监控进程创建
第一种方案:通过监控进程创建事件,解析新进程的命令行参数中是否包含目标文件类型(本例为 .zip),以此检测"通过文件关联打开文件"的行为。
如果该文件类型关联的是系统自带的文件管理器,或者根本没有任何关联,这种情况无法判断——因为打开文件时不会产生新的进程创建。
因此它只适用于文件类型已被第三方程序关联的情况:打开文件时会启动该程序的新进程,此时可以弹窗提示。
需要注意:下面的实现依赖 WMI 的轮询式事件(WITHIN 1)和新进程的命令行,存活不到一个轮询周期的进程可能漏报,命令行也可能被进程自身篡改,因此只适合作为提示,不宜作为安全判定的唯一依据。
#include <windows.h>
#include <wbemidl.h>
#include <shlwapi.h>
#include <comutil.h>   // _bstr_t

#include <algorithm>
#include <clocale>     // setlocale
#include <cstdio>      // wprintf
#include <cwctype>     // towlower
#include <iostream>
#include <string>

#pragma comment(lib, "shlwapi.lib")   // PathFindFileNameW / PathFindExtensionW
#pragma comment(lib, "comsuppw.lib")  // _bstr_t support (Unicode CRT build)
#pragma comment(lib, "wbemuuid.lib")  // WMI CLSIDs / IIDs

// Initialize COM
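// Initialize COM for the calling thread and set the process-wide security
// defaults that the WMI proxy and the event sink rely on.
//
// Returns the HRESULT of the failing call. On success the calling thread holds
// one CoInitializeEx reference that it must balance with CoUninitialize().
// If CoInitializeSecurity fails (typically RPC_E_TOO_LATE, when another
// component in the process has already set security), the COM reference
// taken here is released so that FAILED(hr) always means "nothing to undo"
// (the original returned the error but left COM initialized).
HRESULT InitCOM() {
    // Apartment-threaded: the asynchronous WMI sink is driven from the
    // message loop in main().
    HRESULT hr = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED);
    if (FAILED(hr)) {
        return hr;
    }
    // Default authentication level, impersonation so WMI can act with the
    // caller's identity, and no extra capabilities (EOAC_NONE).
    hr = CoInitializeSecurity(nullptr, -1, nullptr, nullptr,
                              RPC_C_AUTHN_LEVEL_DEFAULT,
                              RPC_C_IMP_LEVEL_IMPERSONATE,
                              nullptr, EOAC_NONE, nullptr);
    if (FAILED(hr)) {
        CoUninitialize();
    }
    return hr;
}
// Connect to the WMI service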
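// Connect to the local WMI service (ROOT\CIMV2) and set the proxy security
// the asynchronous event subscription needs.
//
// ppSvc   receives an IWbemServices* owned by the caller (Release it).
// Returns the HRESULT of the first failing call. On failure *ppSvc is left
// nullptr, so callers can rely on "FAILED(hr) => nothing to release"
// (the original leaked the service object when CoSetProxyBlanket failed).
HRESULT ConnectWMI(IWbemServices** ppSvc) {
    *ppSvc = nullptr;

    IWbemLocator* locator = nullptr;
    HRESULT hr = CoCreateInstance(CLSID_WbemLocator, nullptr,
                                  CLSCTX_INPROC_SERVER, IID_IWbemLocator,
                                  reinterpret_cast<LPVOID*>(&locator));
    if (FAILED(hr)) {
        return hr;
    }

    // Local machine, current credentials (null user / password / locale).
    hr = locator->ConnectServer(_bstr_t(L"ROOT\\CIMV2"),
                                nullptr, nullptr, nullptr,
                                0, nullptr, nullptr, ppSvc);
    locator->Release();   // not needed once we have (or failed to get) the service
    if (FAILED(hr)) {
        return hr;
    }

    // Per-call authentication with impersonation on the service proxy, as the
    // standard WMI client samples do before issuing queries.
    hr = CoSetProxyBlanket(*ppSvc, RPC_C_AUTHN_WINNT,
                           RPC_C_AUTHZ_NONE, nullptr,
                           RPC_C_AUTHN_LEVEL_CALL,
                           RPC_C_IMP_LEVEL_IMPERSONATE,
                           nullptr, EOAC_NONE);
    if (FAILED(hr)) {
        (*ppSvc)->Release();
        *ppSvc = nullptr;
    }
    return hr;
}

// Event sink for Win32_Process __InstanceCreationEvent notifications.
//
// WMI calls Indicate() with a batch of event objects; each event's
// TargetInstance is the newly created Win32_Process. The sink prints the
// process name, PID and command line, and flags every command-line argument
// whose file extension is ".zip".
//
// Reference counting: the object starts with one reference, which is handed
// to the caller of SubscribeProcessCreation; WMI takes its own reference for
// the lifetime of the subscription and drops it when the query is cancelled.
//
// Security note: everything printed here comes from the created process
// (its creator picks the command line, and a process can rewrite its own
// PEB command line), so the ".zip" detection is a best-effort indicator and
// must not be treated as a trustworthy security decision.
class ProcessCreationSink : public IWbemObjectSink {
public:
    LONG m_lRef;

    ProcessCreationSink() : m_lRef(1) {}

    // ---- IUnknown ----
    STDMETHOD(QueryInterface)(REFIID riid, void** ppv) {
        if (ppv == nullptr) {
            return E_POINTER;
        }
        if (riid == IID_IUnknown || riid == IID_IWbemObjectSink) {
            *ppv = static_cast<IWbemObjectSink*>(this);
            AddRef();
            return S_OK;
        }
        *ppv = nullptr;
        return E_NOINTERFACE;
    }

    STDMETHOD_(ULONG, AddRef)() {
        return InterlockedIncrement(&m_lRef);
    }

    STDMETHOD_(ULONG, Release)() {
        // Return the decremented value rather than re-reading m_lRef: after
        // `delete this` the member is gone, and re-reading it is also racy
        // when several threads release concurrently.
        const LONG remaining = InterlockedDecrement(&m_lRef);
        if (remaining == 0) {
            delete this;
        }
        return remaining;
    }

    // ---- IWbemObjectSink ----
    // Called by WMI with lObjectCount event objects. Always returns S_OK: a
    // malformed event is skipped rather than reported as a sink failure. (The
    // original returned 1 from inside the loop when CommandLineToArgvW failed,
    // which also leaked the VARIANTs still open at that point.)
    STDMETHOD(Indicate)(LONG lObjectCount, IWbemClassObject** apObjArray) {
        for (LONG idx = 0; idx < lObjectCount; ++idx) {
            VARIANT vtTarget;
            VariantInit(&vtTarget);
            HRESULT hr = apObjArray[idx]->Get(L"TargetInstance", 0, &vtTarget, nullptr, nullptr);
            if (SUCCEEDED(hr) && vtTarget.vt == VT_UNKNOWN && vtTarget.punkVal != nullptr) {
                // Ask for IWbemClassObject instead of casting the IUnknown
                // pointer; the result carries its own reference.
                IWbemClassObject* process = nullptr;
                if (SUCCEEDED(vtTarget.punkVal->QueryInterface(
                        IID_IWbemClassObject, reinterpret_cast<void**>(&process)))) {
                    ReportProcess(process);
                    process->Release();
                }
            }
            VariantClear(&vtTarget);   // releases punkVal
        }
        return S_OK;
    }

    // Status notifications (e.g. the subscription being cancelled) are ignored.
    STDMETHOD(SetStatus)(LONG lFlags, HRESULT hResult, BSTR strParam, IWbemClassObject* pObjParam) {
        return S_OK;
    }

private:
    // Print name, PID and command line of one Win32_Process instance, then
    // check its arguments for ".zip" files.
    static void ReportProcess(IWbemClassObject* process) {
        VARIANT value;
        VariantInit(&value);

        if (SUCCEEDED(process->Get(L"Name", 0, &value, nullptr, nullptr))) {
            if (value.vt == VT_BSTR && value.bstrVal != nullptr) {
                wprintf(L"\n检测到新进程:%s\t", value.bstrVal);
            }
            VariantClear(&value);
        }

        if (SUCCEEDED(process->Get(L"ProcessId", 0, &value, nullptr, nullptr))) {
            if (value.vt == VT_UI4 || value.vt == VT_I4) {
                // wprintf, not printf: the original mixed byte- and
                // wide-oriented output on the same stream, which is not
                // portable and can drop output.
                wprintf(L"进程 PID:%u\n", value.ulVal);
            }
            VariantClear(&value);
        }

        if (SUCCEEDED(process->Get(L"CommandLine", 0, &value, nullptr, nullptr))) {
            // CommandLine may be NULL (e.g. when the monitor is not allowed to
            // read the target process's command line) - TODO confirm the exact
            // conditions; the code only guards against the null case.
            if (value.vt == VT_BSTR && value.bstrVal != nullptr) {
                wprintf(L"命令行: %s\n", value.bstrVal);
                ReportZipArguments(value.bstrVal);
            } else {
                wprintf(L"(空或无法获取)\n");
            }
            VariantClear(&value);
        }
    }

    // Split a command line into arguments and report each one that names a
    // ".zip" file. argv[0] is the program itself and is not a document.
    static void ReportZipArguments(LPCWSTR commandLine) {
        int argc = 0;
        LPWSTR* argv = CommandLineToArgvW(commandLine, &argc);
        if (argv == nullptr) {
            std::cerr << "解析命令行失败,错误码:" << GetLastError() << std::endl;
            return;
        }
        for (int arg = 1; arg < argc; ++arg) {
            if (HasZipExtension(argv[arg])) {
                LPCWSTR filename = PathFindFileNameW(argv[arg]);
                wprintf(L"你执行了%s文件关联!!!\n\n", filename);
            }
        }
        LocalFree(argv);
    }

    // True when the argument's file extension is exactly ".zip"
    // (case-insensitive). The original used find(L".zip") on the lowercased
    // argument, which also matched "a.zipx", "my.zip.bak" or a directory
    // named "foo.zip" anywhere in the path.
    static bool HasZipExtension(LPCWSTR argument) {
        std::wstring ext = PathFindExtensionW(argument);   // "" when there is none
        std::transform(ext.begin(), ext.end(), ext.begin(), towlower);
        return ext == L".zip";
    }
};
// Subscribe to process-creation events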
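// Subscribe to Win32_Process creation events on the given WMI service.
//
// pSvc    connected IWbemServices (see ConnectWMI).
// ppSink  receives the sink object; the caller owns one reference and must
//         pass the same pointer to CancelAsyncCall before releasing it.
// Returns the HRESULT of ExecNotificationQueryAsync. On failure the sink is
// released and *ppSink is nullptr (the original left a leaked sink behind).
//
// Bug fixed: the original wrote `BSTR query = _bstr_t(L"...")`, which keeps
// the BSTR owned by a temporary _bstr_t that is freed at the end of that
// statement, so the query was issued through a dangling pointer.
//
// Caveat: __InstanceCreationEvent is an intrinsic event that WMI produces by
// polling, and WITHIN 1 asks for a one-second interval, so a process that
// starts and exits inside one interval can go unreported. NOTE(review): if
// completeness matters, an event-driven source (Win32_ProcessStartTrace or
// ETW) is the more reliable choice.
HRESULT SubscribeProcessCreation(IWbemServices* pSvc, IWbemObjectSink** ppSink) {
    *ppSink = nullptr;
    // Refcount starts at 1; that reference is handed to the caller on success.
    ProcessCreationSink* sink = new ProcessCreationSink();

    // Named _bstr_t objects live until the end of this function, so the BSTRs
    // they own stay valid for the whole call.
    _bstr_t language(L"WQL");
    _bstr_t query(L"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'");

    HRESULT hr = pSvc->ExecNotificationQueryAsync(language, query,
                                                  WBEM_FLAG_SEND_STATUS, nullptr,
                                                  sink);
    if (FAILED(hr)) {
        sink->Release();
        return hr;
    }
    *ppSink = sink;
    return hr;
}

// Entry point: initialize COM, connect to WMI, subscribe to process-creation
// events, then pump window messages so the sink's callbacks are delivered.
//
// Because COM is initialized apartment-threaded, WMI's calls into the sink
// arrive through this thread's message queue; the GetMessage loop is what
// keeps them flowing. GetMessage returns 0 only on WM_QUIT, which nothing in
// this program posts, so the process effectively runs until it is killed and
// the cleanup at the end is not reached. TODO: the "按任意键退出" prompt is
// not wired to anything - either post WM_QUIT from a console control handler
// or change the prompt.
int main() {
    setlocale(LC_ALL, "");   // wide-character console output for the Chinese messages

    HRESULT hr = InitCOM();
    if (FAILED(hr)) {
        std::cerr << "COM 初始化失败" << std::endl;
        return 1;
    }

    IWbemServices* svc = nullptr;
    hr = ConnectWMI(&svc);
    if (FAILED(hr) || svc == nullptr) {
        std::cerr << "WMI 连接失败" << std::endl;
        CoUninitialize();
        return 1;
    }

    IWbemObjectSink* sink = nullptr;
    hr = SubscribeProcessCreation(svc, &sink);
    if (FAILED(hr) || sink == nullptr) {
        std::cerr << "事件订阅失败" << std::endl;
        svc->Release();
        CoUninitialize();
        return 1;
    }

    std::wcout << L"正在监控进程创建...(按任意键退出)" << std::endl;

    // `> 0` rather than a bare truth test: GetMessage returns -1 on error, and
    // the original `while (GetMessage(...))` would spin forever on that.
    MSG msg;
    while (GetMessage(&msg, nullptr, 0, 0) > 0) {
        std::cout << "处理消息: " << msg.message << std::endl;   // debug trace
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    // Reached only after WM_QUIT (or a GetMessage error).
    svc->CancelAsyncCall(sink);   // must be the exact sink pointer given to the query
    sink->Release();
    svc->Release();
    CoUninitialize();
    return 0;
}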
第二种方案:在双击时,直接从当前窗口(文件管理器或桌面)获取被选中的文件,并判断其文件类型。
获取文件管理器和桌面中选择的文件