What is the wins process windows

Using Window Procedures

This section explains how to perform the following tasks associated with window procedures.

Designing a Window Procedure

The following example shows the structure of a typical window procedure. The window procedure uses the message argument in a switch statement with individual messages handled by separate case statements. Notice that each case returns a specific value for each message. For messages that it does not process, the window procedure calls the DefWindowProc function.

The WM_NCCREATE message is sent just after your window is created, but if an application responds to this message by returning FALSE, the CreateWindowEx function fails. The WM_CREATE message is sent after your window is already created.

The WM_DESTROY message is sent when your window is about to be destroyed. The DestroyWindow function takes care of destroying any child windows of the window being destroyed. The WM_NCDESTROY message is sent just before a window is destroyed.

At the very least, a window procedure should process the WM_PAINT message to draw itself. Typically, it should handle mouse and keyboard messages as well. Consult the descriptions of individual messages to determine whether your window procedure should handle them.

Your application can call the DefWindowProc function as part of the processing of a message. In such a case, the application can modify the message parameters before passing the message to DefWindowProc, or it can continue with the default processing after performing its own operations.

A dialog box procedure receives a WM_INITDIALOG message instead of a WM_CREATE message and does not pass unprocessed messages to the DefDlgProc function. Otherwise, a dialog box procedure is exactly the same as a window procedure.

Associating a Window Procedure with a Window Class

You associate a window procedure with a window class when registering the class. You must fill a WNDCLASS structure with information about the class, and the lpfnWndProc member must specify the address of the window procedure. To register the class, pass the address of the WNDCLASS structure to the RegisterClass function. After the window class has been registered, the window procedure is automatically associated with each new window created with that class.

The following example shows how to associate the window procedure in the previous example with a window class.

Subclassing a Window

To subclass an instance of a window, call the SetWindowLong function and specify the handle to the window to subclass, the GWL_WNDPROC flag, and a pointer to the subclass procedure. SetWindowLong returns a pointer to the original window procedure; use this pointer to pass messages to the original procedure. The subclass window procedure must use the CallWindowProc function to call the original window procedure.

To write code that is compatible with both 32-bit and 64-bit versions of Windows, use the SetWindowLongPtr function.

The following example shows how to subclass an instance of an edit control in a dialog box. The subclass window procedure enables the edit control to receive all keyboard input, including the ENTER and TAB keys, whenever the control has the input focus.

How to remove the wind virus

Most antivirus programs identify wind.exe as malware—for instance Microsoft identifies it as Backdoor:Win32/Gaertob.A or Worm:Win32/Debllama.A, and Kaspersky identifies it as Trojan.Win32.Antavmu.gmr or Worm.Win32.VB.xa.

The free file information forum can help you find out how to remove it. If you have additional information about this file, please leave a comment or a suggestion for other users.

Wind.exe file information

The process known as wind.exe belongs to software propaganda by The Devil.

Description: Wind.exe is not essential for Windows and will often cause problems. The wind.exe file is located in the C:\Windows\System32 folder. The file size on Windows 10/8/7/XP is 61,440 bytes.
There is no description of the program. Wind.exe is not a Windows core file. Wind.exe is able to manipulate other programs. Therefore the technical security rating is 41% dangerous.

If wind.exe is located in the C:\Windows folder, the security rating is 96% dangerous. The file size is 69,632 bytes. The program has no file description. The file is an unknown file in the Windows folder. The program has no visible window. The application is loaded during the Windows boot process (see Registry key: MACHINE\Run). The application listens for or sends data on open ports to a LAN or the Internet. The wind.exe file is not a Windows core file.

External information from Paul Collins:

  • «wind.exe» definitely not required. Added by the MITGLIEDER.BD TROJAN!

Important: You should check the wind.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer’s security. This was one of the Top Download Picks of The Washington Post and PC World.

Best practices for resolving wind issues

The following programs have also been shown useful for a deeper analysis: Security Task Manager examines the active wind process on your computer and clearly tells you what it is doing. Malwarebytes’ well-known anti-malware tool tells you if the wind.exe on your computer displays annoying ads, slowing it down. This type of unwanted adware program is not considered by some antivirus software to be a virus and is therefore not marked for cleanup.

A clean and tidy computer is the key requirement for avoiding PC trouble. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows’ Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

What is wins.exe?

The genuine file is a software component of Windows Internet Name Service by Microsoft.
A background process for very early versions of Microsoft Windows, this application provides IP address resolution to domain names. It is the immediate predecessor to modern DNS and is no longer supported. Microsoft was founded in 1975; its flagship product is the Windows operating system, which is installed on over 90% of workstations worldwide.

The .exe extension on a filename indicates an executable file. Executable files may, in some cases, harm your computer. Therefore, please read below to decide for yourself whether the wins.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.

Wins.exe file information

Description: Wins.exe is not essential for Windows and will often cause problems. Wins.exe is located in a subfolder of C:\Windows\System32—mostly C:\Windows\System32\config\systemprofile\Impostazioni locali\Dati applicazioni\Windows Internet Name Service\ or C:\Windows\System32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Windows Internet Name Service\. Known file sizes on Windows 10/8/7/XP are 4,726,784 bytes (40% of all occurrences), 2,497,024 bytes and 6 more variants.
The application has no file description. The program is not visible. Wins.exe is an unknown file in the Windows folder. It is not a Windows system file. The application listens for or sends data on open ports to a LAN or the Internet. Wins.exe is able to monitor applications. Therefore the technical security rating is 71% dangerous, but you should also take into account the user reviews.

  • If wins.exe is located in a subfolder of C:\Windows, the security rating is 56% dangerous. The file size is 4,726,784 bytes (66% of all occurrences) or 1,400,832 bytes. It is an unknown file in the Windows folder. It is not a Windows core file. There is no description of the program. The program is not visible. Wins.exe is able to monitor applications.
  • If wins.exe is located in the C:\Windows\System32 folder, the security rating is 24% dangerous. The file size is 1,400,832 bytes. The software has no file description. The file is not a Windows system file. The program has a visible window. The wins.exe file is an unknown file in the Windows folder.
External information from Paul Collins:

  • «msconfig» definitely not required.

Writing the Window Procedure

The DispatchMessage function calls the window procedure of the window that is the target of the message. The window procedure has the following signature.

There are four parameters:

  • hwnd is a handle to the window.
  • uMsg is the message code; for example, the WM_SIZE message indicates the window was resized.
  • wParam and lParam contain additional data that pertains to the message. The exact meaning depends on the message code.

LRESULT is an integer value that your program returns to Windows. It contains your program’s response to a particular message. The meaning of this value depends on the message code. CALLBACK is the calling convention for the function.

A typical window procedure is simply a large switch statement that switches on the message code. Add cases for each message that you want to handle.

Additional data for the message is contained in the lParam and wParam parameters. Both parameters are integer values the size of a pointer width (32 bits or 64 bits). The meaning of each depends on the message code (uMsg). For each message, you will need to look up the message code on MSDN and cast the parameters to the correct data type. Usually the data is either a numeric value or a pointer to a structure. Some messages do not have any data.

For example, the documentation for the WM_SIZE message states that:

  • wParam is a flag that indicates whether the window was minimized, maximized, or resized.
  • lParam contains the new width and height of the window as 16-bit values packed into one 32- or 64-bit number. You will need to perform some bit-shifting to get these values. Fortunately, the header file WinDef.h includes helper macros that do this.

A typical window procedure handles dozens of messages, so it can grow quite long. One way to make your code more modular is to put the logic for handling each message in a separate function. In the window procedure, cast the wParam and lParam parameters to the correct data type, and pass those values to the function. For example, to handle the WM_SIZE message, the window procedure would look like this:

The LOWORD and HIWORD macros get the 16-bit width and height values from lParam. (You can look up these kinds of details in the MSDN documentation for each message code.) The window procedure extracts the width and height, and then passes these values to the OnSize function.

Default Message Handling

If you don’t handle a particular message in your window procedure, pass the message parameters directly to the DefWindowProc function. This function performs the default action for the message, which varies by message type.

Avoiding Bottlenecks in Your Window Procedure

While your window procedure executes, it blocks any other messages for windows created on the same thread. Therefore, avoid lengthy processing inside your window procedure. For example, suppose your program opens a TCP connection and waits indefinitely for the server to respond. If you do that inside the window procedure, your UI will not respond until the request completes. During that time, the window cannot process mouse or keyboard input, repaint itself, or even close.

Instead, you should move the work to another thread, using one of the multitasking facilities that are built into Windows:

  • Create a new thread.
  • Use a thread pool.
  • Use asynchronous I/O calls.
  • Use asynchronous procedure calls.

Win32_Process class

The Win32_Process WMI class represents a process on an operating system.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

For a general discussion on Processes and Threads within Windows, please see the topic Processes and Threads.

Syntax

Members

The Win32_Process class has these types of members:

Methods

The Win32_Process class has these methods.

Method Description
AttachDebugger Launches the currently registered debugger for a process.
Create Creates a new process.
GetAvailableVirtualSize Retrieves the current size, in bytes, of the free virtual address space available to the process.
Windows Server 2012, Windows 8, Windows 7, Windows Server 2008 and Windows Vista: This method is not supported before Windows 8.1 and Windows Server 2012 R2.
GetOwner Retrieves the user name and domain name under which the process is running.
GetOwnerSid Retrieves the security identifier (SID) for the owner of a process.
SetPriority Changes the execution priority of a process.
Terminate Terminates a process and all of its threads.

Properties

The Win32_Process class has these properties.

Caption

Data type: string

Access type: Read-only

Short description of an object—a one-line string.

CommandLine

Data type: string

Access type: Read-only

Qualifiers: DisplayName («Command Line To Start Process»)

Command line used to start a specific process, if applicable.

CreationClassName

Data type: string

Access type: Read-only

Name of the class or subclass used in the creation of an instance. When used with other key properties of the class, this property allows all instances of the class and its subclasses to be uniquely identified.

CreationDate

Data type: datetime

Access type: Read-only

Date the process begins executing.

CSCreationClassName

Data type: string

Access type: Read-only

Creation class name of the scoping computer system.

CSName

Data type: string

Access type: Read-only

Name of the scoping computer system.

Description

Data type: string

Access type: Read-only

Description of an object.

ExecutablePath

Data type: string

Access type: Read-only

Path to the executable file of the process.

ExecutionState

Data type: uint16

Access type: Read-only

Current operating condition of the process.

Unknown (0)

Other (1)

Ready (2)

Running (3)

Blocked (4)

Suspended Blocked (5)

Suspended Ready (6)

Terminated (7)

Stopped (8)

Growing (9)

Handle

Data type: string

Access type: Read-only

HandleCount

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|HandleCount»), DisplayName («Handle Count»)

Total number of open handles owned by the process. HandleCount is the sum of the handles currently open by each thread in this process. A handle is used to examine or modify the system resources. Each handle has an entry in a table that is maintained internally. Entries contain the addresses of the resources and data to identify the resource type.

InstallDate

Data type: datetime

Access type: Read-only

Date an object is installed. The object may be installed without a value being written to this property.

KernelModeTime

Data type: uint64

Access type: Read-only

Time in kernel mode, in milliseconds. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

MaximumWorkingSetSize

Data type: uint32

Access type: Read-only

Maximum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident, and available for an application to use without triggering a page fault.

MinimumWorkingSetSize

Data type: uint32

Access type: Read-only

Minimum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault.

Name

Data type: string

Access type: Read-only

Name of the executable file responsible for the process, equivalent to the Image Name property in Task Manager.

When inherited by a subclass, the property can be overridden to be a key property. The name is hard-coded into the application itself and is not affected by changing the file name. For example, even if you rename Calc.exe, the name Calc.exe will still appear in Task Manager and in any WMI scripts that retrieve the process name.

OSCreationClassName

Data type: string

Access type: Read-only

Creation class name of the scoping operating system.

OSName

Data type: string

Access type: Read-only

Name of the scoping operating system.

OtherOperationCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|OtherOperationCount»), DisplayName («Other Operation Count»)

Number of I/O operations performed that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

OtherTransferCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|OtherTransferCount»), DisplayName («Other Transfer Count»), Units («bytes»)

Amount of data transferred during operations that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

PageFaults

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PageFaultCount»), DisplayName («Number Of Page Faults»)

Number of page faults that a process generates.

PageFileUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PagefileUsage»), DisplayName («Page File Usage»), Units («kilobytes»)

Amount of page file space that a process is using currently. This value is consistent with the VMSize value in TaskMgr.exe.

ParentProcessId

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|InheritedFromUniqueProcessId»), DisplayName («Parent Process Id»)

Unique identifier of the process that creates a process. Process identifier numbers are reused, so they only identify a process for the lifetime of that process. It is possible that the process identified by ParentProcessId is terminated, so ParentProcessId may not refer to a running process. It is also possible that ParentProcessId incorrectly refers to a process that reuses a process identifier. You can use the CreationDate property to determine whether the specified parent was created after the process represented by this Win32_Process instance was created.
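The CreationDate comparison described for ParentProcessId, as an added Python example (not part of the original documentation). The records and the helper names `parse_cim_datetime`, `classify_parent` and `lineage` are constructed for illustration; it assumes CreationDate arrives in the CIM datetime layout `yyyymmddHHMMSS.mmmmmm+UUU`.

```python
from datetime import datetime, timedelta, timezone

# Constructed Win32_Process-style records (not captured from a real host).
# CreationDate uses the CIM datetime layout yyyymmddHHMMSS.mmmmmm+UUU,
# where UUU is the offset from UTC in minutes.
SAMPLE = [
    {"ProcessId": 600, "ParentProcessId": 500, "Name": "services.exe",
     "CreationDate": "20240305080000.000000+060"},
    {"ProcessId": 1200, "ParentProcessId": 600, "Name": "svchost.exe",
     "CreationDate": "20240305080005.000000+060"},
    {"ProcessId": 6000, "ParentProcessId": 1200, "Name": "cmd.exe",
     "CreationDate": "20240305082000.000000+060"},
    # PID 5200 was recycled: notepad.exe started after wind.exe did,
    # so it cannot be the process that created wind.exe.
    {"ProcessId": 4400, "ParentProcessId": 5200, "Name": "wind.exe",
     "CreationDate": "20240305081200.000000+060"},
    {"ProcessId": 5200, "ParentProcessId": 6000, "Name": "notepad.exe",
     "CreationDate": "20240305093000.000000+060"},
]


def parse_cim_datetime(value):
    """Convert a CIM datetime string to a timezone-aware datetime."""
    stamp, sign, offset = value[:21], value[21], value[22:25]
    minutes = int(offset) * (1 if sign == "+" else -1)
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S.%f")
    return local.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def index_by_pid(records):
    """Map ProcessId to its record for one snapshot of the process list."""
    return {r["ProcessId"]: r for r in records}


def classify_parent(child, by_pid):
    """Return (verdict, parent_or_None) for the child's ParentProcessId.

    'self'          the record names itself as parent
    'parent-exited' no running process has that PID any more
    'pid-reused'    the PID's current owner was created after the child
    'ok'            the current owner predates the child
    """
    ppid = child["ParentProcessId"]
    if ppid == child["ProcessId"]:
        return "self", None
    parent = by_pid.get(ppid)
    if parent is None:
        return "parent-exited", None
    born_parent = parse_cim_datetime(parent["CreationDate"])
    born_child = parse_cim_datetime(child["CreationDate"])
    if born_parent > born_child:
        return "pid-reused", None
    return "ok", parent


def lineage(proc, by_pid):
    """Walk up validated parents only; stop at the first unverifiable link."""
    chain, seen = [proc["Name"]], {proc["ProcessId"]}
    while True:
        verdict, parent = classify_parent(proc, by_pid)
        if verdict != "ok" or parent["ProcessId"] in seen:
            return chain
        chain.append(parent["Name"])
        seen.add(parent["ProcessId"])
        proc = parent


if __name__ == "__main__":
    table = index_by_pid(SAMPLE)
    for record in SAMPLE:
        verdict, _ = classify_parent(record, table)
        print(record["Name"], verdict, " <- ".join(lineage(record, table)))
```

Timestamps are compared after parsing rather than as strings, because two records can carry different UTC offsets.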

PeakPageFileUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PeakPagefileUsage»), DisplayName («Peak Page File Usage»), Units («kilobytes»)

Maximum amount of page file space used during the life of a process.

PeakVirtualSize

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PeakVirtualSize»), DisplayName («Peak Virual Address Space Usage»), Units («bytes»)

Maximum virtual address space a process uses at any one time. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. However, virtual space is finite, and by using too much the process might not be able to load libraries.

For more information about using uint64 values in scripts, see Scripting in WMI.

PeakWorkingSetSize

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PeakWorkingSetSize»), DisplayName («Peak Working Set Size»), Units («kilobytes»)

Peak working set size of a process.

Priority

Data type: uint32

Access type: Read-only

Scheduling priority of a process within an operating system. The higher the value, the higher priority a process receives. Priority values can range from 0 (zero), which is the lowest priority, to 31, which is the highest priority.

PrivatePageCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PrivatePageCount»), DisplayName («Private Page Count»)

Current number of pages allocated that are only accessible to the process represented by this Win32_Process instance.

For more information about using uint64 values in scripts, see Scripting in WMI.

ProcessId

Data type: uint32

Access type: Read-only

Numeric identifier used to distinguish one process from another. ProcessIDs are valid from process creation time to process termination. Upon termination, that same numeric identifier can be applied to a new process.

This means that you cannot use ProcessID alone to monitor a particular process. For example, an application could have a ProcessID of 7, and then fail. When a new process is started, the new process could be assigned ProcessID 7. A script that checked only for a specified ProcessID could thus be «fooled» into thinking that the original application was still running.

QuotaNonPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaNonPagedPoolUsage»), DisplayName («Non-Paged Pool Usage Quota»)

Quota amount of nonpaged pool usage for a process.

QuotaPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaPagedPoolUsage»), DisplayName («Paged Pool Usage Quota»)

Quota amount of paged pool usage for a process.

QuotaPeakNonPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaPeakNonPagedPoolUsage»), DisplayName («Peak Non-Paged Pool Usage Quota»)

Peak quota amount of nonpaged pool usage for a process.

QuotaPeakPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaPeakPagedPoolUsage»), DisplayName («Peak Paged Pool Usage Quota»)

Peak quota amount of paged pool usage for a process.

ReadOperationCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|ReadOperationCount»), DisplayName («Read Operation Count»)

Number of read operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

ReadTransferCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|ReadTransferCount»), DisplayName («Read Transfer Count»), Units («bytes»)

Amount of data read.

For more information about using uint64 values in scripts, see Scripting in WMI.

SessionId

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|SessionId»), DisplayName («Session Id»)

Unique identifier that an operating system generates when a session is created. A session spans a period of time from logon until logoff from a specific system.

Status

Data type: string

Access type: Read-only

This property is not implemented and does not get populated for any instance of this class. It is always NULL.

Values include the following:

OK («OK»)

Error («Error»)

Degraded («Degraded»)

Unknown («Unknown»)

Pred Fail («Pred Fail»)

Starting («Starting»)

Stopping («Stopping»)

Service («Service»)

Stressed («Stressed»)

NonRecover («NonRecover»)

No Contact («No Contact»)

Lost Comm («Lost Comm»)

TerminationDate

Data type: datetime

Access type: Read-only

Process was stopped or terminated. To get the termination time, a handle to the process must be held open. Otherwise, this property returns NULL.

ThreadCount

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|NumberOfThreads»), DisplayName («Thread Count»)

Number of active threads in a process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes an instruction. Each running process has at least one thread.

UserModeTime

Data type: uint64

Access type: Read-only

Time in user mode, in 100 nanosecond units. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

VirtualSize

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|VirtualSize»), DisplayName («Virtual Address Space Usage»), Units («bytes»)

Current size of the virtual address space that a process is using, not the physical or virtual memory actually used by the process. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and by using too much, the process might not be able to load libraries. This value is consistent with what you see in Perfmon.exe.

For more information about using uint64 values in scripts, see Scripting in WMI.

WindowsVersion

Data type: string

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Functions|GetProcessVersion»), DisplayName («Windows Version»)

Version of Windows in which the process is running.

WorkingSetSize

Data type: uint64

Access type: Read-only

Amount of memory in bytes that a process needs to execute efficiently—for an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero). If working set data is provided, you can monitor the information to understand the changing memory requirements of a process.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteOperationCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|WriteOperationCount»), DisplayName («Write Operation Count»)

Number of write operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteTransferCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings («Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|WriteTransferCount»), DisplayName («Write Transfer Count»), Units («bytes»)

Amount of data written.

For more information about using uint64 values in scripts, see Scripting in WMI.

Remarks

The Win32_Process class is derived from CIM_Process. The calling process that uses this class must have the SE_RESTORE_NAME privilege on the computer in which the registry resides. For more information, see Executing Privileged Operations.

Overview

Processes underlie almost everything that happens on a computer. In fact, the root cause of most computer problems can be traced to processes; for example, too many processes might be running on a computer (and contending for a finite set of resources), or a single process might be using more than its share of resources. These factors make it important to keep a close watch on the processes running on a computer. Process monitoring, the main activity in process management, allows you to determine what a computer actually does, what applications the computer runs, and how those applications are affected by changes in the computing environment.

Monitoring a Process

Monitoring processes on a regular basis helps you ensure that a computer runs at peak efficiency and that it carries out its appointed tasks as expected. For example, by monitoring processes you can be notified immediately of any application that has stopped responding, and then take steps to end that process. In addition, process monitoring enables you to identify problems before they occur. For example, by repeatedly checking the amount of memory used by a process, you can identify a memory leak. You can then stop the process before the errant application uses all of the available memory and brings the computer to a halt.

Process monitoring also helps minimize the disruptions caused by planned outages for upgrades and maintenance. For example, by checking the status of a database application running on client computers, you can determine the impact of taking the database offline in order to upgrade the software.

Monitoring process availability. Measures the percentage of time that a process is available. Availability is typically monitored by use of a simple probe, which reports whether the process is still running. By keeping track of the results of each probe, you can calculate the availability of the process. For example, a process that is probed 100 times and responds on 95 of those occasions has an availability of 95 percent. This type of monitoring is typically reserved for databases, mail programs, and other applications that are expected to run at all times. It is not appropriate for word processing programs, spreadsheets, or other applications that are routinely started and stopped several times a day.

You can create an instance of the Win32_ProcessStartup class to configure the process.

You can monitor process performance with the Win32_PerfFormattedData_PerfProc_Process class and a WMI refresher object, such as SWbemRefresher. For more information, see Monitoring Performance Data.

Examples

The List the Properties of WMI Classes PowerShell code sample on TechNet Gallery describes the Win32_Process class, and outputs the results in Excel format.

The Terminate running process on multiple servers sample terminates a process running on a single or multiple computers.

In the Example: Calling a Provider Method topic, the code uses C++ to call Win32_Process to create a process.

Availability is the simplest form of process monitoring: with this approach, you simply ensure that the process is running. When you monitor for process availability, you typically retrieve a list of processes running on a computer and then verify that a particular process is still active. If the process is active, it is considered available. If the process is not active, it is not available. The following VBScript sample monitors process availability by checking the list of processes running on a computer and issuing a notification if the Database.exe process is not found.
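An added Python example (not the VBScript sample referred to above and not Microsoft's code) of an availability probe that is not fooled by the ProcessId reuse described under ProcessId. The snapshots, the `DB_PATH` install path and the function names are constructed assumptions; matching on ExecutablePath as well as Name is an added check so that a same-named file in another folder is not counted.

```python
# Assumed install path of the monitored application (hypothetical).
DB_PATH = r"C:\Program Files\ExampleDB\Database.exe"


def rec(pid, name, path, created):
    """Build one Win32_Process-style record with the properties used here."""
    return {"ProcessId": pid, "Name": name,
            "ExecutablePath": path, "CreationDate": created}


# Constructed probe results: each inner list is what one probe saw.
SNAPSHOTS = [
    [rec(7, "Database.exe", DB_PATH, "20240305080000.000000+000")],
    [rec(7, "Database.exe", DB_PATH, "20240305080000.000000+000")],
    # Database.exe has exited and PID 7 now belongs to another program.
    [rec(7, "wind.exe", r"C:\Windows\wind.exe", "20240305083100.000000+000")],
    # Same Name, different location: must not count as available.
    [rec(840, "Database.exe", r"C:\Users\Public\Database.exe",
         "20240305083500.000000+000")],
    # The real application is back as a new instance.
    [rec(912, "Database.exe", DB_PATH, "20240305084000.000000+000")],
]


def pid_only_probe(snapshot, pid):
    """The check the ProcessId description warns about: PID presence only."""
    return any(r["ProcessId"] == pid for r in snapshot)


def probe(snapshot, name, expected_path):
    """Return the record whose Name and ExecutablePath both match, else None."""
    for r in snapshot:
        same_name = r["Name"].casefold() == name.casefold()
        path = (r.get("ExecutablePath") or "").casefold()
        if same_name and path == expected_path.casefold():
            return r
    return None


def monitor(snapshots, name, expected_path):
    """Probe every snapshot; report availability, restarts and events.

    A process instance is identified by (ProcessId, CreationDate), so a
    recycled PID or a restarted instance is never mistaken for the original.
    """
    up, restarts, events, last_identity = 0, 0, [], None
    for number, snapshot in enumerate(snapshots):
        found = probe(snapshot, name, expected_path)
        if found is None:
            events.append((number, "not running"))
            continue
        up += 1
        identity = (found["ProcessId"], found["CreationDate"])
        if last_identity is not None and identity != last_identity:
            restarts += 1
            events.append((number, "restarted"))
        last_identity = identity
    return {
        "availability_pct": 100.0 * up / len(snapshots),
        "restarts": restarts,
        "events": events,
    }


if __name__ == "__main__":
    report = monitor(SNAPSHOTS, "Database.exe", DB_PATH)
    print(report)
    print("PID-only check on probe 2:", pid_only_probe(SNAPSHOTS[2], 7))
```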

The following VBScript sample monitors process creation using a temporary event consumer.

The following VBScript monitors process performance information.

The following VBScript code example shows how to obtain the owner of each process on a local computer. You can also use this script to obtain data from a remote computer, for example, to determine which users have processes running terminal server: substitute the name of the remote computer for «.» in the first line. You must also be an administrator on the remote machine.
