/// <summary> /// Creates the Warden service which monitors processes on the computer. /// </summary> /// <param name="options"></param> public static void Initialize(WardenOptions options) { if (!Api.IsAdmin()) { throw new WardenManageException(Resources.Exception_No_Admin); } Options = options ?? throw new WardenManageException(Resources.Exception_No_Options); try { ShutdownUtils.RegisterEvents(); var wmiOptions = new ConnectionOptions() { Authentication = AuthenticationLevel.Default, EnablePrivileges = true, Impersonation = ImpersonationLevel.Impersonate }; var scope = new ManagementScope(string.Format(@"\\{0}\root\cimv2", Environment.MachineName), wmiOptions); scope.Connect(); _processStartEvent = new ManagementEventWatcher(scope, new WqlEventQuery { EventClassName = "Win32_ProcessStartTrace" }); _processStopEvent = new ManagementEventWatcher(scope, new WqlEventQuery { EventClassName = "Win32_ProcessStopTrace" }); _processStartEvent.EventArrived += ProcessStarted; _processStopEvent.EventArrived += ProcessStopped; _processStartEvent.Start(); _processStopEvent.Start(); Initialized = true; Logger?.Debug("Initialized"); } catch (Exception ex) { throw new WardenException(ex.Message, ex); } }
/// <summary> /// Fired when a process dies. /// </summary> /// <param name="sender"></param> /// <param name="e"></param> private static void ProcessStopped(object sender, EventArrivedEventArgs e) { try { var targetInstance = (ManagementBaseObject)e.NewEvent["TargetInstance"]; var processId = int.Parse(targetInstance["ProcessId"].ToString()); targetInstance.Dispose(); e.NewEvent.Dispose(); try { HandleStoppedProcess(processId); Logger?.Debug($"{processId} stopped"); } catch (Exception ex) { Logger?.Error(ex.ToString()); } } catch (Exception ex) { Logger?.Error(ex.ToString()); } }