Monitor newly started processes

[Unc3nZureD]

As the title says, I'd like to get informed when a new process starts. Here's my current code, but I've got no idea why it isn't working. Theoritically it should work.

#include <Array.au3>

$base = ProcessList()
$open = FileOpen(@ScriptDir & "\ProcLog.log", 1)
$Size = UBound($base) - 1
$new = 0

While 1
    $proc = ProcessList()
    $procS = UBound($base) - 1

    For $i = 1 To UBound($procS) - 1
        _ArraySearch($base, $proc[$i][1])
        If @error Then
            FileWrite($open, ">>> New process: " & $proc[$i][0]  & @crlf)
            MsgBox(0,"", "new process!", 1)
            $new += 1
        EndIf

        If $i = UBound($procS) - 1 & $new > 0 Then
            $base = ProcessList()
            $Size = UBound($base) - 1
            $new = 0
        EndIf
    Next
WEnd

[guinness]

Search the Forum for $HSHELL_APPCOMMAND and use GUIRegisterMsg.

Note: You will need WinAPIEx to hand.

[Unc3nZureD]

Well, I can't really understand you...

msdn says:

 

The user completed an input event (for example, pressed an application command button on the mouse or an application command key on the keyboard), and the application did not handle the WM_APPCOMMANDmessage generated by that input.

If the Shell procedure handles the WM_COMMAND message, it should not call CallNextHookEx. See the Return Value section for more information.

 

GUIRegisterMsg? Well, I've really got no idea what you're thinking of

I tried the following one:

'?do=embed' frameborder='0' data-embedContent>>

Which hooks the following one:

Case $HSHELL_APPCOMMAND
            MsgPrint("HSHELL_APPCOMMAND: " & $lParam)

But, it did nothing when I opened a new process (except of notifying me about it's newly created window, but not about the process).

[guinness]

I will provide an example later on then.

[guinness]

expandcollapse popup

#include <GUIConstantsEx.au3>
#include <WinAPIEx.au3>

Example()

Func Example()
    Local $hGUI = GUICreate('An(other) example by guinness - 2013', Default, Default) ; Create a GUI.
    GUISetState(@SW_SHOW, $hGUI)

    GUIRegisterMsg(_WinAPI_RegisterWindowMessage('SHELLHOOK'), 'WM_SHELLHOOK') ; Define a window message and assign to the WM_SHELLHOOK function.
    _WinAPI_RegisterShellHookWindow($hGUI) ; Register the shell hook message to our GUI.

    While 1
        Switch GUIGetMsg()
            Case $GUI_EVENT_CLOSE
                ExitLoop
        EndSwitch
    WEnd

    _WinAPI_DeregisterShellHookWindow($hGUI)
    GUIDelete($hGUI)
EndFunc   ;==>Example

Func WM_SHELLHOOK($hWnd, $iMsg, $wParam, $lParam)
    #forceref $iMsg
    Switch $wParam
        Case $HSHELL_REDRAW
            ConsoleWrite('Redrawn: ' & @CRLF & _
                    @TAB & 'PID: ' & WinGetProcess($lParam) & @CRLF & _ ; This is the PID.
                    @TAB & 'Filename: ' & _WinAPI_GetWindowFileName($lParam) & @CRLF & _ ; This is the filepath of the window.
                    @TAB & 'hWnd: ' & $lParam & @CRLF) ; This will be the handle of the window closed.

        Case $HSHELL_WINDOWCREATED
            ConsoleWrite('Created: ' & @CRLF & _
                    @TAB & 'PID: ' & WinGetProcess($lParam) & @CRLF & _ ; This is the PID.
                    @TAB & 'Filename: ' & _WinAPI_GetWindowFileName($lParam) & @CRLF & _ ; This is the filepath of the window.
                    @TAB & 'hWnd: ' & $lParam & @CRLF) ; This will be the handle of the window closed.

        Case $HSHELL_WINDOWDESTROYED
            ConsoleWrite('Destroyed: ' & @CRLF & _
                    @TAB & 'PID: ' & WinGetProcess($lParam) & @CRLF & _ ; This will be -1.
                    @TAB & 'Filename: ' & _WinAPI_GetWindowFileName($lParam) & @CRLF & _ ; This will be empty.
                    @TAB & 'hWnd: ' & $lParam & @CRLF) ; This will be the handle of the window closed.

