我碰巧在这里看到了以下部分代码.
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
Switch $OB.Path_.Class
Case "__InstanceCreationEvent"
ConsoleWrite("+~>" & _ProcessGetPath($OB.TargetInstance.ProcessID) & @CR)
Case "__InstanceDeletionEvent"
ConsoleWrite("!~>" & $OB.TargetInstance.ProcessID & @CR)
EndSwitch
我使用相同的WQL查询来监视进程C++.是否存在类似的东西C++,我可以知道它是创建还是终止进程.我尝试使用__CLASS,但它输出为Win32_Process.我在编码MSVS2010.
请帮忙.Thankyou
编辑1:添加了WQL查询
hres = pSvc->ExecNotificationQueryAsync(
_bstr_t("WQL"),
_bstr_t("SELECT * "
"FROM __InstanceDeletionEvent WITHIN 1 "
"WHERE TargetInstance ISA 'Win32_Process' "),
WBEM_FLAG_SEND_STATUS,
NULL,
pStubSink);
hres = pSvc->ExecNotificationQueryAsync( …