Win32: Get message notification of other application's close/exit.
-
Hello , My application needs to monitor all other running applications on the system. Is there some way I could get notified on exit of every application exe? The methods I could find: 1) Use PSAPI functions to get the list of running exes at frequent intervals. At each poll compare with the previous list to find which application/process has exited. Disadvantage: Requires constant polling, will take CPU time. 2) Set a global hook for WM_CLOSE message: Using this I would be able to get a notification when any application gets closed through the close button on the title bar Disadvantage: (-) Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message Is there any other better way that I missed? Please advise.
-
Hello , My application needs to monitor all other running applications on the system. Is there some way I could get notified on exit of every application exe? The methods I could find: 1) Use PSAPI functions to get the list of running exes at frequent intervals. At each poll compare with the previous list to find which application/process has exited. Disadvantage: Requires constant polling, will take CPU time. 2) Set a global hook for WM_CLOSE message: Using this I would be able to get a notification when any application gets closed through the close button on the title bar Disadvantage: (-) Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message Is there any other better way that I missed? Please advise.
WindowsPistha wrote:
Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message
Why don't you capture WM_QUIT instead? This is the only message that finally halts the Message Loop. But, you won't be able to track abnormal termination of an application with this.
-
WindowsPistha wrote:
Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message
Why don't you capture WM_QUIT instead? This is the only message that finally halts the Message Loop. But, you won't be able to track abnormal termination of an application with this.
Taran9 wrote:
Why don't you capture WM_QUIT instead? This is the only message that finally halts the Message Loop. But, you won't be able to track abnormal termination of an application with this.
But our application needs to handle that case too.
-
Taran9 wrote:
Why don't you capture WM_QUIT instead? This is the only message that finally halts the Message Loop. But, you won't be able to track abnormal termination of an application with this.
But our application needs to handle that case too.
Just out of curiousity, what kind of an application are you writing?
It is a crappy thing, but it's life -^ Carlo Pallini
-
Taran9 wrote:
Why don't you capture WM_QUIT instead? This is the only message that finally halts the Message Loop. But, you won't be able to track abnormal termination of an application with this.
But our application needs to handle that case too.
You will need to hook APIs like
TerminateProcessin addition to installing a message hook.«_Superman_» I love work. It gives me something to do between weekends.
-
Hello , My application needs to monitor all other running applications on the system. Is there some way I could get notified on exit of every application exe? The methods I could find: 1) Use PSAPI functions to get the list of running exes at frequent intervals. At each poll compare with the previous list to find which application/process has exited. Disadvantage: Requires constant polling, will take CPU time. 2) Set a global hook for WM_CLOSE message: Using this I would be able to get a notification when any application gets closed through the close button on the title bar Disadvantage: (-) Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message Is there any other better way that I missed? Please advise.
- Use WMI, as shown in this message[^]. The sample code is VBScript (and would need to be rewritten as below), but it works well enough.
' Get a reference to the WMI service
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
' Open a WMI query for __instancedeletionevents where the target instance is a Win32_Process
Set colMonitoredProcesses = objWMIService. _
ExecNotificationQuery("select * from __instancedeletionevent " & _
"within 1 where TargetInstance isa 'Win32_Process'")
' This call will complete the next time a process is deleted.
colMonitoredProcesses.NextEventJava, Basic, who cares - it's all a bunch of tree-hugging hippy cr*p
-
Hello , My application needs to monitor all other running applications on the system. Is there some way I could get notified on exit of every application exe? The methods I could find: 1) Use PSAPI functions to get the list of running exes at frequent intervals. At each poll compare with the previous list to find which application/process has exited. Disadvantage: Requires constant polling, will take CPU time. 2) Set a global hook for WM_CLOSE message: Using this I would be able to get a notification when any application gets closed through the close button on the title bar Disadvantage: (-) Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message Is there any other better way that I missed? Please advise.
I don't know if this is possible, but I'd explore the possibility of getting a list of running exes. Duplicate their handle. Wait on that handle.
Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke
-
- Use WMI, as shown in this message[^]. The sample code is VBScript (and would need to be rewritten as below), but it works well enough.
' Get a reference to the WMI service
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
' Open a WMI query for __instancedeletionevents where the target instance is a Win32_Process
Set colMonitoredProcesses = objWMIService. _
ExecNotificationQuery("select * from __instancedeletionevent " & _
"within 1 where TargetInstance isa 'Win32_Process'")
' This call will complete the next time a process is deleted.
colMonitoredProcesses.NextEventJava, Basic, who cares - it's all a bunch of tree-hugging hippy cr*p
Stuart Dootson wrote:
- Use WMI, as shown in this message[^]. The sample code is VBScript (and would need to be rewritten as below), but it works well enough.
