为了使用单个WQL语句检测进程的创建和终止,您可以像这样使用__InstanceOperationEvent类.
Select * From __InstanceOperationEvent Within 1 Where TargetInstance ISA Win32_Process
然后,如果要确定到达的事件的类型(类),则必须确定__Class属性.
试试这个样本
HRESULT EventSink::Indicate(long lObjectCount,
IWbemClassObject **apObjArray)
{
HRESULT hr = S_OK;
_variant_t vtProp;
for (int i = 0; i < lObjectCount; i++)
{
bool CreateorDel = false;
_variant_t cn;
hr = apObjArray[i]->Get(_bstr_t(L"__Class"), 0, &cn, 0, 0);
if (SUCCEEDED(hr))
{
wstring LClassStr(cn.bstrVal);
if (0 == LClassStr.compare(L"__InstanceDeletionEvent") )
{
wcout << "Deletion" << endl;
CreateorDel = true;
}
else if (0 == LClassStr.compare(L"__InstanceCreationEvent"))
{
wcout << "Creation" << endl;
CreateorDel = true;
}
else
{
CreateorDel = false;
//wcout << "Modification " << endl;
}
}
VariantClear(&cn);
if (CreateorDel)
{
hr = apObjArray[i]->Get(_bstr_t(L"TargetInstance"), 0, &vtProp, 0, 0);
if (!FAILED(hr))
{
IUnknown* str = vtProp;
hr = str->QueryInterface( IID_IWbemClassObject, reinterpret_cast< void** >( &apObjArray[i] ) );
if ( SUCCEEDED( hr ) )
{
_variant_t cn;
hr = apObjArray[i]->Get( L"Name", 0, &cn, NULL, NULL );
if ( SUCCEEDED( hr ) )
{
if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
wcout << "Name : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
else
wcout << "Name : " << cn.bstrVal << endl;
}
VariantClear(&cn);
hr = apObjArray[i]->Get( L"Handle", 0, &cn, NULL, NULL );
if ( SUCCEEDED( hr ) )
{
if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
wcout << "Handle : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
else
wcout << "Handle : " << cn.bstrVal << endl;
}
VariantClear(&cn);
}
}
VariantClear(&vtProp);
}
}
return WBEM_S_NO_ERROR;
}
扫一扫
344
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
