Han*_*ant 65
WMI提供了一种跟踪Win32_ProcessTrace类开始和终止进程的方法.最好的例子.启动一个新的控制台应用程序,Project + Add Reference,选择System.Management.粘贴此代码:
using System;
using System.Management;
class Process {
public static void Main() {
ManagementEventWatcher startWatch = new ManagementEventWatcher(
new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
startWatch.EventArrived += new EventArrivedEventHandler(startWatch_EventArrived);
startWatch.Start();
ManagementEventWatcher stopWatch = new ManagementEventWatcher(
new WqlEventQuery("SELECT * FROM Win32_ProcessStopTrace"));
stopWatch.EventArrived += new EventArrivedEventHandler(stopWatch_EventArrived);
stopWatch.Start();
Console.WriteLine("Press any key to exit");
while (!Console.KeyAvailable) System.Threading.Thread.Sleep(50);
startWatch.Stop();
stopWatch.Stop();
}
static void stopWatch_EventArrived(object sender, EventArrivedEventArgs e) {
Console.WriteLine("Process stopped: {0}", e.NewEvent.Properties["ProcessName"].Value);
}
static void startWatch_EventArrived(object sender, EventArrivedEventArgs e) {
Console.WriteLine("Process started: {0}", e.NewEvent.Properties["ProcessName"].Value);
}
}
编辑清单,以便此程序运行升级.然后只需启动一些程序即可查看它的工作情况.请注意,它不是特别快.
您将无法使用该Process课程执行此操作.但是,应该可以通过在Windows中配置审计进程跟踪来确定上次运行应用程序的时间.以下链接可能会帮助您入门:
进程跟踪将在Windows事件日志中创建条目,然后您可以使用C#进行访问.