Windows: Tracking process launches and ends

This post was written by eli on April 16, 2012
Posted Under: Microsoft

I’m sure there’s a saner way to do this than the Perl script below, but jotting it down was so easy that it wasn’t worth looking for another tool to do it.

The idea is the simplest ever: Grab the list of processes 10 times a second or so, and write a line to standard output when a change is detected. If a process lives longer than ~100 ms, it’s caught.

The correct way to do this would be to use some kind of hook of the Windows operating system. Or more precisely, look for a program that already does that. And then hope that program isn’t some kind of spyware.

So here’s the script. You may need to install Win32::Process::List from somewhere, assuming you have Perl on board anyhow.

Perl code:

#!/usr/bin/perl

use strict;
use warnings;
use Win32::Process::List;

my %old = ();   # PID => image name, as seen on the previous poll

while (1) {
  my $P = Win32::Process::List->new();  # constructor

  select(undef, undef, undef, 0.1);     # sleep for 100 ms

  my $now = scalar localtime time();

  my %list = $P->GetProcesses();        # PID => image name, current poll

  # First poll only: seed the baseline so nothing is reported as started
  %old = %list
    unless (%old);

  # Whatever is left in %left after the loop below was in %old but not
  # in %list, i.e. it has stopped since the previous poll
  my %left = %old;

  foreach my $key ( keys %list ) {
    print "START $now: PID $key, $list{$key}\n"
      if (not defined $old{$key});

    delete $left{$key};
  }

  foreach my $key ( keys %left ) {
    print "STOP  $now: PID $key, $left{$key}\n";
  }
  %old = %list;
}
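The same poll-and-diff idea in Python, as an added example that is not the post's own code. It parses the CSV form of Windows' built-in tasklist command instead of using a CPAN module, and it goes one step beyond the Perl script: if a PID shows up in two consecutive polls with a different image name, the PID was reused between polls, so it reports a STOP for the old image and a START for the new one rather than treating it as one long-lived process. The sample CSV text is constructed; the PIDs and names in it are hypothetical. It assumes tasklist /FO CSV /NH is available, which it is on a stock Windows install.

```python
import csv
import subprocess
import time
from typing import Dict, List, Tuple

# Snapshot: PID -> image name, the same shape as the Perl script's %list.
Snapshot = Dict[int, str]

# Constructed sample of `tasklist /FO CSV /NH` output (hypothetical values).
# Columns: Image Name, PID, Session Name, Session#, Mem Usage.
SAMPLE_TASKLIST_CSV = (
    '"System Idle Process","0","Services","0","8 K"\r\n'
    '"explorer.exe","1420","Console","1","41,208 K"\r\n'
    '"sstext3d.scr","1380","Console","1","9,104 K"\r\n'
)


def parse_tasklist_csv(text: str) -> Snapshot:
    """Parse tasklist CSV output into {pid: image_name}.

    The csv module handles the quoted fields, including the comma that
    tasklist puts inside the "Mem Usage" column.
    """
    snap: Snapshot = {}
    for row in csv.reader(text.splitlines()):
        if len(row) < 2:
            continue  # blank line
        try:
            snap[int(row[1])] = row[0]
        except ValueError:
            continue  # tolerate non-CSV lines such as "INFO: No tasks ..."
    return snap


def snapshot_windows() -> Snapshot:
    """Take a live snapshot by running tasklist (Windows only)."""
    out = subprocess.run(
        ["tasklist", "/FO", "CSV", "/NH"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_tasklist_csv(out)


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Tuple[str, int, str]]:
    """Return (event, pid, name) tuples describing what changed.

    "STOP" for PIDs that vanished, "START" for PIDs that appeared, and a
    STOP/START pair when the same PID now carries a different image name
    (PID reused between two polls).
    """
    events: List[Tuple[str, int, str]] = []
    for pid, name in sorted(old.items()):
        if pid not in new:
            events.append(("STOP", pid, name))
        elif new[pid] != name:
            events.append(("STOP", pid, name))
            events.append(("START", pid, new[pid]))
    for pid, name in sorted(new.items()):
        if pid not in old:
            events.append(("START", pid, name))
    return events


def trace(snapshot_fn=snapshot_windows, interval: float = 0.1) -> None:
    """Poll forever and print one line per change, like the Perl script."""
    old = snapshot_fn()  # seed the baseline; nothing is printed for it
    while True:
        time.sleep(interval)
        new = snapshot_fn()
        stamp = time.strftime("%a %b %d %H:%M:%S %Y")
        for event, pid, name in diff_snapshots(old, new):
            print(f"{event:<5} {stamp}: PID {pid}, {name}")
        old = new


if __name__ == "__main__":
    trace()
```

Like the Perl version, this still misses any process that starts and exits within one polling interval, and spawning tasklist ten times a second is itself visible process churn. For a record that does not depend on polling, Windows' own process-creation auditing (Security event 4688, or Sysmon event ID 1) logs every process start with its parent and command line.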

This is what the output can look like (screensaver, then FacebookUpdate and then what happens when I open a new window on Firefox).

> perl processtrace.pl
START Mon Apr 16 22:04:07 2012: PID 1380, sstext3d.scr
STOP  Mon Apr 16 22:04:50 2012: PID 1380, sstext3d.scr
START Mon Apr 16 22:27:00 2012: PID 2144, FacebookUpdate.
STOP  Mon Apr 16 22:27:03 2012: PID 2144, FacebookUpdate.
START Mon Apr 16 22:28:05 2012: PID 2268, jqsnotify.exe
STOP  Mon Apr 16 22:28:07 2012: PID 2268, jqsnotify.exe

 
