I'm using Windows 7 and I'd like to monitor for new Process Create events. (i.e. get an entry for each process that's created, with full details about it.) I succeeded in doing this in Procmon, but I want to do it in the shell, and get text output without a GUI.
Is there a CLI command that does that? e.g. I could tell it "Please list all events of the type so-and-so with a path of so-and-so" and it'll run indefinitely, writing details of these processes to stdout?
You can build your own using the Microsoft.Diagnostics.Tracing.TraceEvent nuget package. It's a wrapper over ETW (Event Tracing for Windows) events, and its developed my Microsoft.
Here is some sample C# Console Application code that displays all process Start and Stop events:
using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
namespace ProcMon
{
class Program
{
static void Main(string[] args)
{
if (TraceEventSession.IsElevated() != true)
{
Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
return;
}
using (var session = new TraceEventSession("whatever"))
{
// handle console CTRL+C gracefully
Console.CancelKeyPress += (sender, e) => session.Stop();
// we filter on events we need
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);
session.Source.Kernel.ProcessStart += data =>
{
Console.WriteLine("START Id:" + data.ProcessID + " Name:" + data.ProcessName);
};
session.Source.Kernel.ProcessStop += data =>
{
// stop has no name
Console.WriteLine("STOP Id:" + data.ProcessID);
};
// runs forever, press CTRL+C to stop
session.Source.Process();
}
}
}
}
© 2022 - 2024 — McMap. All rights reserved.
Microsoft.Diagnostics.Tracing.TraceEventnuget package (by Microsoft). There is a sample here https://mcmap.net/q/1097744/-how-is-it-possible-to-understand-which-process-deletes-a-file-on-the-hard-drive that does something different but all the events are available. – Dovecote