    EndSwitch
EndFunc   ;==>WM_SHELLHOOK

This should give you an idea. Use GUICtrlSendToDummy so as not to stay too long in WM_SHELLHOOK.

Edited July 27, 2013 by guinness

[Unc3nZureD]

As I thought

This one is only working when the process has a window. What if the process has no window, it's just running in the background? If I'm right, and since I tried, I can say that it does nothing.

[guinness]

You're welcome.

[FireFox]

Hi,

WMI way:

#include <Constants.au3>

Local $oWMIService = ObjGet("winmgmts:\\.\root\CIMV2")
If @error Then
    MsgBox($MB_ICONHAND, Default, "Could not initialize WMI object !")
    Exit 1
EndIf

Local $oSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($oSink, "SINK_")

Local $oContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
$oContext.Add("hostname", ".")

$oWMIService.ExecNotificationQueryAsync($oSink, _
        "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'", _
        Default, Default, Default, $oContext)

While 1
    Sleep(10)
WEnd

Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    Local $aObjData[3] = [ _
            $objLatestEvent.TargetInstance.ProcessId, _ ;pid
            $objLatestEvent.TargetInstance.Properties_.item("Name").value, _ ;pname
            $objLatestEvent.TargetInstance.ExecutablePath] ;ppath

    MsgBox($MB_SYSTEMMODAL, Default, "New process:" & @CrLf & _
            "pid: " & $aObjData[0] & @CrLf & _
            "name: " & $aObjData[1] & @CrLf & _
            "path: " & $aObjData[2])
EndFunc   ;==>SINK_OnObjectReady

Edit: Added indents.

Br, FireFox.

Edited July 27, 2013 by FireFox

[Unc3nZureD]

Lol, okay - sorry, I didn't want to be rude, just wrote a feedback Yes, it's a good solution, but not for my problem I should re-think my script again... Theoratically good, however I missed something...

It should make 2 different process list. An older and a current. If they are not the same, then write the difference, and update the old one.

[kylomas]

Unc3nZureD,

This is something I wrote long ago to monitor what is starting and stopping on my system.  There is also a "watchlist" to define a process to monitor and an action to take when the process being monitored starts and/or ends. 

This was designed to start with my system so I do NOT provide a way to terminate the script.

The sampling is timed (1 sec as I run it) so it is entirely possible to miss something that starts and ends within that interval.  I choose 1 sec because it fit my needs.

I see that Frefox posted a WMI solution as I was typing this.  That was going to be my second suggestion.

Anyway FWIW

expandcollapse popup

#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=..\Icons\Syslog.ico
#AutoIt3Wrapper_Outfile_x64=..\EXE\syslog.exe
#AutoIt3Wrapper_UseUpx=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

#include <array.au3>
#include <date.au3>
#include <string.au3>
#include <process.au3>
#Include <APIConstants.au3>
#Include <WinAPIEx.au3>
#Include <guiconstantsEx.au3>

;HotKeySet("{ESC}", "fini")

Global $oMyError = ObjEvent("AutoIt.Error","MyErrFunc"), $f_COMError = False

init()

#cs
    watchlist structure
    n,0 = process to watch for
    n,1 = program to run
    n,2 = program to run parm #1
    n,3 = this slot intentionally left blank
    n,4 = run program when process starts
    n,5 = run program when process ends
#ce

local $a_watchlist[20][6]

$a_watchlist[0][0] = "iexplore.exe"
$a_watchlist[0][1] = "c:\program files\ccleaner\ccleaner64.exe"
$a_watchlist[0][2] = "/auto"
$a_watchlist[0][3] = ""
$a_watchlist[0][4] = false
$a_watchlist[0][5] = true
$a_watchlist[1][0] = "wlmail.exe"
$a_watchlist[1][1] = "c:\program files\ccleaner\ccleaner64.exe"
$a_watchlist[1][2] = "/auto"
$a_watchlist[1][3] = ""
$a_watchlist[1][4] = false
$a_watchlist[1][5] = true
$a_watchlist[2][0] = "outlook.exe"
$a_watchlist[2][1] = "c:\program files\ccleaner\ccleaner64.exe"
$a_watchlist[2][2] = "/auto"
$a_watchlist[2][3] = ""
$a_watchlist[2][4] = false
$a_watchlist[2][5] = true

