Truncated ProcessName in Win32_ProcessStartTrace query
I am using this code to monitor processes:
var startWatch = new ManagementEventWatcher(
"SELECT * FROM Win32_ProcessStartTrace");
startWatch.EventArrived += startWatch_EventArrived;
startWatch.Start();
var stopWatch = new ManagementEventWatcher(
"SELECT * FROM Win32_ProcessStopTrace");
stopWatch.EventArrived += stopWatch_EventArrived;
stopWatch.Start();
The problem is that the ProcessName property is truncated to 14 characters in both callbacks.
var name = e.NewEvent.Properties["ProcessName"].Value.ToString();
Both processes (the monitor and the monitored one) are x64 .NET console applications.
Does anyone know what might be causing this?
Use __InstanceCreationEvent/__InstanceDeletionEvent instead
Example
var startWatch = new ManagementEventWatcher(
"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");
startWatch.EventArrived += startWatch_EventArrived;
startWatch.Start();
var stopWatch = new ManagementEventWatcher(
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");
stopWatch.EventArrived += stopWatch_EventArrived;
stopWatch.Start();
Event example
// e.NewEvent now has only 3 properties; we should focus on the TargetInstance property
var targetInstance = (ManagementBaseObject) e.NewEvent["TargetInstance"];
// TargetInstance has more than 40 properties, some properties can be null
var name = targetInstance["Name"]?.ToString();
Tested on .NET Core 3.1 with the System.Management NuGet package.
Before
// Win32_ProcessStartTrace
"League of Legends.exe"
// Win32_ProcessStopTrace
"League of Le" // How can this happen??? Like how???
After
// __InstanceCreationEvent
"League of Legends.exe"
// __InstanceDeletionEvent
"League of Legends.exe"
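
A related approach, as an added example that is not from the original question or answer: keep the Win32_ProcessStartTrace/Win32_ProcessStopTrace subscriptions, resolve the full name from Win32_Process by ProcessID when the process starts, and cache it for the stop event. The `WITHIN 1` queries above poll once per second, so a process that starts and exits between polls produces no event; the trace classes do not poll, but they usually require an elevated process. The class name ProcessMonitor and the helper LookupFullName are hypothetical.

```csharp
// Added example, not the poster's code. Needs the System.Management NuGet package.
using System;
using System.Collections.Concurrent;
using System.Management;

static class ProcessMonitor
{
    // pid -> full image name, filled on start so the stop handler can reuse it
    static readonly ConcurrentDictionary<uint, string> Names =
        new ConcurrentDictionary<uint, string>();

    // Resolve the untruncated name from Win32_Process; null if the process already exited.
    static string LookupFullName(uint pid)
    {
        using (var searcher = new ManagementObjectSearcher(
            "SELECT Name FROM Win32_Process WHERE ProcessId = " + pid))
        using (var results = searcher.Get())
            foreach (ManagementBaseObject p in results)
                using (p) return p["Name"]?.ToString();
        return null;
    }

    static void OnStart(object sender, EventArrivedEventArgs e)
    {
        uint pid = Convert.ToUInt32(e.NewEvent["ProcessID"]);
        // Fall back to the (possibly truncated) trace value if the lookup finds nothing.
        string name = LookupFullName(pid) ?? e.NewEvent["ProcessName"]?.ToString();
        Names[pid] = name;
        Console.WriteLine($"start pid={pid} name={name}");
    }

    static void OnStop(object sender, EventArrivedEventArgs e)
    {
        uint pid = Convert.ToUInt32(e.NewEvent["ProcessID"]);
        // The process is gone by now, so only the cache can supply the full name.
        if (!Names.TryRemove(pid, out string name))
            name = e.NewEvent["ProcessName"]?.ToString();
        Console.WriteLine($"stop  pid={pid} name={name}");
    }

    static void Main()
    {
        using (var startWatch = new ManagementEventWatcher("SELECT * FROM Win32_ProcessStartTrace"))
        using (var stopWatch = new ManagementEventWatcher("SELECT * FROM Win32_ProcessStopTrace"))
        {
            startWatch.EventArrived += OnStart;
            stopWatch.EventArrived += OnStop;
            startWatch.Start();
            stopWatch.Start();
            Console.ReadLine(); // press Enter to quit; Dispose stops both watchers
        }
    }
}
```

Processes that were already running when the monitor started are not in the cache, so their stop events still report the trace value.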