Tried to reply this post from Lexikos:
viewtopic.php?t=18348
But i didn't understand how to write it:
Code: Select all
Class MyClass {
ProcessCreate_OnObjectReady(obj){
; https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-process?redirectedfrom=MSDN
proc := obj.TargetInstance
Id := proc.ProcessId
Parent := proc.ParentProcessID
Name := proc.Name
Path := proc.ExecutablePath
CommandLine := proc.CommandLine
FileAppend, ===========`n,*
FileAppend, CREATED `n,*
FileAppend, ===========`n,*
FileAppend, Name: %Name%`nPid: %Id% Parent: %Parent%`n,*
FileAppend, Path: %Path%`n,*
FileAppend, CommandLine: %CommandLine%`n`n,*
/*
TrayTip New Process Detected, % "
(LTrim
ID:`t" proc.ProcessID "
Parent:`t" proc.ParentProcessID "
Name:`t" proc.Name "
Path:`t" proc.ExecutablePath "
Command line (requires XP or later):
" proc.CommandLine
)
*/
}
}
ProcessWatcher() {
; Get WMI service object.
winmgmts := ComObjGet("winmgmts:")
; Create sink objects for receiving event noficiations.
;ComObjConnect(createSink := ComObjCreate("WbemScripting.SWbemSink"), "ProcessCreate_")
(New MyClass).ProcessCreate_(createSink := ComObjCreate("WbemScripting.SWbemSink"))
ComObjConnect(deleteSink := ComObjCreate("WbemScripting.SWbemSink"), "ProcessDelete_")
interval := 2
; Register for process creation notifications:
winmgmts.ExecNotificationQueryAsync(createSink
, "Select * from __InstanceCreationEvent"
. " within " interval
. " where TargetInstance isa 'Win32_Process'")
}