HOOK process creation

I need to hook process creation in win95/98/NT/XP.... I know I could have a thread which checks if a process is added say every 100ms, but this may take up valuable resource time and it's not too efficient (as a process may be created within that 100ms of sleep).


I know that question has already been asked, but since non-registered users have no access to previously asked questions...
well... this was the accepted answer for the same question, I quote Alexo

" First, look here:

There are some programs on SysInternals that use API hooking.  You can get sample source from:

More sample code is available from:

Some comments and pointers can be found here:
madCodeHook even contains a demo which does exactly what you're asking for - namely hooking process creation. See here:

documentation: http://help.madshi.net/madCodeHook.htm
demo download: http://madshi.net/MCHDemos.zip
full package download: http://madshi.net/madCollection.exe

madCodeHook is free for non-commercial purposes.

EKIMAuthor Commented:
Madshi : I went to your site yesterday... and told my Boss to buy your libraries... But it seems to be very complex for me. Would you accept to build a little example for me (if my boss effectively bought your stuff, of course)?
EKIMAuthor Commented:
Black TigerX :
 - internals.com site : Proc Spy does not work on XP
 - SysInternals : the page cannot be found
 - Support microsoft : article not available
 - Deja.com : ?? the page is about health diseases ...

EKIM, just check out the demo "HookProcessCreation.dpr". It's really not that complicated.

For what purpose do you need to hook process creation btw? Do you just need to be notified about the creation of new processes? In that case there are other ways to solve the problem.
P.S.: I don't have the time to write a custom demo for you, I'm sorry...
EKIMAuthor Commented:
Madshi : no more need for a custom demo  :-) I have modified the included demo 'HookProcessCreation' library...
And it begins to work  :-)))
Thanks a lot

Let me ask again:

For what purpose do you need to hook process creation btw? Do you just need to be notified about the creation of new processes? In that case there are other ways to solve the problem.
EKIMAuthor Commented:
Madshi : for some reasons we have to use Firebird Classic Server rather than Super Server. Classic Server creates a process named 'fb_inet_server.exe' for each client connection. I 'hook' from the database when a new user tries to connect, and save the userNo into a file.
If I can get the ProcessID of each 'fb_inet_server.exe' as soon as it is created, I can know which user uses which process.
I have to write an application that records UserNo / ProcessID.

With this tool, it will be easy for the system administrator to 'kill' a user's connection at their own convenience (i.e. if the user's application crashes, or if he launches a query that takes far too long, or if the client loses his TCP/IP connection, and so on...)

Ok, understood. But you can have it even easier than using HookProcessCreation.dpr!

Look: madCodeHook internally already hooks process creation. When a new process is created, madCodeHook automatically injects your dll into it. That means you can solve the problem by simply writing the processID and userNo into the file in the initialization section of your hook dll. You don't need to hook a single API yourself. Something like this:

library YourHookDll;

uses Windows, madStrings;

var str     : string;
    fh      : dword;
    written : dword;

// initialization section: madCodeHook runs this in every process it injects the dll into
begin
  str := IntToHexEx(GetCurrentProcessID) + #13#10;   // CR LF (#13#10), not #12#10
  fh := CreateFile('c:\log.txt', GENERIC_WRITE, 0, nil, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
  if fh <> INVALID_HANDLE_VALUE then begin
    SetFilePointer(fh, 0, nil, FILE_END);            // append to the end of the log
    WriteFile(fh, str[1], Length(str), written, nil);
    CloseHandle(fh);
  end;
end.

That's it. You don't even need to add madCodeHook to the uses clause. One thing is important, though: If two processes get created at the same time, you need to synchronize access to the log file. Otherwise one process will be able to open the log file, while the other won't. Use CreateMutex(..., 'EkimsMutex') + WaitForSingleObject + ReleaseMutex to synchronize access to the log file.
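As an added example (not madshi's code and not part of the madCodeHook demo), here is the injected dll from the reply above with the mutex synchronization it recommends. The log path and the mutex name 'EkimsMutex' come from the reply; the filter on fb_inet_server.exe is an assumption taken from EKIM's description, since madCodeHook injects the dll into every new process.

```pascal
library PidLogDll;

// Added example, not madshi's or the asker's code: a dll that madCodeHook
// injects into each new process.  The initialization section appends the PID
// to a shared log while holding the named mutex 'EkimsMutex', so that two
// processes created at the same time cannot collide on the file.
uses Windows, SysUtils;

const
  LogPath   = 'c:\log.txt';          // from the reply above
  MutexName = 'EkimsMutex';          // from the reply above
  Target    = 'fb_inet_server.exe';  // assumed: only log the Firebird worker

// Append Line to LogPath under the cross-process mutex; False on failure.
function AppendLogLine(const Line: AnsiString): Boolean;
var
  Mutex, FileH: THandle;
  Written: DWORD;
begin
  Result := False;
  if Line = '' then Exit;
  Mutex := CreateMutex(nil, False, MutexName);  // same name => one system-wide lock
  if Mutex = 0 then Exit;
  try
    if WaitForSingleObject(Mutex, 5000) <> WAIT_OBJECT_0 then Exit;
    try
      FileH := CreateFile(LogPath, GENERIC_WRITE, FILE_SHARE_READ, nil,
                          OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);  // create on first use
      if FileH = INVALID_HANDLE_VALUE then Exit;
      try
        SetFilePointer(FileH, 0, nil, FILE_END);  // append
        Result := WriteFile(FileH, Line[1], Length(Line), Written, nil)
                  and (Written = DWORD(Length(Line)));
      finally
        CloseHandle(FileH);
      end;
    finally
      ReleaseMutex(Mutex);  // released even if the write failed
    end;
  finally
    CloseHandle(Mutex);
  end;
end;

// Initialization section: runs once per injected process, before its own code.
begin
  if SameText(ExtractFileName(ParamStr(0)), Target) then
    AppendLogLine(AnsiString(IntToHex(Integer(GetCurrentProcessId), 8)) + #13#10);
end.
```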