进程监控程序 监视进程的创建
Option Explicit

' Requires a project reference to "Microsoft WMI Scripting V1.2 Library".

' Connection to a WMI namespace; assigned by each StartMonitor* routine.
Private objSWbemServices As WbemScripting.SWbemServices

' One asynchronous sink per kind of process event. WithEvents lets the form
' receive each sink's OnObjectReady callback.
Private WithEvents CreateProcessEvent As WbemScripting.SWbemSink
Private WithEvents DeleteProcessEvent As WbemScripting.SWbemSink
Private WithEvents ModificationProcessEvent As WbemScripting.SWbemSink
7
8
' "Start" button for the process-creation monitor.
' Form_Load starts this monitor as well, so a click re-subscribes.
Private Sub cmdStartCreate_Click()
    Call StartMonitorCreateProcessEvent
End Sub
12
' "Start" button for the process-exit monitor.
' Form_Load starts this monitor as well, so a click re-subscribes.
Private Sub cmdStartDelete_Click()
    Call StartMonitorDeleteProcessEvent
End Sub
16
' "Start" button for the process-modification monitor.
' Form_Load starts this monitor as well, so a click re-subscribes.
Private Sub cmdStartModification_Click()
    Call StartMonitorModificationProcessEvent
End Sub
20
' "Stop" button: cancels the asynchronous query bound to the creation sink.
Private Sub cmdStopCreate_Click()
    Call CreateProcessEvent.Cancel
End Sub
24
' "Stop" button: cancels the asynchronous query bound to the exit sink.
Private Sub cmdStopDelete_Click()
    Call DeleteProcessEvent.Cancel
End Sub
28
' "Stop" button: cancels the asynchronous query bound to the modification sink.
Private Sub cmdStopModification_Click()
    Call ModificationProcessEvent.Cancel
End Sub
32
' Subscribes to all three kinds of process event as soon as the form loads.
Private Sub Form_Load()
    Call StartMonitorCreateProcessEvent
    Call StartMonitorDeleteProcessEvent
    Call StartMonitorModificationProcessEvent
End Sub
38
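' Cancels every outstanding WMI subscription when the form closes.
' Cancel: standard VB unload flag; it is not modified here.
Private Sub Form_Unload(Cancel As Integer)
    ' A sink is Nothing if its StartMonitor* routine never ran, for example
    ' when an earlier one raised an error in Form_Load. Calling .Cancel on
    ' Nothing would raise run-time error 91 during unload, so guard each call.
    If Not CreateProcessEvent Is Nothing Then CreateProcessEvent.Cancel
    If Not DeleteProcessEvent Is Nothing Then DeleteProcessEvent.Cancel
    If Not ModificationProcessEvent Is Nothing Then ModificationProcessEvent.Cancel

    ' Release the COM references so nothing keeps the sinks alive afterwards.
    Set CreateProcessEvent = Nothing
    Set DeleteProcessEvent = Nothing
    Set ModificationProcessEvent = Nothing
    Set objSWbemServices = Nothing
End Sub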
44
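' Process-creation event.
' Called for every event delivered to the CreateProcessEvent sink. Prints
' details of the new process to the Immediate window and asks ntsd to end the
' process when its image name is notepad.exe or QQ.exe.
'   objWbemObject       - the event object; its TargetInstance property holds
'                         the embedded Win32_Process instance.
'   objWbemAsyncContext - context passed with the async call; unused here.
Private Sub CreateProcessEvent_OnObjectReady(ByVal objWbemObject As WbemScripting.ISWbemObject, ByVal objWbemAsyncContext As WbemScripting.ISWbemNamedValueSet)
    Dim objCreated As WbemScripting.ISWbemObject
    Dim varName As Variant
    Dim ProcessName As String, ProcessId As Long
    Dim blnTerminate As Boolean

    ' Fetch the embedded instance once instead of re-walking the property
    ' chain for every value.
    Set objCreated = objWbemObject.Properties_.Item("TargetInstance").Value

    With objCreated.Properties_
        varName = .Item("Name").Value
        ProcessId = .Item("ProcessId").Value

        ' Debug.Print writes to the IDE's Immediate window only. If this is
        ' ever changed to write a log file, treat CommandLine as sensitive:
        ' command lines can carry passwords or tokens.
        Debug.Print .Item("CommandLine").Value
        Debug.Print .Item("CreationDate").Value
        Debug.Print .Item("ExecutablePath").Value
        Debug.Print .Item("Handle").Value
        Debug.Print .Item("ProcessId").Value
    End With

    ' Assigning Null to a String raises run-time error 94, so stop here if
    ' WMI did not supply a name.
    If IsNull(varName) Then Exit Sub
    ProcessName = varName

    ' Windows image names are case-insensitive, so compare in lower case;
    ' a plain "=" would not match "Notepad.exe" or "NOTEPAD.EXE".
    ' NOTE: matching on the image name alone is a convenience policy, not a
    ' security control - a renamed copy of the program is not matched.
    Select Case LCase$(ProcessName)
        Case "notepad.exe"
            Debug.Print "记事记已运行"
            blnTerminate = True
        Case "qq.exe"   ' close QQ
            blnTerminate = True
    End Select

    If blnTerminate Then
        ' NOTE(review): "ntsd" is given without a path, so Shell resolves it
        ' through the executable search order; a full path to a trusted copy
        ' would be safer. ntsd is a debugger and is not present on every
        ' Windows installation, so a failed launch is reported, not fatal.
        ' NOTE(review): the PID comes from a polled snapshot (the subscription
        ' uses WITHIN 1); the process may already have exited by now.
        On Error Resume Next
        Shell "ntsd -c q -p " & ProcessId, vbNormalNoFocus
        'Shell "ntsd -c q -pn notepad.exe", vbNormalNoFocus
        If Err.Number <> 0 Then
            Debug.Print "ntsd launch failed: " & Err.Description
            Err.Clear
        End If
        On Error GoTo 0
    End If
End Sub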
67
' Process-exit event.
' Called for every event delivered to the DeleteProcessEvent sink.
' The handler has no body: exit events are received but not acted on.
Private Sub DeleteProcessEvent_OnObjectReady(ByVal objWbemObject As WbemScripting.ISWbemObject, ByVal objWbemAsyncContext As WbemScripting.ISWbemNamedValueSet)
End Sub
72
' Process-property-change event.
' Called for every event delivered to the ModificationProcessEvent sink.
' The only statement is commented out, so modification events are received
' but not acted on.
Private Sub ModificationProcessEvent_OnObjectReady(ByVal objWbemObject As WbemScripting.ISWbemObject, ByVal objWbemAsyncContext As WbemScripting.ISWbemNamedValueSet)
    ' Disabled: show the name of the process whose properties changed.
    'MsgBox objWbemObject.Properties_.Item("TargetInstance").Value.Properties_.Item("Name").Value
End Sub
77
78
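' Subscribes CreateProcessEvent to process-creation events on the local
' root\cimv2 namespace.
Private Sub StartMonitorCreateProcessEvent()
    ' Form_Load has usually subscribed already. Cancel the previous sink
    ' before replacing it, otherwise its asynchronous query may stay
    ' registered with WMI while this form can no longer reach it.
    If Not CreateProcessEvent Is Nothing Then CreateProcessEvent.Cancel

    Set CreateProcessEvent = New SWbemSink
    Set objSWbemServices = GetObject("winmgmts:\\.\root\cimv2")

    ' WITHIN 1 makes WMI poll once per second. A process that starts and
    ' exits between two polls can be missed, so this is not a complete
    ' record of process launches.
    objSWbemServices.ExecNotificationQueryAsync CreateProcessEvent, "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
End Sub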
84
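' Subscribes DeleteProcessEvent to process-exit events on the local
' root\cimv2 namespace.
Private Sub StartMonitorDeleteProcessEvent()
    ' Form_Load has usually subscribed already. Cancel the previous sink
    ' before replacing it, otherwise its asynchronous query may stay
    ' registered with WMI while this form can no longer reach it.
    If Not DeleteProcessEvent Is Nothing Then DeleteProcessEvent.Cancel

    Set DeleteProcessEvent = New SWbemSink
    Set objSWbemServices = GetObject("winmgmts:\\.\root\cimv2")

    ' WITHIN 1 makes WMI poll once per second.
    objSWbemServices.ExecNotificationQueryAsync DeleteProcessEvent, "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
End Sub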
90
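' Subscribes ModificationProcessEvent to process-property-change events on
' the local root\cimv2 namespace.
Private Sub StartMonitorModificationProcessEvent()
    ' Form_Load has usually subscribed already. Cancel the previous sink
    ' before replacing it, otherwise its asynchronous query may stay
    ' registered with WMI while this form can no longer reach it.
    If Not ModificationProcessEvent Is Nothing Then ModificationProcessEvent.Cancel

    Set ModificationProcessEvent = New SWbemSink
    Set objSWbemServices = GetObject("winmgmts:\\.\root\cimv2")

    ' WITHIN 1 makes WMI poll once per second. The query has no further
    ' filter, so every polled property change on any process is delivered.
    objSWbemServices.ExecNotificationQueryAsync ModificationProcessEvent, "SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
End Sub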
96
97
' Requires a project reference to "Microsoft WMI Scripting V1.2 Library".

' Connection to a WMI namespace; assigned by each StartMonitor* routine.
Private objSWbemServices As WbemScripting.SWbemServices

' One asynchronous sink per kind of process event. WithEvents lets the form
' receive each sink's OnObjectReady callback.
Private WithEvents CreateProcessEvent As WbemScripting.SWbemSink
Private WithEvents DeleteProcessEvent As WbemScripting.SWbemSink
Private WithEvents ModificationProcessEvent As WbemScripting.SWbemSink
7
8
' "Start" button for the process-creation monitor.
' Form_Load starts this monitor as well, so a click re-subscribes.
Private Sub cmdStartCreate_Click()
    Call StartMonitorCreateProcessEvent
End Sub
12
' "Start" button for the process-exit monitor.
' Form_Load starts this monitor as well, so a click re-subscribes.
Private Sub cmdStartDelete_Click()
    Call StartMonitorDeleteProcessEvent
End Sub
16
' "Start" button for the process-modification monitor.
' Form_Load starts this monitor as well, so a click re-subscribes.
Private Sub cmdStartModification_Click()
    Call StartMonitorModificationProcessEvent
End Sub
20
' "Stop" button: cancels the asynchronous query bound to the creation sink.
Private Sub cmdStopCreate_Click()
    Call CreateProcessEvent.Cancel
End Sub
24
' "Stop" button: cancels the asynchronous query bound to the exit sink.
Private Sub cmdStopDelete_Click()
    Call DeleteProcessEvent.Cancel
End Sub
28
' "Stop" button: cancels the asynchronous query bound to the modification sink.
Private Sub cmdStopModification_Click()
    Call ModificationProcessEvent.Cancel
End Sub
32
' Subscribes to all three kinds of process event as soon as the form loads.
Private Sub Form_Load()
    Call StartMonitorCreateProcessEvent
    Call StartMonitorDeleteProcessEvent
    Call StartMonitorModificationProcessEvent
End Sub
38
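' Cancels every outstanding WMI subscription when the form closes.
' Cancel: standard VB unload flag; it is not modified here.
Private Sub Form_Unload(Cancel As Integer)
    ' A sink is Nothing if its StartMonitor* routine never ran, for example
    ' when an earlier one raised an error in Form_Load. Calling .Cancel on
    ' Nothing would raise run-time error 91 during unload, so guard each call.
    If Not CreateProcessEvent Is Nothing Then CreateProcessEvent.Cancel
    If Not DeleteProcessEvent Is Nothing Then DeleteProcessEvent.Cancel
    If Not ModificationProcessEvent Is Nothing Then ModificationProcessEvent.Cancel

    ' Release the COM references so nothing keeps the sinks alive afterwards.
    Set CreateProcessEvent = Nothing
    Set DeleteProcessEvent = Nothing
    Set ModificationProcessEvent = Nothing
    Set objSWbemServices = Nothing
End Sub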
44
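' Process-creation event.
' Called for every event delivered to the CreateProcessEvent sink. Prints
' details of the new process to the Immediate window and asks ntsd to end the
' process when its image name is notepad.exe or QQ.exe.
'   objWbemObject       - the event object; its TargetInstance property holds
'                         the embedded Win32_Process instance.
'   objWbemAsyncContext - context passed with the async call; unused here.
Private Sub CreateProcessEvent_OnObjectReady(ByVal objWbemObject As WbemScripting.ISWbemObject, ByVal objWbemAsyncContext As WbemScripting.ISWbemNamedValueSet)
    Dim objCreated As WbemScripting.ISWbemObject
    Dim varName As Variant
    Dim ProcessName As String, ProcessId As Long
    Dim blnTerminate As Boolean

    ' Fetch the embedded instance once instead of re-walking the property
    ' chain for every value.
    Set objCreated = objWbemObject.Properties_.Item("TargetInstance").Value

    With objCreated.Properties_
        varName = .Item("Name").Value
        ProcessId = .Item("ProcessId").Value

        ' Debug.Print writes to the IDE's Immediate window only. If this is
        ' ever changed to write a log file, treat CommandLine as sensitive:
        ' command lines can carry passwords or tokens.
        Debug.Print .Item("CommandLine").Value
        Debug.Print .Item("CreationDate").Value
        Debug.Print .Item("ExecutablePath").Value
        Debug.Print .Item("Handle").Value
        Debug.Print .Item("ProcessId").Value
    End With

    ' Assigning Null to a String raises run-time error 94, so stop here if
    ' WMI did not supply a name.
    If IsNull(varName) Then Exit Sub
    ProcessName = varName

    ' Windows image names are case-insensitive, so compare in lower case;
    ' a plain "=" would not match "Notepad.exe" or "NOTEPAD.EXE".
    ' NOTE: matching on the image name alone is a convenience policy, not a
    ' security control - a renamed copy of the program is not matched.
    Select Case LCase$(ProcessName)
        Case "notepad.exe"
            Debug.Print "记事记已运行"
            blnTerminate = True
        Case "qq.exe"   ' close QQ
            blnTerminate = True
    End Select

    If blnTerminate Then
        ' NOTE(review): "ntsd" is given without a path, so Shell resolves it
        ' through the executable search order; a full path to a trusted copy
        ' would be safer. ntsd is a debugger and is not present on every
        ' Windows installation, so a failed launch is reported, not fatal.
        ' NOTE(review): the PID comes from a polled snapshot (the subscription
        ' uses WITHIN 1); the process may already have exited by now.
        On Error Resume Next
        Shell "ntsd -c q -p " & ProcessId, vbNormalNoFocus
        'Shell "ntsd -c q -pn notepad.exe", vbNormalNoFocus
        If Err.Number <> 0 Then
            Debug.Print "ntsd launch failed: " & Err.Description
            Err.Clear
        End If
        On Error GoTo 0
    End If
End Sub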
67
' Process-exit event.
' Called for every event delivered to the DeleteProcessEvent sink.
' The handler has no body: exit events are received but not acted on.
Private Sub DeleteProcessEvent_OnObjectReady(ByVal objWbemObject As WbemScripting.ISWbemObject, ByVal objWbemAsyncContext As WbemScripting.ISWbemNamedValueSet)
End Sub
72
' Process-property-change event.
' Called for every event delivered to the ModificationProcessEvent sink.
' The only statement is commented out, so modification events are received
' but not acted on.
Private Sub ModificationProcessEvent_OnObjectReady(ByVal objWbemObject As WbemScripting.ISWbemObject, ByVal objWbemAsyncContext As WbemScripting.ISWbemNamedValueSet)
    ' Disabled: show the name of the process whose properties changed.
    'MsgBox objWbemObject.Properties_.Item("TargetInstance").Value.Properties_.Item("Name").Value
End Sub
77
78
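' Subscribes CreateProcessEvent to process-creation events on the local
' root\cimv2 namespace.
Private Sub StartMonitorCreateProcessEvent()
    ' Form_Load has usually subscribed already. Cancel the previous sink
    ' before replacing it, otherwise its asynchronous query may stay
    ' registered with WMI while this form can no longer reach it.
    If Not CreateProcessEvent Is Nothing Then CreateProcessEvent.Cancel

    Set CreateProcessEvent = New SWbemSink
    Set objSWbemServices = GetObject("winmgmts:\\.\root\cimv2")

    ' WITHIN 1 makes WMI poll once per second. A process that starts and
    ' exits between two polls can be missed, so this is not a complete
    ' record of process launches.
    objSWbemServices.ExecNotificationQueryAsync CreateProcessEvent, "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
End Sub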
84
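' Subscribes DeleteProcessEvent to process-exit events on the local
' root\cimv2 namespace.
Private Sub StartMonitorDeleteProcessEvent()
    ' Form_Load has usually subscribed already. Cancel the previous sink
    ' before replacing it, otherwise its asynchronous query may stay
    ' registered with WMI while this form can no longer reach it.
    If Not DeleteProcessEvent Is Nothing Then DeleteProcessEvent.Cancel

    Set DeleteProcessEvent = New SWbemSink
    Set objSWbemServices = GetObject("winmgmts:\\.\root\cimv2")

    ' WITHIN 1 makes WMI poll once per second.
    objSWbemServices.ExecNotificationQueryAsync DeleteProcessEvent, "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
End Sub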
90
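' Subscribes ModificationProcessEvent to process-property-change events on
' the local root\cimv2 namespace.
Private Sub StartMonitorModificationProcessEvent()
    ' Form_Load has usually subscribed already. Cancel the previous sink
    ' before replacing it, otherwise its asynchronous query may stay
    ' registered with WMI while this form can no longer reach it.
    If Not ModificationProcessEvent Is Nothing Then ModificationProcessEvent.Cancel

    Set ModificationProcessEvent = New SWbemSink
    Set objSWbemServices = GetObject("winmgmts:\\.\root\cimv2")

    ' WITHIN 1 makes WMI poll once per second. The query has no further
    ' filter, so every polled property change on any process is delivered.
    objSWbemServices.ExecNotificationQueryAsync ModificationProcessEvent, "SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
End Sub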
96
97