  1. #1
    Join Date
    May 2002
    Location
    Germany
    Posts
    451

    Which application started another

    Is there any way to instruct Windows 7 to log what process/application starts another process/application? I guess there is; I just don't know how to do it.

    Ideas please

  2. #2
    Join Date
    Jan 2006
    Location
    Fox Lake, IL
    Posts
    15,007

    Re: Which application started another

    Process Explorer, or Sysinternals, which have tools
    David


  3. #3
    Join Date
    May 2002
    Location
    Germany
    Posts
    451

    Re: Which application started another

    That works as long as the parent process is known and existing. Now imagine sysinternals showing "Not found" where the parent should be. What to do then?

  4. #4
    VictorN (Super Moderator)
    Join Date
    Jan 2003
    Location
    Hanover Germany
    Posts
    20,396

    Re: Which application started another

    Quote: Originally posted by luftwaffe
    That works as long as the parent process is known and existing. Now imagine sysinternals showing "Not found" where the parent should be. What to do then?
    Then you should accept that "the parent process is not known or not existing"!
    Victor Nijegorodov

  5. #5
    Join Date
    May 2002
    Location
    Germany
    Posts
    451

    Re: Which application started another

    No. As a matter of fact, it was started somehow. I would like to know how or by whom. It does not sound like a big trick, or do programs just appear and disappear out of the blue? I don't think so.

  6. #6
    2kaud (Super Moderator)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Which application started another

    No, programs do not just appear out of the blue - but that does not mean that info is always available about a process's parent process. A process holds info about its parent as an identifier - the parent process identifier. To get further info about this process it needs to be still available so that further info can be obtained - such as the name of the process executable file. If the parent process is not available then this additional info may not be able to be obtained.

    If you want to be able to always log process hierarchies then you may need to write your own program. Note that there is no easy method of obtaining info about processes - or of getting a trigger event if a process is created or destroyed. You take a snapshot of all processes running at a particular instance and this snapshot provides some info. You process this info as needed and then take another snapshot and process etc. A snapshot is exactly that - a snapshot of the running processes at a particular instance; it is not real-time info.

    For more info see http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx and its links which include a link to a sample program to obtain process info.
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  7. #7
    Arjay (Moderator / EX MS MVP)
    Join Date
    Aug 2004
    Posts
    13,490

    Re: Which application started another

    Quote: Originally posted by luftwaffe
    No. As a matter of fact, it was started somehow. I would like to know how or by whom. It does not sound like a big trick, or do programs just appear and disappear out of the blue? I don't think so.
    It might not sound like a big trick, but if the OS doesn't keep an audit trail of that information (or expose the audit trail), you are out of luck. In that case, the best you can do is hook into new process creation and store your own audit records and hierarchy. Of course, you'll have to keep in mind that process IDs get reused so you'll need to be careful about not creating invalid hierarchies with reused PIDs.
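
The parent lookup and PID-reuse check described in posts #6 and #7, as an added example that is not code from any poster in this thread: it resolves each process's recorded parent PID against a snapshot and rejects a match whose holder started after the child. The record layout, names and sample rows are assumptions constructed for illustration; a real tool would fill the records from a process snapshot plus each process's creation time.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
/* One row of a process snapshot (hypothetical layout for this example). */
typedef struct {
    uint32_t pid;
    uint32_t ppid;        /* parent PID recorded at creation, never updated */
    uint64_t start_time;  /* creation time, any increasing unit */
    const char *image;
} proc_rec;
typedef enum { PARENT_FOUND, PARENT_EXITED, PARENT_PID_REUSED } parent_status;
/* Resolve the parent of snap[child]. A live process holding the recorded
   parent PID is the real parent only if it started no later than the child. */
parent_status resolve_parent(const proc_rec *snap, size_t n, size_t child,
                             const proc_rec **parent_out)
{
    *parent_out = NULL;
    for (size_t i = 0; i < n; i++) {
        if (i == child || snap[i].pid != snap[child].ppid)
            continue;
        if (snap[i].start_time > snap[child].start_time)
            return PARENT_PID_REUSED;  /* holder is younger than the child */
        *parent_out = &snap[i];
        return PARENT_FOUND;
    }
    return PARENT_EXITED;              /* no live process holds that PID */
}

/* Constructed sample snapshot, not real system data. */
const proc_rec SAMPLE[] = {
    {  400,    0, 100, "launcher.exe" },
    { 1200,  400, 250, "helper.exe"   },  /* parent 400 is alive and older */
    { 3100, 2900, 500, "tool.exe"     },  /* parent 2900 has exited */
    { 3300, 3200, 600, "worker.exe"   },  /* real parent 3200 exited ... */
    { 3200,  400, 900, "editor.exe"   },  /* ... and PID 3200 was reused */
};
const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

int main(void)
{
    static const char *label[] = { "found", "exited", "pid-reused" };
    for (size_t i = 0; i < SAMPLE_N; i++) {
        const proc_rec *p;
        parent_status s = resolve_parent(SAMPLE, SAMPLE_N, i, &p);
        printf("%-12s pid=%u ppid=%u -> %s\n", SAMPLE[i].image,
               (unsigned)SAMPLE[i].pid, (unsigned)SAMPLE[i].ppid, label[s]);
    }
    return 0;
}
```

Without the start-time comparison, worker.exe would be logged as a child of editor.exe, which is exactly the invalid hierarchy post #7 warns about.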

  8. #8
    2kaud (Super Moderator)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Which application started another

    You may find this article of interest - particularly using WMI to track process creation.
    https://social.msdn.microsoft.com/Fo...orum=vcgeneral

    For info about WMI see http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx and subsequent links. WMI uses COM so a knowledge of COM programming is helpful to use WMI.
