I’m working on a class that monitors when processes on a machine start up and stop. The easiest way to do this is to use WMI with the Win32_ProcessStartTrace and Win32_ProcessStopTrace classes. I wrote a small class to test this out to make sure it meets my needs. Here is the code I’m using for my ProcessWatcher class:

using System;
using System.Management;

namespace ProcessWatcherTest
{
    class ProcessWatcher
    {
        private ManagementEventWatcher processStartWatcher;
        private ManagementEventWatcher processStopWatcher;

        public void StartMonitoring(string serverName)
        {
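            // WQL event queries against the process trace event classes.
            string startQuery = "SELECT * FROM Win32_ProcessStartTrace";
            string stopQuery = "SELECT * FROM Win32_ProcessStopTrace";
            // WMI namespace path on the target machine: \\server\root\cimv2
            string managementPath = string.Format(@"\\{0}\root\cimv2", serverName);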

            processStartWatcher = new ManagementEventWatcher(new WqlEventQuery(startQuery));
            processStopWatcher = new ManagementEventWatcher(new WqlEventQuery(stopQuery));
            ManagementScope scope = new ManagementScope(managementPath);
            scope.Connect();
            processStartWatcher.Scope = scope;
            processStopWatcher.Scope = scope;

            processStartWatcher.EventArrived += processStartWatcher_EventArrived;
            processStopWatcher.EventArrived += processStopWatcher_EventArrived;

            processStartWatcher.Start();
            processStopWatcher.Start();
        }

        public void StopMonitoring()
        {
            processStartWatcher.EventArrived -= processStartWatcher_EventArrived;
            processStopWatcher.EventArrived -= processStopWatcher_EventArrived;

            processStartWatcher.Stop();
            processStopWatcher.Stop();
        }

        void processStartWatcher_EventArrived(object sender, EventArrivedEventArgs e)
        {
            var o = e.NewEvent.Properties["ProcessName"];
            Console.WriteLine("Got Start: {0}", o.Value);
        }

        void processStopWatcher_EventArrived(object sender, EventArrivedEventArgs e)
        {
            var o = e.NewEvent.Properties["ProcessName"];
            Console.WriteLine("Got Stop: {0}", o.Value);
        }
    }
}

What I like about using WMI instead of polling the process list is that we can use events to get notified. This lets us hook into this class to allow for a more flexible design. For this test class, we’re simply writing out the name of the process to the console.

My development machine is running Windows Server 2008 R2 x64. When I ran my test app watching for local processes, it worked great! The console was listing all processes as they start and stop. Then I noticed something strange for the process stop message:

[Screenshot: Process Name Truncation Example]

Processes with names longer than 15 characters (including the extension) are getting truncated! I did some searches on the web, and didn’t find anything about this. Curious to see if this is only something on my machine, I copied the app over to a Windows Server 2003 x86 server I have running and got the following results:

[Screenshot: Process Name Not Truncated]

And sure enough, the full process name is displayed. So now I copied the app over to a machine running Windows Server 2008 x64 that runs one of our domain controllers. The process name was truncated again. So what does it mean?

I tested this on a few other Windows Server 2008 machines. They all showed the same truncation. I haven’t been able to test this on a 32-bit Windows Server 2008 box yet. I also haven’t tested this on any 64-bit Windows Server 2003 boxes yet either. That means either this is a 64-bit bug, or a Windows Server 2008 (& R2) bug. If I get some time, I’ll create VMs of the two other test cases and see what the results are.
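
One way to work around the truncated stop names, as an added example that is not part of the original post: cache the name reported by each start event under its ProcessID and look it up when the stop event arrives. It assumes start events carry the full name (the post only reports truncation on stop events); `ProcessNameResolver` and its method names are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Management;

// Added example: remembers the name seen at start, keyed by ProcessID,
// and uses it to repair the name reported by the stop event.
class ProcessNameResolver
{
    // Length at which the post observed stop-event names being cut off.
    private const int TruncatedLength = 15;
    // WMI events arrive on worker threads, so the map must be thread-safe.
    private readonly ConcurrentDictionary<uint, string> namesByPid =
        new ConcurrentDictionary<uint, string>();

    public void OnStart(uint pid, string name)
    {
        // Overwrite on purpose: Windows reuses process IDs.
        namesByPid[pid] = name ?? string.Empty;
    }

    public string OnStop(uint pid, string reportedName)
    {
        reportedName = reportedName ?? string.Empty;
        string cached;
        // Trust the cached name only if it extends the reported one; a
        // mismatch means the entry is stale (missed stop, reused PID).
        if (namesByPid.TryRemove(pid, out cached) &&
            cached.StartsWith(reportedName, StringComparison.OrdinalIgnoreCase))
            return cached;
        // Started before monitoring began: flag names that may be cut off.
        return reportedName.Length == TruncatedLength
            ? reportedName + " (possibly truncated)"
            : reportedName;
    }

    // Handlers to attach to the two watchers' EventArrived events.
    public void HandleStart(object sender, EventArrivedEventArgs e)
    {
        OnStart(Convert.ToUInt32(e.NewEvent["ProcessID"]),
                e.NewEvent["ProcessName"] as string);
    }

    public void HandleStop(object sender, EventArrivedEventArgs e)
    {
        Console.WriteLine("Got Stop: {0}", OnStop(
            Convert.ToUInt32(e.NewEvent["ProcessID"]),
            e.NewEvent["ProcessName"] as string));
    }
}
```

Subscribe `HandleStart` and `HandleStop` to the start and stop watchers in place of the two console-only handlers. A name that is exactly 15 characters and has no cached start entry stays ambiguous, which is why it is flagged instead of guessed.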