C# .NET WMI事件监控进程的启动和停止

  1. 适用于 .NET Framework:在 Windows 上以较低的系统资源占用,监控大量进程的启动和停止。
  2. 本方法主要是使用WMI进行实现的

1.监控全部进程启动停止

using System.Management;// 需要添加对System.Management.dll的引用
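/// <summary>
/// Subscribes to WMI creation and deletion events for every Win32_Process
/// instance and prints them until a key is pressed.
/// </summary>
/// <param name="args">Command-line arguments; not used.</param>
/// <remarks>
/// Both queries are intrinsic WMI events with a one-second WITHIN interval, so
/// WMI detects changes by polling. A process that starts and exits between two
/// polls can go unreported. Treat the output as operational telemetry rather
/// than a complete audit trail. Where every process start must be recorded,
/// use a per-event source such as Win32_ProcessStartTrace /
/// Win32_ProcessStopTrace or the operating system's process-creation auditing.
/// </remarks>
static void Main(string[] args)
{
    Console.WriteLine($"开始通过WMI监控进程,按任意键退出...");

    // Polling interval shared by both queries (WQL "WITHIN 1").
    TimeSpan pollingInterval = new TimeSpan(0, 0, 1);
    const string allProcesses = "TargetInstance isa 'Win32_Process'";

    // Creation events for every process.
    WqlEventQuery startQuery = new WqlEventQuery(
        "__InstanceCreationEvent", pollingInterval, allProcesses);

    // Deletion (termination) events for every process.
    WqlEventQuery stopQuery = new WqlEventQuery(
        "__InstanceDeletionEvent", pollingInterval, allProcesses);

    // ManagementEventWatcher is IDisposable; the using blocks release the
    // underlying WMI subscriptions even if Start() or a later call throws.
    using (ManagementEventWatcher startWatcher = new ManagementEventWatcher(startQuery))
    using (ManagementEventWatcher stopWatcher = new ManagementEventWatcher(stopQuery))
    {
        startWatcher.EventArrived += new EventArrivedEventHandler(ProcessStarted);
        stopWatcher.EventArrived += new EventArrivedEventHandler(ProcessStopped);

        try
        {
            startWatcher.Start();
            stopWatcher.Start();

            Console.ReadKey(); // Block until a key is pressed.
        }
        finally
        {
            // Cancel both subscriptions before the watchers are disposed.
            startWatcher.Stop();
            stopWatcher.Stop();
        }
    }
}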
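/// <summary>
/// Handles a process-creation event and prints the new process's image name and PID.
/// </summary>
/// <param name="sender">The watcher that raised the event; not used.</param>
/// <param name="e">Event data; <c>NewEvent["TargetInstance"]</c> holds the Win32_Process snapshot.</param>
/// <remarks>
/// Only the image file name is logged, and a file name alone does not identify
/// a binary. For security triage, consider also recording the Win32_Process
/// properties ExecutablePath, CommandLine and ParentProcessId. These may be
/// null when the monitoring account lacks access to the target process.
/// </remarks>
private static void ProcessStarted(object sender, EventArrivedEventArgs e)
{
    // "as" rather than a hard cast: a missing or unexpected TargetInstance is
    // skipped instead of throwing from inside the event callback.
    ManagementBaseObject instance = e.NewEvent["TargetInstance"] as ManagementBaseObject;
    if (instance == null)
    {
        return;
    }

    // WMI properties can be null; the original dereferenced Name unconditionally.
    string processName = instance["Name"]?.ToString() ?? "<unknown>";

    // Win32_Process.ProcessId is an unsigned 32-bit value; converting it to a
    // signed int could overflow, so keep it unsigned.
    uint processId = Convert.ToUInt32(instance["ProcessId"]);

    Console.WriteLine($"[{DateTime.Now}] 进程启动: {processName} (PID: {processId})");
}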

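/// <summary>
/// Handles a process-deletion event and prints the exited process's image name and PID.
/// </summary>
/// <param name="sender">The watcher that raised the event; not used.</param>
/// <param name="e">Event data; <c>NewEvent["TargetInstance"]</c> holds the Win32_Process snapshot.</param>
/// <remarks>
/// PIDs are reused by Windows. Correlate a stop event with its start event by
/// PID together with time or creation date, not by PID alone.
/// </remarks>
private static void ProcessStopped(object sender, EventArrivedEventArgs e)
{
    // "as" rather than a hard cast: a missing or unexpected TargetInstance is
    // skipped instead of throwing from inside the event callback.
    ManagementBaseObject instance = e.NewEvent["TargetInstance"] as ManagementBaseObject;
    if (instance == null)
    {
        return;
    }

    // WMI properties can be null; the original dereferenced Name unconditionally.
    string processName = instance["Name"]?.ToString() ?? "<unknown>";

    // Win32_Process.ProcessId is an unsigned 32-bit value; converting it to a
    // signed int could overflow, so keep it unsigned.
    uint processId = Convert.ToUInt32(instance["ProcessId"]);

    Console.WriteLine($"[{DateTime.Now}] 进程停止: {processName} (PID: {processId})");
}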

2.监控单个指定的进程

notepad 举例

 // Process-creation query restricted to notepad.exe, polled once per second.
 // NOTE(review): the filter compares only the image file name, so any binary
 // named notepad.exe matches and a renamed copy of the real one does not.
 // Check ExecutablePath as well when the identity of the binary matters.
 // If the name ever comes from configuration or user input, validate it
 // before placing it in the WQL text; WQL has no parameter binding.
    TimeSpan pollInterval = TimeSpan.FromSeconds(1);
    const string notepadOnly =
        "TargetInstance isa 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'";
    WqlEventQuery startQuery =
        new WqlEventQuery("__InstanceCreationEvent", pollInterval, notepadOnly);

3.监控多个指定的进程

notepad chrome 举例

 // Process-creation query restricted to notepad.exe or chrome.exe, polled
 // once per second.
 // NOTE(review): matching is by image file name only. A name-based watch list
 // is a convenience filter, not proof of which binary started.
    TimeSpan pollInterval = TimeSpan.FromSeconds(1);
    const string watchedNames =
        "TargetInstance isa 'Win32_Process' AND (TargetInstance.Name = 'notepad.exe' OR TargetInstance.Name = 'chrome.exe')";
    WqlEventQuery startQuery =
        new WqlEventQuery("__InstanceCreationEvent", pollInterval, watchedNames);
posted @ 2025-09-21 17:31  daigao