Process creation notification without kernel hook

Hi,

I need a user mode app to receive notifications when a new process is created. It will run on XP and on our kit (win CE) so kernel hooking is out, for the time being at least. It would also be particularly poor to periodically query the process list.

I don't need a hook, just a notification. Is there no way of doing this in Windows?
Cheers in advance
LVL 1
rich3051Asked:
Who is Participating?
 
jkrConnect With a Mentor Commented:
Another option - use 'PspCreateProcessNotifyRoutine()' (http://www.osronline.com/DDKx/kmarch/k108_5lwy.htm) as described in http://www.codeproject.com/threads/procmon.asp ("
Detecting Windows NT/2K process execution")
0
 
Jase-CoderCommented:
The only way to do this is to create a hook or poll the process list from time to time because as far as I know hooking is the only method for intercepting other application messages.
0
 
itsmeandnobodyelseCommented:
>>>>  or poll the process list from time to time
You would retrieve the list by EnumProcesses. If only GUI processes were needed to detect you may do a EnumWindows on top level windows. If doing that any second you'll have not harm the system overall performance.

To find out which windows (processes) were added or removed, put the handles into arrays, and sort them. Then you can easily get the wished information.

Regards, Alex
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
jasonclarkeCommented:
I think you could use the WMI ManagementEventWatcher interface for detecting process starts - but as far as I know this doesn't work on WinCE either?
0
 
jkrCommented:
Apart from WMI, a nice and elegant way to do that is to place a small DLL "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" (see also http://support.microsoft.com/kb/197571 - "Working with the AppInit_DLLs registry value", http://msdn2.microsoft.com/en-us/library/ms942860.aspx for CE). DLLs listed there will be loaded into every newly created process and will allow you to perform any notification via the DLL's 'DllMain()', e.g. just like

BOOL
WINAPI
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {

    TCHAR acModule[MAX_PATH];

    switch (dwReason) {
 
        //
        // The DLL is loading due to process
        // initialization or a call to LoadLibrary.
        //
 
        case DLL_PROCESS_ATTACH:

            OutputDebugString("DllMain(): DLL_PROCESS_ATTACH\n");

            GetModuleFileName(NULL,acModule,MAX_PATH);

            NotifyProcessStart(acModule); // provide an implementation

            break;

 
        case DLL_PROCESS_DETACH:
 
            OutputDebugString("DllMain(): DLL_PROCESS_DETACH\n");

            GetModuleFileName(NULL,acModule,MAX_PATH);

            NotifyProcessEnd(acModule); // provide an implementation

            break;
 
        default:
            break;
    }
 
    return TRUE;
}  
0
 
itsmeandnobodyelseCommented:
>>>>  to place a small DLL at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"

Isn't that actually a *hook* ?

I don't wonder that viruses and worms easily can hijack any priviliged account if processes can be hooked without a way to defense ...

Regards, Alex
0
 
jkrCommented:
>>Isn't that actually a *hook* ?

No. That's something completely different. And kernel hooking is even more different.
0
 
itsmeandnobodyelseCommented:
>>>> No. That's something completely different.
But the dll added at AppInit_DLLs would run within the context of the calling application. Where is the difference to a hook?

>>>> I don't need a hook, just a notification.
That is the requirement of the questioner. The reason for it maybe is that his program not necessarily has admin rights at the target system. To  AppInit_DLLs in the registry can only be updated when having admin rights which needs to be granted at least at installation time.

Regards, Alex
0
 
jkrCommented:
Sorry, but I am not inclined to get off topic here - which that discussion IMHO would be.
0
 
itsmeandnobodyelseCommented:
>>>> off topic here - which that discussion IMHO would be.
maybe you should omit the 'H'. There is nothing 'humble/honest' with that comment.

>>>> I don't need a hook, just a notification
Rich, if you need a notification you should use any of  the proposed 'notification' solutions, though some of them may need administrator rights as well, at least at installation time. If you want to go without you may compare the list of processes or top level windows though it is the most work to do.

Regards, Alex
0
 
Adrien de CroyCommented:
"hooking" is a very specific method of intercepting things.  In the end, it implies that instead of some function call being provided by the normal provider, it is provided or intercepted or filtered by your function.  so

* getting a DLL to load is not hooking.
* DLL injection is not hooking either

Hooking is when you

* Call a hook api to install a filter function
* intercept registration of a function API and change the pointers to point to your own function
* trojan thunk a service API entry point in a module
* swap out entries in the kernel service descriptor table (SDT)
* etc.

AFAIK, the only ways to register for or obtain notifications of process initialisation will require admin rights.

I think depending on OS, the best one may be a call to PsSetCreateProcessNotifyRoutine()
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.