{"id":66333,"date":"2006-10-04T18:34:00","date_gmt":"2006-10-04T18:34:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2006\/10\/04\/how-can-i-monitor-for-the-creation-of-different-processes\/"},"modified":"2006-10-04T18:34:00","modified_gmt":"2006-10-04T18:34:00","slug":"how-can-i-monitor-for-the-creation-of-different-processes","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-monitor-for-the-creation-of-different-processes\/","title":{"rendered":"How Can I Monitor for the Creation of Different Processes?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I use one script to monitor for the creation of four or five different processes?

— BC<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, BC. You know, it\u2019s too bad you didn\u2019t ask how you could monitor four or five TV shows<\/I> at the same time. Had you done that we would have had the perfect answer for you: get yourself a teenaged son. Although the Scripting Dad is rarely impressed by anyone or anything, he does<\/I> stand in awe of the Scripting Son\u2019s ability to watch two football games, Baseball Tonight<\/I>, one movie, and whatever happens to be on Cartoon Network, all at the same time and all without missing a beat. The Scripting Dad, meanwhile, finds himself totally lost within seconds. \u201cI thought Houston already played today,\u201d he\u2019ll say.<\/P>\n

\u201cUh, Dad, that\u2019s my video game.\u201d<\/P>\n

Oh. Right.<\/P>\n

There\u2019s no doubt that the Scripting Son \u2013 and his friends \u2013 possess an amazing talent; however, that probably won\u2019t help you much, BC. After all, monitoring multiple processes sounds an awful lot like work, a word you rarely see used in the same sentence as \u201cteenaged son.\u201d That means you\u2019ll have to make do with a script similar to this one:<\/P>

