Detecting When Processes Start on Windows to Check Legitimacy
It is useful to be able to monitor and detect when new processes start on Windows in real-time. This allows us to scan their memory or perform other checks to ensure they are legitimate or to identify potential malware.
The most straightforward method is to poll the list of running processes and identify new ones via the Windows API. The main drawback is its resource-intensive nature, as it continuously queries the system, which can impact performance.
Another approach on Windows is to subscribe to process creation events using Windows Management Instrumentation (WMI). This leverages the event-driven nature of the system: Windows notifies your program when a new process starts, so nothing has to be polled, which keeps resource usage low.
The easiest programming language to use for this task on Windows is C#, as the .NET Framework provides classes that simplify interaction with WMI.
```csharp
using System;
using System.Management;

class ProcessMonitor
{
    public static void Main()
    {
        // Win32_ProcessStartTrace fires once per process creation (needs an elevated process).
        string queryString = "SELECT * FROM Win32_ProcessStartTrace";
        ManagementEventWatcher watcher = new ManagementEventWatcher(new WqlEventQuery(queryString));
        watcher.EventArrived += new EventArrivedEventHandler(ProcessStarted);
        watcher.Start();
        Console.WriteLine("Listening for new processes. Press any key to exit.");
        Console.ReadKey();
        watcher.Stop();
        watcher.Dispose(); // release the WMI event subscription
    }

    // Invoked by the watcher on its own thread for every start event.
    private static void ProcessStarted(object sender, EventArrivedEventArgs e)
    {
        Console.WriteLine("Process started: " + e.NewEvent["ProcessName"]);
    }
}
```
This code defines a WMI query to listen for Win32_ProcessStartTrace events, which are triggered when a new process starts. It subscribes to the EventArrived event of ManagementEventWatcher to receive notifications when a new process begins. In the ProcessStarted method, the event is handled, and the name of the process that started is output to the console.
Using this approach, we can detect in real-time when a new process has started and then extract the memory image, or parts of it, for analysis as needed.
To run the code example, you will need the appropriate administrative privileges, especially to access process information for system processes. Note also that this approach is specific to Windows and relies on the capabilities of the .NET Framework and the WMI infrastructure.
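As an added example (not part of the original post), the same Win32_ProcessStartTrace subscription extended with a first legitimacy check: the event only carries the process name and IDs, so the handler resolves the image path from the live process and flags anything that is not both in a constructed allowlist of directories and carrying a verifiable embedded Authenticode signature. The allowlist, class and method names are assumptions for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Management;
using System.Security.Cryptography.X509Certificates;

class SignedProcessMonitor
{
    // Constructed allowlist of directories from which legitimate binaries are expected to run.
    static readonly string[] TrustedDirs = { @"C:\Windows\", @"C:\Program Files\", @"C:\Program Files (x86)\" };

    public static void Main()
    {
        using (var watcher = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace")))
        {
            watcher.EventArrived += OnProcessStarted;
            watcher.Start();
            Console.WriteLine("Monitoring process starts. Press any key to exit.");
            Console.ReadKey();
            watcher.Stop();
        }
    }

    static void OnProcessStarted(object sender, EventArrivedEventArgs e)
    {
        int pid = Convert.ToInt32(e.NewEvent["ProcessID"]);
        int ppid = Convert.ToInt32(e.NewEvent["ParentProcessID"]);
        string name = (string)e.NewEvent["ProcessName"];
        string path;
        try
        {
            // No image path in the event: resolve it from the live process. Short-lived or
            // protected processes make this fail, so report that instead of crashing the watcher.
            path = Process.GetProcessById(pid).MainModule.FileName;
        }
        catch (Exception ex) when (ex is ArgumentException || ex is InvalidOperationException || ex is Win32Exception)
        {
            Console.WriteLine($"[unresolved] {name} pid={pid} ppid={ppid}: {ex.Message}");
            return;
        }
        Console.WriteLine($"{Verdict(path)} {name} pid={pid} ppid={ppid} path={path}");
    }

    // "ok" only if the image is in a trusted directory AND its embedded Authenticode signer
    // certificate chains to a trusted root. Catalog-signed files show as unsigned here.
    static string Verdict(string path)
    {
        bool trustedDir = Array.Exists(TrustedDirs, d => path.StartsWith(d, StringComparison.OrdinalIgnoreCase));
        bool signed;
        try { signed = new X509Certificate2(X509Certificate.CreateFromSignedFile(path)).Verify(); }
        catch (Exception) { signed = false; } // unsigned or unreadable image
        return trustedDir && signed ? "[ok]" : "[suspicious]";
    }
}
```

Many Windows system binaries are catalog-signed rather than embedded-signed, so a production check should fall back to WinVerifyTrust with catalog lookup before treating a "[suspicious]" verdict as a finding.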