local $a_curractive, $a_prevactive = processlist()

while 1

    $a_curractive = processlist()
    checkstarts()
    checkends()
    $a_prevactive = $a_curractive

    sleep(1000)

wend

func checkstarts()

    local $hit
    for $i = 1 to $a_curractive[0][0]
        $hit = false
        for $j = 1 to $a_prevactive[0][0]
            if $a_curractive[$i][0] = $a_prevactive[$j][0] and $a_curractive[$i][1] = $a_prevactive[$j][1] then
                $hit = True
                exitloop
            endif
        next
        if $hit = false then
            ; got something new, log it and check to see if we are watching for it
            lf(' ' & @computername & stringformat("[%-10.10s]",getuser($a_curractive[$i][1])) & ' ' & $a_curractive[$i][0] & ' / ' & $a_curractive[$i][1] & ' Started')
            for $k = 0 to ubound($a_watchlist,1) - 1
                if $a_curractive[$i][0] = $a_watchlist[$k][0] then
                    ;yes, we are watching for it, now what to do???
                    if $a_watchlist[$k][4] then
                        shellexecute($a_watchlist[$k][1],$a_watchlist[$k][2])
                        lf(" Event: " & @username & @tab & $a_watchlist[$k][1] & $a_watchlist[$k][2] & " initiated by program start [" & $a_curractive[$i][0] & ']')
                    endif
                EndIf
            next
        endif
    next

endfunc

func checkends()

    local $hit
    for $i = 1 to $a_prevactive[0][0]
        $hit = false
        for $j = 1 to $a_curractive[0][0]
            if $a_prevactive[$i][0] = $a_curractive[$j][0] and $a_prevactive[$i][1] = $a_curractive[$j][1] then
                $hit = True
                exitloop
            endif
        next
        if $hit = false then
            ; something ended, log it and see if we are watching for it
            lf(' ' & @computername & stringformat("[%-10.10s]",getuser($a_prevactive[$i][1])) & ' ' & $a_prevactive[$i][0] & ' / ' & $a_prevactive[$i][1] & ' Ended')
            for $k = 0 to ubound($a_watchlist,1) - 1
                if $a_prevactive[$i][0] = $a_watchlist[$k][0] then
                    ;yes, we are watching for it, now what to do???
                    if $a_watchlist[$k][5] then
                        shellexecute($a_watchlist[$k][1],$a_watchlist[$k][2])
                        lf(" Event: " & @username & @tab & $a_watchlist[$k][1] & $a_watchlist[$k][2] & " initiated by program stop [" & $a_prevactive[$i][0] & ']')
                    endif
                EndIf
            next
        endif
    next

endfunc

Func lf($le)
    Local $file
    $file = FileOpen(@scriptdir & '\syslog', 1)
    If $file = -1 Then
        MsgBox(0,"Watcher Error", "Error Unable to open log file")
        exit
    EndIf
    FileWriteLine($file,        @year  & '-' & _
            stringformat("%02s",@MON)  & '-' & _
            stringformat("%02s",@mday) & ' ' & _
            stringformat("%02s",@hour) & ':' & _
            stringformat("%02s",@min)  & ':' & _
            stringformat("%02s",@sec)  &       _
            $le)
    FileClose($file)
EndFunc

func init()

    lf(_stringrepeat('==*==',20))
    lf(' ')
    lf('                                       Starting SYSLOG')
    lf(' ')
    lf(_stringrepeat('==*==',20))
    lf(' ')
    lf(' Options: ')
    lf(' ')
    lf(' Syslog started on ' & @computername & ' at ' & _Now() & ' by ' & @username)
    lf(' ')
    lf(' Currently Running Processes:')
    lf(' ')
    lf(' ' &    stringformat("%-15s",'Computer Name')  & ' ' & _
                stringformat("%-15s",'User Name')      & ' ' & _
                stringformat("%-25s",'Process Name')   & ' ' & _
                stringformat("%-7s",'PID')             & ' ' & _
                stringformat("%-25s",'Start Date')     & ' ' & _
                stringformat("%-25s",'Parent Name')    & ' ' & _
                stringformat("%-10s",'Parent PID'))
    lf(' ' &    _stringrepeat("-",15)                   & ' ' & _
                _stringrepeat("-",15)                   & ' ' & _
                _stringrepeat("-",25)                   & ' ' & _
                _stringrepeat("-",7)                    & ' ' & _
                _stringrepeat("-",25)                   & ' ' & _
                _stringrepeat("-",25)                   & ' ' & _
                _stringrepeat("-",10))

