Win32_ProcessStopTrace Truncation Follow-up

Yesterday I wrote about a bug I discovered when using WMI to monitor process start-ups and terminations. The bug is that the ProcessName property is truncated to 15 characters in the Win32_ProcessStopTrace object.

Two test scenarios I still needed were on 32-bit Windows Server 2008 and 64-bit Windows Server 2003. I built up a 32-bit Windows Server 2008 and tested using the code I posted yesterday. Sure enough, the ProcessName was truncated. I still want to build up a 64-bit Windows Server 2003 box, but it’s not a priority since this appears to be a 2008 issue.

Work-around To Track Process Lifetime

Since we can’t use the ProcessName reliably on Windows Server 2008, I need a better way to link the start-ups and the terminations. A simple solution is to also track the ProcessID, which is provided in both the Win32_ProcessStartTrace and Win32_ProcessStopTrace objects. When a Start is triggered, I just keep track of both the ProcessName and ProcessID. When I get the Stop event, I can look up the cached ProcessName using the ProcessID received in the Stop event.
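
One way to implement the ProcessID cache described above, as an added example (this is not the code from the earlier post). The source identifiers ProcStart and ProcStop and the variable names are assumptions, and it needs an elevated Windows PowerShell session. It also handles two cases the cache has to cope with: a reused ProcessID, and a Stop event for a process that started before monitoring began.

```powershell
# Added example: correlate Start/Stop trace events by ProcessID so the full
# ProcessName from the Start event can be reported when the process stops.
# ProcStart / ProcStop are hypothetical source identifiers chosen for this example.

# ProcessID -> full ProcessName captured from Win32_ProcessStartTrace.
# Synchronized because event actions run outside the caller's scope.
$cache = [hashtable]::Synchronized(@{})

Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier ProcStart `
    -MessageData $cache -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # ProcessIDs are reused after a process exits; the newest Start wins.
        $Event.MessageData[[uint32]$e.ProcessID] = $e.ProcessName
    } | Out-Null

Register-WmiEvent -Class Win32_ProcessStopTrace -SourceIdentifier ProcStop `
    -MessageData $cache -Action {
        $e     = $Event.SourceEventArgs.NewEvent
        $cache = $Event.MessageData
        $id    = [uint32]$e.ProcessID

        if ($cache.ContainsKey($id)) {
            $name = $cache[$id]
            # Remove the entry so a later process with the same ProcessID
            # cannot be reported under a stale name.
            $cache.Remove($id)
        }
        else {
            # Started before monitoring began: only the Stop event's
            # (possibly truncated) ProcessName is available.
            $name = "$($e.ProcessName) (no Start event seen)"
        }

        Write-Host ("{0:u} stop pid={1} name={2}" -f (Get-Date), $id, $name)
    } | Out-Null

# When finished:
#   Unregister-Event -SourceIdentifier ProcStart
#   Unregister-Event -SourceIdentifier ProcStop
```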

I’m planning on posting this bug to Microsoft Connect once I find the right section to do that in.
