我正在使用此代码来监控进程:
var startWatch = new ManagementEventWatcher(
"SELECT * FROM Win32_ProcessStartTrace");
startWatch.EventArrived += startWatch_EventArrived;
startWatch.Start();
var stopWatch = new ManagementEventWatcher(
"SELECT * FROM Win32_ProcessStopTrace");
stopWatch.EventArrived += stopWatch_EventArrived;
stopWatch.Start();
问题是 - 在两个回调中,ProcessName属性被截断为14个字符。
var name = e.NewEvent.Properties["ProcessName"].Value.ToString();
这两个进程(监视和监视)都是x64 .NET控制台应用程序。
任何人都知道可能是什么原因?
答案 0 :(得分:1)
改为使用__InstanceCreationEvent / __InstanceDeletionEvent
示例
var startWatch = new ManagementEventWatcher(
"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");
startWatch.EventArrived += startWatch_EventArrived;
startWatch.Start();
var stopWatch = new ManagementEventWatcher(
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");
stopWatch.EventArrived += stopWatch_EventArrived;
stopWatch.Start();
事件示例
// e.NewEvent now have only 3 properties, we should focus on TargetInstance property
var targetInstance = (ManagementBaseObject) e.NewEvent["TargetInstance"];
// TargetInstance has more than 40 properties, some properties can be null
var name = targetInstance["Name"]?.ToString();
在带有System.Management NuGet软件包的.NET Core 3.1上进行了测试。
之前
// Win32_ProcessStartTrace
"League of Legends.exe"
// Win32_ProcessStopTrace
"League of Le" // How can this happen??? Like how???
之后
// __InstanceCreationEvent
"League of Legends.exe"
// __InstanceDeletionEvent
"League of Legends.exe"