    local $tasks = _pl()

    for $i = 0 to ubound($tasks) - 1
        lf(' ' &    stringformat("%-15s",@computername) & ' ' & _
                    stringformat("%-15s",$tasks[$i][5]) &  ' ' & _
                    stringformat("%-25.25s",$tasks[$i][1]) &  ' ' & _
                    stringformat("%-7s",$tasks[$i][2]) &  ' ' & _
                    stringformat("%-25.25s",$tasks[$i][0]) & ' ' & _
                    stringformat("%-25.25s",$tasks[$i][4]) &  ' ' & _
                    stringformat("%-10s",$tasks[$i][3]))
    next

    lf(' ')

endfunc

func _PL()

    local $wbemFlagReturnImmediately = 0x10
    local $wbemFlagForwardOnly = 0x20
    local $colItems = ""
    local $strComputer = "localhost"

    local $list[1000][45], $i = 1, $x

    $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\")
    $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process") ;, "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

    if isobj($colItems) then redim $list[$colitems.count + 1][6]

    If IsObj($colItems) then
       For $objItem In $colItems

            $list[$i][0] =  WMIDateStringToDate($objItem.CreationDate)
            $list[$i][1] =  $objItem.Name
            $list[$i][2] =  $objItem.ProcessId
            $list[$i][3] =  $objItem.ParentProcessId
            $list[$i][4] =  _processgetname($list[$i][3])
            $list[$i][5] =  getuser($list[$i][2])

            $i += 1

        Next
    Else
       Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_Process" )
    Endif

    return $list

endfunc

Func WMIDateStringToDate($dtmDate)

    Return (StringMid($dtmDate, 5, 2) & "/" & _
    StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
    & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
EndFunc

Func MyErrFunc()
    Local $HexNumber=hex($oMyError.number,8)
    Msgbox(0,"","We intercepted a COM Error !" & @CRLF & _
                "Number is: " & $HexNumber & @CRLF & _
                "WinDescription is: " & $oMyError.windescription & @CRLF & _
                "Source is: " & $oMyError.source & @CRLF & _
                "ScriptLine is: " & $oMyError.scriptline)
   $f_COMError = True;
Endfunc

func getuser($pid)

    ; big "up" to ptrex for this routine !!!

    local $hToken, $Data, $aAdjust

    ; Enable "SeDebugPrivilege" privilege for obtain full access rights to another processes
    $hToken = _WinAPI_OpenProcessToken(BitOR($TOKEN_ADJUST_PRIVILEGES, $TOKEN_QUERY))
    _WinAPI_AdjustTokenPrivileges($hToken, $SE_DEBUG_NAME, $SE_PRIVILEGE_ENABLED, $aAdjust)

    ; Retrieve user names for all processes the system
    If Not (@error Or @extended) Then
        $Data = _WinAPI_GetProcessUser($pid)
        If IsArray($Data) Then
            return $Data[0]
        Else
            return ''
        EndIf
    EndIf

    ; Enable SeDebugPrivilege privilege by default
    _WinAPI_AdjustTokenPrivileges($hToken, $aAdjust, 0, $aAdjust)
    _WinAPI_CloseHandle($hToken)

endfunc

func fini()
    Exit
endfunc

func dbg()
    lf(' *** Debugging *** ' & @crlf)
    lf('     Curractive ubound = ' & ubound($a_curractive) & @crlf)
    lf('     Prevactive ubound = ' & ubound($a_prevactive) & @crlf)
    for $i = 0 to ubound($a_curractive) - 1
        lf('     ' & $i & ' - ' & $a_curractive[$i][0] & $a_curractive[$i][1] & @crlf)
    next
    for $i = 0 to ubound($a_prevactive) - 1
        lf('     ' & $i & ' - ' & $a_prevactive[$i][0] & $a_prevactive[$i][1] & @crlf)
    next
endfunc

kylomas

[guinness]

Lol, okay - sorry, I didn't want to be rude, just wrote a feedback Yes, it's a good solution, but not for my problem I should re-think my script again... Theoratically good, however I missed something...

