strictlymike/ptray2.cs

## ptray2.cs
using System;
using System.Diagnostics;
using System.Drawing;
using System.Management;
using System.Text.RegularExpressions;
using System.Windows.Forms;

namespace MyTrayApp
{
	public class SysTrayApp : Form
	{

		[STAThread]
		public static void Main()
		{
			SysTrayApp app = new SysTrayApp();

			// NEED to modify registry:
			// http://stackoverflow.com/questions/2382896/how-to-collect-the-new-applications-and-services-logs-found-on-windows-7-or-wi
			ManagementEventWatcher startWatch = new ManagementEventWatcher(
					new WqlEventQuery("SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.SourceName = 'Microsoft-Windows-Sysmon' AND TargetInstance.EventIdentifier = '1'"));
			startWatch.EventArrived += new EventArrivedEventHandler(app.NotifyProcessStart);
			startWatch.Start();

			Application.Run(app);
		}

		private NotifyIcon  trayIcon;
		private ContextMenu trayMenu;
		private string lastMessage = null;

		public void NotifyProcessStart(object sender, EventArrivedEventArgs e)
		{
			string systray_msg = "(Error - Unknown)";
			string imgname;
			string pid;
			string cmdline;
			string pat = @"ProcessId: ([^\n]+)\s+Image: ([^\n]+)\s+CommandLine: ([^\n]+)\s+CurrentDirectory:";
			Regex re = new Regex(pat, RegexOptions.Compiled);
			const int timeout = 8;
			try {
				ManagementBaseObject targ = (ManagementBaseObject)e.NewEvent.Properties["TargetInstance"].Value;
				string message = (string)targ.Properties["Message"].Value;
				Match m = re.Match(message);
				if (m.Success) {
					pid = m.Groups[1].Value.TrimEnd('\r','\n');
					imgname = m.Groups[2].Value.TrimEnd('\r','\n');
					cmdline = m.Groups[3].Value.TrimEnd('\r','\n');

					Console.WriteLine("-------------------------------------------------------------------------------");
					Console.WriteLine("New process:\n{0}\n", message);

					systray_msg = imgname + " (" + pid + " - " + cmdline + ")";
				}
			} catch (Exception ex) {
				Console.WriteLine("New process");
				systray_msg = "(Error - " + ex.Message + ")";
			}

			trayIcon.ShowBalloonTip(
				timeout,
				"New Process",
				systray_msg + ((null != lastMessage)? " - previously: " + lastMessage: ""),
				ToolTipIcon.Info
			   );

			lastMessage = systray_msg;
		}

		public SysTrayApp()
		{
			trayMenu = new ContextMenu();
			trayMenu.MenuItems.Add("Exit", OnExit);

			trayIcon      = new NotifyIcon();
			trayIcon.Text = "ptray";
			trayIcon.Icon = new Icon(SystemIcons.Application, 40, 40);

			trayIcon.ContextMenu = trayMenu;
			trayIcon.Visible     = true;
		}

		protected override void OnLoad(EventArgs e)
		{
			Visible       = false;
			ShowInTaskbar = false;
			base.OnLoad(e);
		}

		private void OnExit(object sender, EventArgs e)
		{
			Application.Exit();
		}

		protected override void Dispose(bool isDisposing)
		{
			if (isDisposing) { trayIcon.Dispose(); }
			base.Dispose(isDisposing);
		}
	}
}
	using System;
	using System.Diagnostics;
	using System.Drawing;
	using System.Management;
	using System.Text.RegularExpressions;
	using System.Windows.Forms;

	namespace MyTrayApp
	{
	public class SysTrayApp : Form
	{

	[STAThread]
	public static void Main()
	{
	SysTrayApp app = new SysTrayApp();

	// NEED to modify registry:
	// http://stackoverflow.com/questions/2382896/how-to-collect-the-new-applications-and-services-logs-found-on-windows-7-or-wi
	ManagementEventWatcher startWatch = new ManagementEventWatcher(
	new WqlEventQuery("SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.SourceName = 'Microsoft-Windows-Sysmon' AND TargetInstance.EventIdentifier = '1'"));
	startWatch.EventArrived += new EventArrivedEventHandler(app.NotifyProcessStart);
	startWatch.Start();

	Application.Run(app);
	}

	private NotifyIcon trayIcon;
	private ContextMenu trayMenu;
	private string lastMessage = null;

	public void NotifyProcessStart(object sender, EventArrivedEventArgs e)
	{
	string systray_msg = "(Error - Unknown)";
	string imgname;
	string pid;
	string cmdline;
	string pat = @"ProcessId: ([^\n]+)\s+Image: ([^\n]+)\s+CommandLine: ([^\n]+)\s+CurrentDirectory:";
	Regex re = new Regex(pat, RegexOptions.Compiled);
	const int timeout = 8;
	try {
	ManagementBaseObject targ = (ManagementBaseObject)e.NewEvent.Properties["TargetInstance"].Value;
	string message = (string)targ.Properties["Message"].Value;
	Match m = re.Match(message);
	if (m.Success) {
	pid = m.Groups[1].Value.TrimEnd('\r','\n');
	imgname = m.Groups[2].Value.TrimEnd('\r','\n');
	cmdline = m.Groups[3].Value.TrimEnd('\r','\n');

	Console.WriteLine("-------------------------------------------------------------------------------");
	Console.WriteLine("New process:\n{0}\n", message);

	systray_msg = imgname + " (" + pid + " - " + cmdline + ")";
	}
	} catch (Exception ex) {
	Console.WriteLine("New process");
	systray_msg = "(Error - " + ex.Message + ")";
	}

	trayIcon.ShowBalloonTip(
	timeout,
	"New Process",
	systray_msg + ((null != lastMessage)? " - previously: " + lastMessage: ""),
	ToolTipIcon.Info
	);

	lastMessage = systray_msg;
	}

	public SysTrayApp()
	{
	trayMenu = new ContextMenu();
	trayMenu.MenuItems.Add("Exit", OnExit);

	trayIcon = new NotifyIcon();
	trayIcon.Text = "ptray";
	trayIcon.Icon = new Icon(SystemIcons.Application, 40, 40);

	trayIcon.ContextMenu = trayMenu;
	trayIcon.Visible = true;
	}

	protected override void OnLoad(EventArgs e)
	{
	Visible = false;
	ShowInTaskbar = false;
	base.OnLoad(e);
	}

	private void OnExit(object sender, EventArgs e)
	{
	Application.Exit();
	}

	protected override void Dispose(bool isDisposing)
	{
	if (isDisposing) { trayIcon.Dispose(); }
	base.Dispose(isDisposing);
	}
	}
	}