
I'm using Windows 7 and I'd like to monitor for new Process Create events. (i.e. get an entry for each process that's created, with full details about it.) I succeeded in doing this in Procmon, but I want to do it in the shell, and get text output without a GUI.

Is there a CLI command that does that? e.g. I could tell it "Please list all events of the type so-and-so with a path of so-and-so" and it'll run indefinitely, writing details of these processes to stdout?

Ram Rachum
  • What you can do is build one relatively easily using C# and the cool `Microsoft.Diagnostics.Tracing.TraceEvent` nuget package (by Microsoft). There is a sample here https://stackoverflow.com/a/51722043/403671 that does something different but all the events are available. – Simon Mourier Oct 12 '18 at 16:54
  • @SimonMourier That's interesting and I explored them some, but you gotta wonder, am I really the first person to want this? – Ram Rachum Oct 13 '18 at 13:29
  • Well, on the windows platform (you seem to be coming from other worlds :-), many people are happy with GUIs. It tends to change these days because of cloud platforms where only CLIs are available... – Simon Mourier Oct 13 '18 at 14:03

1 Answer


You can build your own using the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package. It's a wrapper over ETW (Event Tracing for Windows) events, and it's developed by Microsoft.

Here is some sample C# Console Application code that displays all process Start and Stop events:

using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace ProcMon
{
    class Program
    {
        static void Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            using (var session = new TraceEventSession("whatever"))
            {
                // handle console CTRL+C gracefully
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need
                session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

                session.Source.Kernel.ProcessStart += data =>
                {
                    Console.WriteLine("START Id:" + data.ProcessID + " Name:" + data.ProcessName);
                };

                session.Source.Kernel.ProcessStop += data =>
                {
                    // stop has no name
                    Console.WriteLine("STOP Id:" + data.ProcessID);
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}
Simon Mourier
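For the shell-only route the question asks about, here is an added PowerShell example; it is not code from the question or from Simon Mourier's answer. It uses the WMI event classes Win32_ProcessStartTrace and Win32_ProcessStopTrace, which ship with Windows 7 and need no extra package, and pulls events in the foreground so each line goes to stdout and can be redirected. The script file name, the `-PathFilter` parameter and its sample value `cmd.exe` are illustrative assumptions. As with the ETW session above, subscribing to these classes requires an elevated prompt.

```powershell
# Added example: shell-only process create/stop monitor for Windows 7 (PowerShell 2.0+).
# Not code from the question or the answer above. Subscribes to the built-in WMI
# extrinsic events Win32_ProcessStartTrace / Win32_ProcessStopTrace and writes one
# line per event to stdout until CTRL+C. Needs an elevated (Administrator) prompt.
#
# Usage (the file name and the -PathFilter value are illustrative assumptions):
#   .\Watch-ProcessTrace.ps1                      # every process start/stop
#   .\Watch-ProcessTrace.ps1 -PathFilter cmd.exe  # only image names containing cmd.exe
#   .\Watch-ProcessTrace.ps1 | Tee-Object proc.log

param(
    # Optional substring matched (case-insensitively) against the image name,
    # e.g. "powershell.exe". Win32_ProcessStartTrace exposes only the image
    # name, not the full path, so filtering on a directory is not possible here.
    [string]$PathFilter = ''
)

# Build the WQL queries. A WHERE clause on event properties is evaluated inside
# WMI, so unwanted events never reach this process. Single quotes are doubled so
# a quote in the filter cannot break the query string.
$startQuery = 'SELECT * FROM Win32_ProcessStartTrace'
$stopQuery  = 'SELECT * FROM Win32_ProcessStopTrace'
if ($PathFilter) {
    $escaped = $PathFilter -replace "'", "''"
    $startQuery += " WHERE ProcessName LIKE '%$escaped%'"
    $stopQuery  += " WHERE ProcessName LIKE '%$escaped%'"
}

# Clear any subscriptions left over from an earlier run in this session.
Unregister-Event -SourceIdentifier ProcStart -ErrorAction SilentlyContinue
Unregister-Event -SourceIdentifier ProcStop  -ErrorAction SilentlyContinue

# No -Action block: events are pulled with Wait-Event in the foreground, so the
# output goes to the pipeline (stdout) and can be redirected or piped.
Register-WmiEvent -Query $startQuery -SourceIdentifier ProcStart
Register-WmiEvent -Query $stopQuery  -SourceIdentifier ProcStop

try {
    while ($true) {
        $ev    = Wait-Event                      # blocks until the next event arrives
        $e     = $ev.SourceEventArgs.NewEvent    # the Win32_Process*Trace instance
        $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff')

        if ($ev.SourceIdentifier -eq 'ProcStart') {
            # The trace event carries no command line or full path. Look them up in
            # Win32_Process; this is a race, so a process that has already exited is
            # reported with a placeholder instead of being dropped.
            $p    = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($e.ProcessID)"
            $path = if ($p -and $p.ExecutablePath) { $p.ExecutablePath } else { '<unavailable>' }
            $cmd  = if ($p -and $p.CommandLine)    { $p.CommandLine }    else { '<exited before lookup>' }
            "$stamp START pid=$($e.ProcessID) ppid=$($e.ParentProcessID) session=$($e.SessionID) name=$($e.ProcessName) path=$path cmd=$cmd"
        }
        else {
            "$stamp STOP  pid=$($e.ProcessID) ppid=$($e.ParentProcessID) name=$($e.ProcessName) exit=$($e.ExitStatus)"
        }

        Remove-Event -EventIdentifier $ev.EventIdentifier   # drop it from the queue
    }
}
finally {
    # Runs on CTRL+C as well, so the WMI subscriptions do not outlive the script.
    Unregister-Event -SourceIdentifier ProcStart
    Unregister-Event -SourceIdentifier ProcStop
}
```

The WMI start event itself only carries the process ID, parent ID, session ID and image name, which is why the script queries Win32_Process for the command line and executable path; that lookup is a race against very short-lived processes, and the placeholder makes the gap visible rather than silently losing the event. If the command line of every short-lived process matters, the ETW session in the answer above (or Security audit event 4688 with process auditing enabled) delivers it as part of the creation event rather than by a follow-up query.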