
I have a script, "build.bat", that can start arbitrary processes inside it. How do I log all CreateProcess invocations from all processes inside it?

On Linux I can run this to accomplish the same:

strace -f -e trace=execve ./myprogram 2>&1 | grep execve > log

Is there a simple (CLI) solution for Windows?

warchantua

  • Your title does not match your question. Do you want to just log that the invocations are happening ([there are events for that](https://stackoverflow.com/questions/3556048/)), or do you want to actually change the logic of what the invocations do (requires detouring `CreateProcess()` in each process)? Two different things. – Remy Lebeau Jun 07 '22 at 17:04
  • @RemyLebeau updated the title. Hope it's more clear now. I want to just log all invocations + all arguments. I know that ProcessMonitor can be used for that but I need a CLI tool for the task. – warchantua Jun 07 '22 at 19:01
  • [How to: Use LogMan to Collect Event Trace Data](https://learn.microsoft.com/en-us/dynamics-nav/how-to--use-logman-to-collect-event-trace-data). – IInspectable Jun 08 '22 at 06:04

1 Answer


While it's not a CLI tool, the Process Monitor from Microsoft SysInternals allows you to do so. There you can follow all syscalls a process makes (or rather: all processes), similar to what strace does on Linux/etc. But instead of starting it together with the program, you start it separately.

If you're used to Linux it's a bit clumsy to understand how the interface works (especially when it comes to filtering), and it definitely has a much worse user experience than strace in my opinion. Despite this though it's been an invaluable development tool on Windows for me.

Just don't leave it running in capture mode while you're doing something unrelated, otherwise it will collect enormous amounts of data. (And possibly slow your system down.)

chris_se
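The answer covers the GUI route; the comments point at Windows event logging as the CLI route. The following PowerShell script is an added example (not code from the question, the answer, or Microsoft's documentation) of that route: instead of ETW via logman it uses the built-in Security-log "Process Creation" audit (event ID 4688), which carries the full command line once the `ProcessCreationIncludeCmdLine_Enabled` policy value is set. It enables the audit, runs build.bat under its own cmd.exe, then replays the 4688 events from that time window and keeps only the process tree rooted at that cmd.exe, so unrelated processes started elsewhere on the machine are dropped. Assumed: an elevated PowerShell 5.1 or later prompt, build.bat in the current directory, and the output file name process-log.txt, which is arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the question or the answer.
# Logs every process created (directly or transitively) by build.bat, with full
# command lines, via the Security log's "Process Creation" audit (event ID 4688).
# Assumed: elevated PowerShell 5.1+, build.bat in the current directory; the
# output file name is arbitrary.
param(
    [string]$Script  = ".\build.bat",
    [string]$LogFile = ".\process-log.txt"
)

# Save the current audit policy so it can be restored afterwards.
$backup = Join-Path $env:TEMP "auditpol-backup.csv"
auditpol /backup /file:$backup | Out-Null

# Enable success auditing for "Process Creation" (the GUID form is locale-independent)
# and ask for the command line to be included in each 4688 event; without the
# registry value the event carries only the image path.
auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable | Out-Null
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Run the script under its own cmd.exe and remember that PID and the time window.
$start = Get-Date
$root  = Start-Process -FilePath cmd.exe -ArgumentList "/c", "`"$Script`"" -NoNewWindow -PassThru -Wait
$end   = Get-Date

# Fetch the 4688 events from the window, oldest first (Get-WinEvent yields newest first).
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'; Id = 4688
    StartTime = $start.AddSeconds(-1); EndTime = $end.AddSeconds(1)
} -ErrorAction SilentlyContinue) | Sort-Object RecordId

# Keep only the process tree rooted at our cmd.exe: an event is in the tree when
# its creator PID (field "ProcessId") is already known, and then its new PID
# (field "NewProcessId") joins the set. 4688 stores PIDs as hex strings ("0x1a4c").
$tree = [System.Collections.Generic.HashSet[int]]::new()
[void]$tree.Add($root.Id)

$lines = foreach ($e in $events) {
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $creator = [int]$data['ProcessId']
    $newPid  = [int]$data['NewProcessId']
    if ($newPid -eq $root.Id -or $tree.Contains($creator)) {
        [void]$tree.Add($newPid)
        "{0:o} pid={1} ppid={2} {3}" -f $e.TimeCreated, $newPid, $creator, $data['CommandLine']
    }
}
$lines | Tee-Object -FilePath $LogFile

# Restore the previous audit policy. The registry value is left in place; remove it
# with Remove-ItemProperty if command-line capture should not stay on permanently.
auditpol /restore /file:$backup | Out-Null
```

Two caveats worth knowing before relying on this. The tree filter keys on PIDs, so on a long build where Windows recycles a PID of an exited child the filter can attach an unrelated process to the tree; for short runs this is not a practical concern, and the timestamps in the log make such cases easy to spot. Second, 4688 is the audit trail of CreateProcess, not a hook on it: the audit records the logged-on user's processes as well as those created by services, so the filter on the creator PID is what turns the machine-wide log into a per-script one. If the audit policy must not be touched, the same data is available from the kernel's ETW process provider started through logman (the "NT Kernel Logger" session's process events also include the command line), at the cost of converting the .etl file with tracerpt before it can be grepped.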