Command line version of Procmon


Problem description

I'm using Windows 7 and I'd like to monitor for new Process Create events. (i.e. get an entry for each process that's created, with full details about it.) I succeeded in doing this in Procmon, but I want to do it in the shell, and get text output without a GUI.

Is there a CLI command that does that? e.g. I could tell it "Please list all events of the type so-and-so with a path of so-and-so" and it'll run indefinitely, writing details of these processes to stdout?

Recommended answer

You can build your own using the Microsoft.Diagnostics.Tracing.TraceEvent nuget package. It's a wrapper over ETW (Event Tracing for Windows) events, and it's developed by Microsoft.

Here is some sample C# Console Application code that displays all process Start and Stop events:

using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace ProcMon
{
    class Program
    {
        static void Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            using (var session = new TraceEventSession("whatever"))
            {
                // handle console CTRL+C gracefully
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need
                session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

                session.Source.Kernel.ProcessStart += data =>
                {
                    Console.WriteLine("START Id:" + data.ProcessID + " Name:" + data.ProcessName);
                };

                session.Source.Kernel.ProcessStop += data =>
                {
                    // stop has no name
                    Console.WriteLine("STOP Id:" + data.ProcessID);
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}
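The question also asks for the "full details" of each created process and for a way to restrict the listing to a given path. The following added example (written for this page, not code from the answer above or from the TraceEvent project) extends the same TraceEvent approach to do that: it takes an optional substring as its first argument and prints a timestamp, PID, parent PID, image name, exit status and command line for every process event whose image name or command line contains that substring. The `ProcMonCli` namespace, the `Matches`, `Format` and `OneLine` helpers and the argument convention are this example's own choices; the `ParentID`, `ImageFileName`, `CommandLine`, `ExitStatus` and `TimeStamp` properties are the ones TraceEvent exposes on `ProcessTraceData`. The session is named `KernelTraceEventParser.KernelSessionName` ("NT Kernel Logger") because before Windows 8 kernel events can only be enabled in a session with that name, which matters for the Windows 7 machine in the question.

```csharp
using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

namespace ProcMonCli
{
    class Program
    {
        // Usage (assumed convention for this example): ProcMonCli.exe [substring]
        // Events are printed only if the image name or command line contains the substring.
        static int Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("Enabling kernel ETW events requires an elevated (Administrator) process.");
                return 1;
            }

            string filter = args.Length > 0 ? args[0] : null;

            // Pre-Windows 8 only allows kernel providers in the "NT Kernel Logger" session.
            using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
            {
                // CTRL+C stops the session, which makes Process() return and the using block dispose it.
                Console.CancelKeyPress += (sender, e) => { e.Cancel = true; session.Stop(); };

                // Only the process keyword: start/stop/rundown events, nothing else.
                session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

                session.Source.Kernel.ProcessStart += data =>
                {
                    if (Matches(data, filter))
                        Console.WriteLine(Format("START", data));
                };

                session.Source.Kernel.ProcessStop += data =>
                {
                    if (Matches(data, filter))
                        Console.WriteLine(Format("STOP ", data));
                };

                // Blocks until session.Stop() is called.
                session.Source.Process();
            }
            return 0;
        }

        // Case-insensitive substring match on the image name or the command line; no filter matches everything.
        static bool Matches(ProcessTraceData data, string filter)
        {
            if (string.IsNullOrEmpty(filter))
                return true;
            return (data.ImageFileName ?? "").IndexOf(filter, StringComparison.OrdinalIgnoreCase) >= 0
                || (data.CommandLine ?? "").IndexOf(filter, StringComparison.OrdinalIgnoreCase) >= 0;
        }

        // One record per line so the output can be piped into findstr, a log file or a SIEM forwarder.
        static string Format(string kind, ProcessTraceData data)
        {
            return string.Format("{0} {1:yyyy-MM-dd HH:mm:ss.fff} pid={2} ppid={3} image={4} exit={5} cmd={6}",
                kind,
                data.TimeStamp,
                data.ProcessID,
                data.ParentID,
                OneLine(data.ImageFileName),
                data.ExitStatus,
                OneLine(data.CommandLine));
        }

        // Command lines are attacker-controlled text: strip CR/LF so a crafted argument
        // cannot split one event into several lines or forge a fake record in the output.
        static string OneLine(string s)
        {
            if (s == null)
                return "";
            return s.Replace("\r", " ").Replace("\n", " ");
        }
    }
}
```

Run it from an elevated prompt as `ProcMonCli.exe temp` to see only processes whose image name or command line mentions `temp`; redirect stdout to a file to keep a text log. Because the "NT Kernel Logger" session is a single system-wide resource, a previous crash that left it running will make the new session fail to start; `logman stop "NT Kernel Logger" -ets` clears it.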