Does this required WMI service running in the machine. If it is turned off , will i able to catch this event "__InstanceCreationEvent" Thanks
-
Stuart Dootson wrote:
- Use WMI, as shown in this message[^]. The sample code is VBScript (and would need to be rewritten as below), but it works well enough.
Does this required WMI service running in the machine. If it is turned off , will i able to catch this event "__InstanceCreationEvent" Thanks
WindowsPistha wrote:
Does this required WMI service running in the machine.
Yes, if you want your application to be capable of monitoring process creation/termination and also not rely on any Microsoft services then you will need to implement your own device driver. Typically anti-virus and other types of security products are using PsSetCreateProcessNotifyRoutine[^] to be notified of process creation and termination. An example of its usage is available here on codeproject: Detecting Windows NT/2K process execution[^] Best Wishes, -David Delaune
-
WindowsPistha wrote:
Does this required WMI service running in the machine.
Yes, if you want your application to be capable of monitoring process creation/termination and also not rely on any Microsoft services then you will need to implement your own device driver. Typically anti-virus and other types of security products are using PsSetCreateProcessNotifyRoutine[^] to be notified of process creation and termination. An example of its usage is available here on codeproject: Detecting Windows NT/2K process execution[^] Best Wishes, -David Delaune
Hello, I am also looking for a similar solution. My Questions are: 1) The solution requires DDK to be installed. Where can I download DDK from ? 2) Will this solution work on Vista ? Thanks.
Top 10, Top ten, Top 10 lists, Top ten lists Top 10 about everything
-
Hello , My application needs to monitor all other running applications on the system. Is there some way I could get notified on exit of every application exe? The methods I could find: 1) Use PSAPI functions to get the list of running exes at frequent intervals. At each poll compare with the previous list to find which application/process has exited. Disadvantage: Requires constant polling, will take CPU time. 2) Set a global hook for WM_CLOSE message: Using this I would be able to get a notification when any application gets closed through the close button on the title bar Disadvantage: (-) Not all the applications are generating a WM_CLOSE message (Ex: Total Video Player Exe) (-) If the application was closed through the "Exit" menu or button (e.g. File->Exit) , I can't trap that message Is there any other better way that I missed? Please advise.
Hello, This is the solution I found from another source: ======================================================= Apart from WMI, a nice and elegant way to do that is to place a small DLL "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" (see also http://support.microsoft.com/kb/197571 - "Working with the AppInit_DLLs registry value") DLLs listed in AppInit_DLLs will be loaded into every newly created process and will allow you to perform any notification via the DLL's 'DllMain(). Let me know, if you need help with source code.
Top 10, Top ten, Top 10 lists, Top ten lists Top 10 about everything
-
Hello, I am also looking for a similar solution. My Questions are: 1) The solution requires DDK to be installed. Where can I download DDK from ? 2) Will this solution work on Vista ? Thanks.
Top 10, Top ten, Top 10 lists, Top ten lists Top 10 about everything
Hello there.
Identity Undisclosed wrote:
- The solution requires DDK to be installed. Where can I download DDK from ?
The marketing people over at Microsoft change the name of their products every few years which really drives me crazy. The Microsoft DDK is now called WDK (Windows Driver Kit[^]) and the Download Kits and Tools[^] page will eventually bring you to the direct download link.
Identity Undisclosed wrote:
- Will this solution work on Vista ?
Yes the PsSetCreateProcessNotifyRoutine [^] callback is avilable for Windows Vista and the driver will function correctly. However, Vista is very strict about loading unsigned drivers. You will need to sign the driver in order for Vista to load it. Below are some methods to get around the issue during the development phase: Installing an Unsigned Driver during Development and Test[^] TESTSIGNING Boot Configuration Option[^] Best Wishes, -David Delaune
-
Hello, This is the solution I found from another source: ======================================================= Apart from WMI, a nice and elegant way to do that is to place a small DLL "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" (see also http://support.microsoft.com/kb/197571 - "Working with the AppInit_DLLs registry value") DLLs listed in AppInit_DLLs will be loaded into every newly created process and will allow you to perform any notification via the DLL's 'DllMain(). Let me know, if you need help with source code.
Top 10, Top ten, Top 10 lists, Top ten lists Top 10 about everything
Just wanted to add some comments for your consideration. The AppInit_DLLs entry will not have any effect on applications which are not linked with user32.dll. Generally this isn't much of an issue because 99% of all usermode applications are linked against user32. However if your developing a security product then this might not be acceptable. Also you need to be aware that the future of AppInit DLLs is uncertain and is changing. Just like loading device drivers, future AppInit DLLs will have a code signature requirement. Microsoft has outlined this new behavior here: AppInit DLLs in Windows 7 and Windows Server 2008 R2[^] Best Wishes, -David Delaune