Command line Process Monitor log collection
Ashish Gehani edited this page Nov 3, 2021 · 7 revisions
This page describes how to use Process Monitor from the command line. It can be used in a headless Windows 10 VirtualBox virtual machine (VM).
- Create and start a Windows 10 VM using VirtualBox.
- Open PowerShell with Administrator privileges and enable the `OpenSSH server`. To do so, follow the steps here.
- Download and extract Process Monitor.
- Stop the Windows VirtualBox VM.
- In VirtualBox, update the Windows VM networking settings to enable port forwarding from host `0.0.0.0:2222` to guest `<guest_ip>:22`.
  - `<guest_ip>` can be found with the Windows command `ipconfig`.
  - Binding the host side of the rule to `0.0.0.0` exposes the guest's SSH service on every interface of the host. Unless other machines need to reach the VM, bind it to `127.0.0.1:2222` instead so that only local connections are forwarded.
- Start the VirtualBox Windows VM with the `Headless Start` option.
  - This can be done at the command line with `VBoxManage`.
- On the host machine, use an `ssh` client to connect to the Windows VM: `ssh <windows_user_name>@localhost -p 2222`
- In a Windows shell, navigate to the directory where Process Monitor was extracted. The account must have Administrator privileges, since Process Monitor loads a kernel driver to capture events.
- Download the SPADE Process Monitor configuration from here.
- Start Process Monitor to capture events:

  ```
  .\Procmon64.exe /BackingFile .\audit.pml /NoFilter /AcceptEula /LoadConfig .\spade.reporter.ProcMon.pmc /Quiet
  ```

  - `/BackingFile`: Only the native PML format can be written during capture. The file is converted to XML later.
  - `/NoFilter`: Do not use any saved/default filters.
  - `/AcceptEula`: Prevent a pop-up from appearing if Process Monitor has never been used before.
  - `/LoadConfig`: Path to the configuration file that specifies the items required.
  - `/Quiet`: Suppress the filter confirmation pop-up.
- Perform the activity that is to be recorded.
- Stop Process Monitor:

  ```
  .\Procmon64.exe /Terminate
  ```

  - If Process Monitor is terminated any other way (via the `taskkill` command, for example), the output file `audit.pml` may be corrupted, because the capturing instance never gets to flush and close it.
  - `/Terminate` starts a second instance that signals the capturing one to stop; the capturing instance may take a moment to finish writing. To confirm that Process Monitor has stopped, use the PowerShell command `Get-Process Procmon64`, which reports an error once no such process exists (add `-ErrorAction SilentlyContinue` when using it in a script or loop).
- The output file `audit.pml` can be converted to XML using the command:

  ```
  .\Procmon64.exe /OpenLog .\audit.pml /LoadConfig .\spade.reporter.ProcMon.pmc /SaveAs .\audit.xml
  ```

  - This instance of Process Monitor does not need to be terminated explicitly. It exits when the conversion completes.
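The following script is an added example and is not code from the SPADE project or from this wiki page. It wraps the steps above in two PowerShell functions: `Set-ProcmonVmSshForwarding` runs on the VirtualBox host (a Windows host with `VBoxManage.exe` on the `PATH` is assumed; the `VBoxManage` arguments are the same on other host operating systems), and `Invoke-ProcmonCapture` runs inside the guest as an Administrator, from the directory containing `Procmon64.exe` and `spade.reporter.ProcMon.pmc`. The VM name `Win10`, the guest IP `10.0.2.15`, the function and parameter names, and the loopback-only forwarding default are assumptions made for the example; the Process Monitor switches are the ones documented above.

```powershell
# Added example (not SPADE code). Host side: configure SSH port forwarding while the VM
# is powered off, then start it headless. Assumes a Windows host with VBoxManage.exe on PATH.
function Set-ProcmonVmSshForwarding {
    param(
        [string]$VmName   = 'Win10',        # assumed VM name
        [string]$GuestIp  = '10.0.2.15',    # value reported by ipconfig in the guest (assumed)
        [string]$HostIp   = '127.0.0.1',    # loopback only; 0.0.0.0 exposes SSH on every host interface
        [int]   $HostPort = 2222
    )
    # Port-forwarding rules can only be changed while the VM is powered off.
    $state = VBoxManage showvminfo $VmName --machinereadable |
        Where-Object { $_ -like 'VMState=*' }
    if ($state -ne 'VMState="poweroff"') { throw "Stop $VmName first (state: $state)" }
    # Rule format: name,protocol,host ip,host port,guest ip,guest port.
    VBoxManage modifyvm $VmName --natpf1 delete ssh 2>$null   # drop a stale rule, if any
    VBoxManage modifyvm $VmName --natpf1 "ssh,tcp,$HostIp,$HostPort,$GuestIp,22"
    VBoxManage startvm $VmName --type headless
}

# Guest side: capture with Process Monitor, stop it cleanly, verify, and convert to XML.
# Must run as Administrator, because Process Monitor loads a kernel driver.
function Invoke-ProcmonCapture {
    param(
        [string]$ProcmonDir = (Get-Location).Path,
        [string]$Config     = 'spade.reporter.ProcMon.pmc',
        [string]$Pml        = 'audit.pml',
        [string]$Xml        = 'audit.xml',
        # The activity to record; runs while Process Monitor is capturing.
        [scriptblock]$Activity = { Start-Sleep -Seconds 10 },
        [int]$StopTimeoutSec = 60
    )
    $procmon = Join-Path $ProcmonDir 'Procmon64.exe'
    $cfg     = Join-Path $ProcmonDir $Config
    $pmlPath = Join-Path $ProcmonDir $Pml
    $xmlPath = Join-Path $ProcmonDir $Xml

    if (-not (Test-Path $procmon)) { throw "Procmon64.exe not found in $ProcmonDir" }
    if (-not (Test-Path $cfg))     { throw "Configuration $cfg not found" }
    if (Get-Process -Name Procmon64 -ErrorAction SilentlyContinue) {
        throw 'A Process Monitor instance is already running; stop it with /Terminate first.'
    }
    Remove-Item $pmlPath, $xmlPath -ErrorAction SilentlyContinue

    # Start capturing with the same switches as the manual step on this page.
    Start-Process -FilePath $procmon -ArgumentList @(
        '/BackingFile', "`"$pmlPath`"", '/NoFilter', '/AcceptEula',
        '/LoadConfig', "`"$cfg`"", '/Quiet'
    )
    # Wait until the driver is loaded and the backing file has been opened.
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-Path $pmlPath)) {
        if ((Get-Date) -gt $deadline) { throw 'Process Monitor did not create the backing file' }
        Start-Sleep -Milliseconds 500
    }

    try {
        & $Activity
    } finally {
        # Always stop via /Terminate: killing Procmon64 can leave the PML file corrupted.
        Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
        # /Terminate returns before the capturing instance has flushed; wait for it to exit.
        $deadline = (Get-Date).AddSeconds($StopTimeoutSec)
        while (Get-Process -Name Procmon64 -ErrorAction SilentlyContinue) {
            if ((Get-Date) -gt $deadline) { throw 'Procmon64 still running after /Terminate' }
            Start-Sleep -Milliseconds 500
        }
    }
    if ((Get-Item $pmlPath).Length -eq 0) { throw "$pmlPath is empty; capture failed" }

    # Convert to XML. This instance exits on its own when the export completes.
    Start-Process -FilePath $procmon -Wait -ArgumentList @(
        '/OpenLog', "`"$pmlPath`"", '/LoadConfig', "`"$cfg`"", '/SaveAs', "`"$xmlPath`""
    )
    if (-not (Test-Path $xmlPath)) { throw 'XML export did not produce a file' }
    # Sanity check without loading a possibly huge file: stream to the root element.
    $reader = [System.Xml.XmlReader]::Create($xmlPath)
    try { [void]$reader.MoveToContent(); $root = $reader.Name } finally { $reader.Dispose() }

    [pscustomobject]@{
        Pml      = $pmlPath
        PmlBytes = (Get-Item $pmlPath).Length
        Xml      = $xmlPath
        XmlRoot  = $root
    }
}

# Usage in the guest, from the Process Monitor directory (example activity):
# Invoke-ProcmonCapture -Activity { Start-Process notepad.exe; Start-Sleep -Seconds 5 }
```

Run `Set-ProcmonVmSshForwarding` on the host before connecting with `ssh`, and `Invoke-ProcmonCapture` inside the guest over that SSH session. The guest function refuses to start if another Process Monitor instance is running, stops the capture with `/Terminate` even when the recorded activity throws, waits for `Procmon64` to exit before touching the PML file, and checks that both output files exist and that the XML parses as far as its root element before reporting success.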
This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.