arrProcesses = Array(“freecell.exe”,”sol.exe”,”spider.exe”,”winmine.exe”)<\/p>\n
strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
i = 0<\/p>\n
Set colMonitoredProcesses = objWMIService. ExecNotificationQuery _        \n    (“Select * From __InstanceCreationEvent Within 5 Where TargetInstance ISA ‘Win32_Process'”)<\/p>\n
Do While i = 0\n    Set objLatestProcess = colMonitoredProcesses.NextEvent\n    strProcess = LCase(objLatestProcess.TargetInstance.Name)<\/p>\n
    For Each strName in arrProcesses\n        If strName = strProcess Then\n            Wscript.Echo strName & ” has started.”\n        End If\n    Next\nLoop\n<\/PRE>\n
Before we talk about the script we should note that there were a couple different ways we could have attacked this problem. Our original thought was to write a complicated event query that would retrieve information for a only a specific set of processes. That sounded an awful lot like work, however, a word you rarely see used in the same sentence as \u201cthe Scripting Guy who writes this column.\u201d Because of that, we opted for a much simpler approach: we get information about all <\/I>the processes, then check each to see if the process is in our target list. It might not be as elegant, but it\u2019s much easier and \u2013 because you have relatively few processes running on a computer \u2013 is nice and fast as well.<\/P>\n
As for the script itself, it starts out by defining an array named arrProcesses and then adding four items to that array:<\/P>
arrProcesses = Array(“freecell.exe”,”sol.exe”,”spider.exe”,”winmine.exe”)\n<\/PRE>\n
And yes, those are the four processes we\u2019re interested in.<\/P>\n
With the array defined we connect to the WMI service on the local computer (although this script can also run against remote computers) and then assign the value 0 to a counter variable named i<\/I>. That brings us to our event query:<\/P>
Set colMonitoredProcesses = objWMIService. ExecNotificationQuery _        \n    (“Select * From __InstanceCreationEvent Within 5 Where TargetInstance ISA ‘Win32_Process'”)\n<\/PRE>\n
What we\u2019re doing here is asking WMI to stop every 5 seconds (that\u2019s what the Within 5<\/B> is for) and see if there are any new instances of the __InstanceCreationEvent <\/B>class; new instances of this class are automatically created any time a new something \u2013 a process, a service, an event log entry, anything WMI knows about \u2013 is created. Of course, we aren\u2019t interested in new services or new event log entries; the only thing we care about are new processes. That\u2019s why we tack on the Where clause that limits returned data to instances of the Win32_Process<\/B> class. <\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. Yes, we know: if you\u2019re new to WMI events that\u2019s a very cursory explanation. But don\u2019t worry; you can always take a look at the Scripting Week 2 webcast An Ounce of Prevention: An Introduction to WMI Events<\/B><\/A> if you need more information about writing WMI event scripts.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
After issuing our query we next set up a Do While loop that\u2019s designed to run until the variable i<\/I> is equal to 1. Of course, we\u2019ve designed the script so that i<\/I> will never<\/I> be equal to 1; that way the script will run forever and ever, or at least until you shut down the computer or kill the script process. We do that so that you can be notified any<\/I> time one of the target processes is created.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. Because the script is designed to run forever you might want to run the this baby in a command window under the CScript script host; that way you can stop the script simply by closing said command window. The script will<\/I> run under WScript, but you\u2019ll then have to use something like Task Manager to terminate the script.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
So what happens inside the Do loop? We had a feeling you\u2019d ask that. The very first thing we do inside that loop is execute the following line of code:<\/P>
Set objLatestProcess = colMonitoredProcesses.NextEvent\n<\/PRE>\n
What happens here is that the script stops dead in its tracks: it sits there, patiently, and waits for the next event to occur; that is, the script waits for the next member of the __InstanceCreationEvent class to be created (provided, of course, that the item triggering the instance creation happens to be a process). If no new processes are ever created then the script will simply sit there forever and ever.<\/P>\n
Of course, sooner or later a new process is bound to be created. When this happens we take the name of the new process, convert it to all lowercase letters (to make sure we don\u2019t run into problems comparing uppercase letters and lowercase letters), and then store the value in a variable named strProcess:<\/P>
strProcess = LCase(objLatestProcess.TargetInstance.Name)\n<\/PRE>\n
Once that\u2019s done our next task is to determine whether or not this new process happens to be one of our four target processes, the group of processes we stored in the array arrProcesses. A very easy way to do that is to simply loop through the items in the array and determine whether or not the names of any of those array items happen to match the name of the new process. In fact, that\u2019s what we do here:<\/P>
For Each strName in arrProcesses\n    If strName = strProcess Then\n        Wscript.Echo strName & ” has started.”\n    End If\nNext\n<\/PRE>\n
As you can see, this code is about as simple as it gets. All we do is determine whether the first name in the array happens to match the name of the new process (strProcess). If we have a match then we echo the name of the process and the fact that this process has just started. If we don\u2019t have a match we loop around and check the next name in the array. After we\u2019ve checked all four names we then zip back to the beginning of the loop and then wait for the next __InstanceCreationEvent to occur. <\/P>\n
That should do it, BC. Like we said, there might be more elegant ways to do this, but, then again, elegance is also a word you rarely see used in the same sentence as \u201cthe Scripting Guy who writes this column.\u201d In addition, this monitoring solution should work under any and all conditions, something which isn\u2019t true of the Scripting Son. A week or so ago the batteries in the remote control called it quits, and the Scripting Son was in a panic. \u201cCan\u2019t you go to the store and get some batteries?\u201d he asked. \u201cHow am I supposed to watch TV?\u201d<\/P>\n
\u201cCan\u2019t you just get up off the davenport and change the channel by hand?\u201d asked the Scripting Dad.<\/P>\n
At that point all it took was one look at the Scripting Son\u2019s face for the Scripting Dad to know what had to be done: he went and got new batteries right away. No sense tempting fate, if you know what we mean.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I use one script to monitor for the creation of four or five different processes?— BC Hey, BC. You know, it\u2019s too bad you didn\u2019t ask how you could monitor four or five TV shows at the same time. Had you done that we would have had the perfect answer […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,3,4,5,6],"class_list":["post-66333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-vbscript","tag-wmi"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I use one script to monitor for the creation of four or five different processes?— BC Hey, BC. You know, it\u2019s too bad you didn\u2019t ask how you could monitor four or five TV shows at the same time. Had you done that we would have had the perfect answer […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/66333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=66333"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/66333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=66333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=66333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=66333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}