WMI Events can't get User | ManagementEventWatcher, __InstanceCreationEvent, Win32_Process GetOwner
-
Ultimately I wish to have my app watch for any new processes, recording the command line and the owner. I can get the processID, Name, and CommandLine without any issues; however, since the ManagementEventWatcher returns a ManagementBaseObject and not a ManagementObject (which has a method for .GetOwner), I cannot seem to get the owner.

What I have tried:
- I looked through the properties of the ManagementBaseObject; no method for GetOwner or a property for User.
- I pulled the ProcessID from the ManagementBaseObject (mboEvent["TargetInstance"])["ProcessID"].ToString(). This works as I can get a ManagementObject and then use GetOwner...

The second item does work, except that it only works on a slower command (for example Powershell.exe Get-Process) as the process still exists at the time of the query. But quicker commands (like net use or powershell.exe get-services) don't return a username as the process is gone by the time I query for it.

Any help would be amazing, thanks in advance for any help you can give.
-
Try casting the ManagementBaseObject as ManagementObject, often works. Example at: wmi - Convert .Net ManagementBaseObject to ManagementObject - Stack Overflow
-
Brilliant! Thank you so much for the quick response. You saved me hours. I very much appreciate it.
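
Added example, not code from any poster in this thread: a process-creation watcher that logs PID, name, command line and owner. It uses the event object directly when it is a ManagementObject with a path (the cast suggested in the answer), otherwise binds to the process by its ID as in the question, and records a placeholder when the process has already exited. The class and method names are hypothetical, and it assumes a reference to System.Management on Windows.

```csharp
// Added example; class and method names are hypothetical.
using System;
using System.Management;

static class ProcessOwnerWatcher
{
    static void Main()
    {
        // Poll once per second for newly created Win32_Process instances.
        var query = new WqlEventQuery("__InstanceCreationEvent",
            TimeSpan.FromSeconds(1), "TargetInstance ISA 'Win32_Process'");
        using (var watcher = new ManagementEventWatcher(query))
        {
            watcher.EventArrived += OnProcessCreated;
            watcher.Start();
            Console.WriteLine("Watching for new processes; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void OnProcessCreated(object sender, EventArrivedEventArgs e)
    {
        var target = (ManagementBaseObject)e.NewEvent["TargetInstance"];
        uint pid = Convert.ToUInt32(target["ProcessId"]);
        Console.WriteLine("{0} pid={1} owner={2} cmd={3}",
            target["Name"], pid, ResolveOwner(target, pid), target["CommandLine"]);
    }

    static string ResolveOwner(ManagementBaseObject target, uint pid)
    {
        // Use the event object directly if it is a ManagementObject with a path
        // (the cast from the answer); otherwise bind to the process by its key.
        var cast = target as ManagementObject;
        bool usable = cast != null && cast.Path != null && !string.IsNullOrEmpty(cast.Path.Path);
        var proc = usable ? cast : new ManagementObject("Win32_Process.Handle='" + pid + "'");
        try
        {
            ManagementBaseObject result = proc.InvokeMethod("GetOwner", null, null);
            if (result != null && Convert.ToUInt32(result["ReturnValue"]) == 0)
                return result["Domain"] + "\\" + result["User"];
            return "<owner unavailable>";
        }
        catch (ManagementException ex)
        {
            // Short-lived processes are often gone before GetOwner runs (NotFound).
            return "<owner unavailable: " + ex.ErrorCode + ">";
        }
    }
}
```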