Does anybody have any idea on how can I detect when an application is being launched using C#?
Last edited by Tin_Tin; 09-08-2009 at 02:40 PM.
There's a kernel-mode function for this.
Here's the link; all you have to do for your C# is to create a DLL wrapper for the DevIoCtrl function for your application.

PsSetCreateProcessNotifyRoutine() offers the ability to register a system-wide callback function which is called by the OS each time a new process starts, exits or is terminated. The mentioned API can be employed as an easy-to-implement method for tracking down processes simply by implementing an NT kernel-mode driver and a user-mode Win32 control application. The role of the driver is to detect process execution and notify the control program about these events.
Even though it is a simple solution, you need both an application and a driver for it to work.
CodeProject: Detecting Windows NT/2K process execution. Free source code and programming help
Last edited by xyberblue; 09-08-2009 at 11:06 PM.
CreateProcess is called every time the OS creates a new process. This includes running executable files.
The trick is to inject your DLL such that when CreateProcess is called by the OS, your function in the DLL will be called first instead of the original function. Google for CreateProcess API Hook
Another little hacky way of achieving what you need is to create a thread that will poll the system, getting a list of processes. Maintaining a list will allow you to keep track of new processes; once you have one, get the PID and from that you can get more information about the process. However, this is inefficient, but in theory it might work depending on how deep your requirements are, and it is relatively simple.
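The polling approach described in this post, written out as an added C# example (not code from the thread): it diffs snapshots of Process.GetProcesses() by PID and start time, so a PID recycled after an exit is not mistaken for the process that used to own it. It assumes only System.Diagnostics from the .NET base class library.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading;
class ProcessPoller
{
    // Keyed by PID; the start time is kept because Windows recycles PIDs after exit.
    static Dictionary<int, DateTime> Snapshot()
    {
        var snap = new Dictionary<int, DateTime>();
        foreach (var p in Process.GetProcesses())
        {
            // StartTime throws on access denied or if the process already exited.
            try { snap[p.Id] = p.StartTime; }
            catch (Exception) { snap[p.Id] = DateTime.MinValue; }
            finally { p.Dispose(); }
        }
        return snap;
    }
    // PIDs absent from the previous snapshot, or present with a different start time.
    static List<int> NewPids(Dictionary<int, DateTime> previous, Dictionary<int, DateTime> current)
    {
        var fresh = new List<int>();
        foreach (var kv in current)
        {
            DateTime oldStart;
            if (!previous.TryGetValue(kv.Key, out oldStart) || oldStart != kv.Value)
                fresh.Add(kv.Key);
        }
        return fresh;
    }
    static void Main()
    {
        var previous = Snapshot();
        while (true)
        {
            Thread.Sleep(500); // poll interval: shorter means more CPU, longer means more latency
            var current = Snapshot();
            foreach (int pid in NewPids(previous, current))
            {
                string name;
                try { using (var p = Process.GetProcessById(pid)) name = p.ProcessName; }
                catch (Exception) { name = "<exited before it could be inspected>"; }
                Console.WriteLine("New process: PID {0} ({1})", pid, name);
            }
            previous = current;
        }
    }
}
```

A process that starts and exits within one poll interval is never seen at all, which is the gap the kernel-callback and hooking answers in this thread close.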
You need to hook NtCreateProcessA, NtCreateProcessW and WinExec if you need real-time monitoring with the possibility to intercept the execution of the process.
Polling only makes sense when you do not intend to intercept the process execution.
I am doing a lot of hooking (for example in my File Guard, or Autorun protect), and it's not that difficult.
I am not using C#, so I have no idea which would be the easiest way for you.
But take a look at this, it's C#: EasyHook - The reinvention of Windows API Hooking - Home