powershell - Detect application close based on app user's name -

been trying create script detect user's application crash. (assume computer used multiple users)

so far managed come out below code query application (based on user name) not app close or crash

gwmi -query "select * win32_process name='calc.exe'" | %{if($_.getowner().user -eq 'myuser'){     #do when app crash }} 

you can use register-wmievent cmdlet register event win32_processstoptrace event class.

the win32_processstoptrace doesn't have getowner() method, can use current code gather process id's of processes you're interested in, , use in event query:

$username = 'myuser' $processname = 'calc.exe' $pidfilters = get-wmiobject -query "select * win32_process name='$processname'" |where-object {     $_.getowner().user -eq $username } |select-object -expandproperty processid |foreach-object {     "processid={0}" -f $_ }  $wmifilter = $pidfilters -join " or " 

now, have $wmifilter looks this:

processid=2468 or processid=11576 or processid=5426 

you can use in wmi query:

$wmiquery = "select * win32_processstoptrace ($wmifilter)" 

and register event register-wmievent:

register-wmievent -query $wmiquery -sourceidentifier calcstopevent -action {     $traceevent = $event.sourceeventargs.newevent     if($traceevent.exitstatus -ne 0){         # process didn't exit success/noerror         # send many emails!         # sound klaxon!         # call fire brigade!         # or, whatever feel ...     } }