Which application started another

Thread: Which application started another

  1. #1
    Join Date
    May 2002
    Location
    Germany
    Posts
    446

    Which application started another

    Is there any way to instruct Windows 7 to log what process/application starts another process/application? I guess there is; I just don't know how to do it.

    Ideas please

  2. #2
    Join Date
    Jan 2006
    Location
    Chicago, IL
    Posts
    15,002

    Re: Which application started another

    Process Explorer, or Sysinternals, which have tools
    David


    CodeGuru Reviewer
    2006 Dell CSP
    2006, 2007 & 2008 MVP Visual Basic

  3. #3
    Join Date
    May 2002
    Location
    Germany
    Posts
    446

    Re: Which application started another

    That works as long as the parent process is known and existing. Now imagine sysinternals showing "Not found" where the parent should be. What to do then?

  4. #4
    VictorN is offline Super Moderator Power Poster
    Join Date
    Jan 2003
    Location
    Wallisellen (ZH), Switzerland
    Posts
    17,605

    Re: Which application started another

    Quote Originally Posted by luftwaffe View Post
    That works as long as the parent process is known and existing. Now imagine sysinternals showing "Not found" where the parent should be. What to do then?
    Then you should accept that "the parent process is not known or not existing"!
    Victor Nijegorodov

  5. #5
    Join Date
    May 2002
    Location
    Germany
    Posts
    446

    Re: Which application started another

    No. As a matter of fact, it was started somehow. I would like to know how or by whom. It does not sound like a big trick, or do programs just appear and disappear out of the blue? I don't think so.

  6. #6
    Join Date
    Dec 2012
    Location
    England
    Posts
    2,847

    Re: Which application started another

    No, programs do not just appear out of the blue - but that does not mean that info is always available about a process's parent process. A process holds info about its parent as an identifier - the parent process identifier. To get further info about this process it needs to be still available so that further info can be obtained - such as the name of the process executable file. If the parent process is not available then this additional info may not be able to be obtained.

    If you want to be able to always log process hierarchies then you may need to write your own program. Note that there is no easy method of obtaining info about processes - or of getting a trigger event if a process is created or destroyed. You take a snapshot of all processes running at a particular instance and this snapshot provides some info. You process this info as needed and then take another snapshot and process etc. A snapshot is exactly that - a snapshot of the running processes at a particular instance; it is not real-time info.

    For more info see http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx and its links which include a link to a sample program to obtain process info.
    All advice is offered in good faith only. You are ultimately responsible for effects of your programs and the integrity of the machines they run on.

  7. #7
    Arjay is offline Moderator / MS MVP Power Poster
    Join Date
    Aug 2004
    Posts
    11,479

    Re: Which application started another

    Quote Originally Posted by luftwaffe View Post
    No. As a matter of fact, it was started somehow. I would like to know how or by whom. It does not sound like a big trick, or do programs just appear and disappear out of the blue? I don't think so.
    It might not sound like a big trick, but if the OS doesn't keep an audit trail of that information (or expose the audit trail), you are out of luck. In that case, the best you can do is hook into new process creation and store your own audit records and hierarchy. Of course, you'll have to keep in mind that process IDs get reused so you'll need to be careful about not creating invalid hierarchies with reused PIDs.
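
The snapshot polling described in post #6 combined with the PID-reuse caveat from post #7, as an added example that is not part of any post in this thread: each process instance is keyed by (PID, creation time), and a parent is accepted only if an instance of that PID was created no later than the child. The class and function names and the three polls are constructed for illustration; filling the rows from a Toolhelp snapshot plus `GetProcessTimes` on Windows is an assumption and is not shown.

```cpp
#include <cstdint>
#include <iostream>
#include <iterator>
#include <map>
#include <string>
#include <vector>

// One snapshot row. Assumed mapping on Windows: pid/ppid/name from
// PROCESSENTRY32, `created` from the creation time GetProcessTimes returns.
struct Proc { uint32_t pid, ppid; uint64_t created; std::string name; };
using Key = std::pair<uint32_t, uint64_t>;  // (pid, creation time): unique despite PID reuse
using Rows = std::vector<std::pair<std::string, std::string>>;  // child -> parent

class ProcessAuditor {
    std::map<Key, Proc> seen_;  // every instance ever observed, kept after it exits
    std::string resolve(const Proc& c) const {
        if (c.ppid == c.pid) return "<none>";
        // it = first stored instance of the parent PID that is younger than the child
        auto it = seen_.upper_bound(Key{c.ppid, c.created});
        if (it != seen_.begin() && std::prev(it)->first.first == c.ppid)
            return std::prev(it)->second.name;  // newest instance not younger than the child
        if (it != seen_.end() && it->first.first == c.ppid)
            return "<exited; PID reused by " + it->second.name + ">";
        return "<not found>";
    }
public:
    // Store one snapshot, then resolve parents of the instances that are new in it.
    Rows ingest(const std::vector<Proc>& snap) {
        std::vector<Proc> fresh;
        for (const Proc& p : snap)
            if (seen_.emplace(Key{p.pid, p.created}, p).second) fresh.push_back(p);
        Rows out;
        for (const Proc& p : fresh) out.emplace_back(p.name, resolve(p));
        return out;
    }
};
// Constructed sample data: three polls of a hypothetical machine.
std::map<std::string, std::string> run_demo() {
    ProcessAuditor a;
    std::map<std::string, std::string> all;
    std::vector<std::vector<Proc>> polls = {
        {{1200, 1100, 100, "explorer.exe"}, {2000, 1200, 200, "cmd.exe"}},
        {{1200, 1100, 100, "explorer.exe"}, {3000, 1200, 300, "launcher.exe"}},
        {{1200, 1100, 100, "explorer.exe"}, {3000, 1200, 400, "notepad.exe"}, {2500, 1200, 390, "calc.exe"},
         {3200, 3000, 320, "worker.exe"}, {3300, 2500, 350, "orphan.exe"}}};
    for (const auto& s : polls) for (const auto& r : a.ingest(s)) all.insert(r);
    return all;
}
int main() { for (const auto& kv : run_demo()) std::cout << kv.first << " <- " << kv.second << "\n"; }
```

In the third poll a lookup by PID alone would attribute worker.exe to notepad.exe, the current owner of PID 3000; the stored history attributes it to launcher.exe, which had already exited.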

  8. #8
    Join Date
    Dec 2012
    Location
    England
    Posts
    2,847

    Re: Which application started another

    You may find this article of interest - particularly using WMI to track process creation.
    https://social.msdn.microsoft.com/Fo...orum=vcgeneral

    For info about WMI see http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx and subsequent links. WMI uses COM so a knowledge of COM programming is helpful to use WMI.
