exchage pipe of some kind to feed the excell session script commands. It worked.
But something on the level of the operating system, I imagine, is a whole different story.
How does someone go about writing a "macro" in C#?
I think the approach I will take is to use the spy routine that comes with the development environment to get a list of the proper messages and parameters (wm_lbuttondown for example) and then use dynamic data exchange to send those messages to the app.
So I have three questions.
Is this the best way to do this?
How do I get a handle to an app that is already running?
How do I send user-like messages to an app that is already running?
There are different answers based on many following factors:
is it 3rd party or your own
application?
does it have automation interface
GUI toolkit used in app
If it is a 3rd party app then you need to work on Windows API level via PInvoke - subclassing WinMain proc, capturing and sending input messages, etc. There are 3rd party library for that task. C# obviously is not a right choice for such task.
In case application has automation model (like Excel) it's a pretty straight forward to write program that will be interact with this app.
If it's your own application you want to enhance with macros functionality then you should take this into account on design state. If you use Command pattern from the beginning then it's not hard to program macro recording.
You should provide more details to get a better answer.
Oh, I almost forgot to answer those three questions
Is this the best way to do this?
Depends on concrete scenario
How do I get a handle to an app that is already running?
Depends on application. If it's a native Win app you can easily get process Id and window's handle via WinApi.
How do I send user-like messages to an app that is already running?
Once again it depends on application type. For native win apps you can easily send WM_XXX messages via WinAPI
Unless its something you need to add in your own program you can just download a keyboard/mouse macro program and use it to perform these repeatable actions.
On the other hand to perform macro's in your own program you would want to find a way to record the buttons clicked and write them to a temporary list that can be saved and then run the list by clicking the buttons (programmically).
Is there a way to monitor processes starting in the system before they start?
Example:
On programs like ZoneAlarm or Antivirus programs, when you run a program it asks you if you allow running this program or not before it runs...
There's a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it's not a great solution if you want to track all process creation in the system.
There's a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There's a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.
AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.
You should check out the easyhook-continuing-detours project, which is a .NET port of the Microsoft Detours project. It will allow you to hook unmanaged APIs (such as CreateProcess). Check out code examples for a simple FileMon-like program here.
You can find out when processes start via using a real-time ETW consumer - however, to be able to take some action that could possibly cancel the process from starting, you'll have to do something shady / undocumented, like hooking CreateProcess, or using a kernel filter driver to block reads to the EXE.
Just use process creation notifications .
It's included in Windows.
You don't need to hook anything.