It should make 2 different process list. An older and a current. If they are not the same, then write the difference, and update the old one.

Well what is the purposes of what you want to do?

[Unc3nZureD]

Thanks for both script's, they both work well

Well what is the purposes of what you want to do?

 

I just want to check if one of my program (I mean not mine, but one which I downloaded) starts any "invisible, background" process(es). I just don't trust AV's, it's too easy to hide anything from them.

[guinness]

So use what's wrong with this?

Local $fStarted = UBound(ProcessList("myProg.exe")) > 0

[kylomas]

Thanks for both script's, they both work well

 

I just want to check if one of my program (I mean not mine, but one which I downloaded) starts any "invisible, background" process(es). I just don't trust AV's, it's too easy to hide anything from them.

 

Pretty much what started me writing the script I posted.  Added the "watchlist" crap later...

[guinness]

Hi,

WMI way:

#include <Constants.au3>

Local $oWMIService = ObjGet("winmgmts:\\.\root\CIMV2")
If @error Then
    MsgBox($MB_ICONHAND, Default, "Could not initialize WMI object !")
    Exit 1
EndIf

Local $oSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($oSink, "SINK_")

Local $oContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
$oContext.Add("hostname", ".")

$oWMIService.ExecNotificationQueryAsync($oSink, _
        "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'", _
        Default, Default, Default, $oContext)

While 1
    Sleep(10)
WEnd

Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    Local $aObjData[3] = [ _
            $objLatestEvent.TargetInstance.ProcessId, _ ;pid
            $objLatestEvent.TargetInstance.Properties_.item("Name").value, _ ;pname
            $objLatestEvent.TargetInstance.ExecutablePath] ;ppath

    MsgBox($MB_SYSTEMMODAL, Default, "New process:" & @CrLf & _
            "pid: " & $aObjData[0] & @CrLf & _
            "name: " & $aObjData[1] & @CrLf & _
            "path: " & $aObjData[2])
EndFunc   ;==>SINK_OnObjectReady

Edit: Added indents.

Br, FireFox.

 

I used the x86 version of AutoIt and it only displayed a message box once. It also stopped me opening explorer windows for some reason.

[Unc3nZureD]

 

So use what's wrong with this?

Local $fStarted = UBound(ProcessList("myProg.exe")) > 0

 

It only watches one of the processes, isn't it? An exe can easily spawn an "svchost", which is probably "invisible", however it's suspicious when it exactly starts after a specific process (not to mention that svchost shoudl start with windows, not in the middle of it)

 

I used the x86 version of AutoIt and it only displayed a message box once. It also stopped me opening explorer windows for some reason.

 

x86 at me too, and it works well for me. Are you using the Stable or beta Autoit?

Edited July 27, 2013 by Unc3nZureD

[kylomas]

another flavor of WMI way...

expandcollapse popup

;
;
;

#include <date.au3>
#include <misc.au3>

HotKeySet("{ESC}","ESC")

local $oerror = ObjEvent("AutoIt.Error", "_DeBug")

Local $Obj  = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & @ComputerName & "\root\cimv2")
Local $hObj = ObjCreate("WbemScripting.SWbemSink")

If IsObj($Obj) And IsObj($hObj) Then
    ObjEvent($hObj, "SINK_")
    $Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.1 WHERE TargetInstance ISA 'Win32_Process'")
    $Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.1 WHERE TargetInstance ISA 'Win32_Process'")
EndIf

Sleep(9999999999)

Func SINK_OnObjectReady($OB)
    local $str,$owner,$ret
    Switch $OB.Path_.Class
        Case "__InstanceCreationEvent"
            $str &= $OB.TargetInstance.ProcessID & "-"
            $str &= $ob.targetinstance.name & "-"
            $str &= $ob.targetinstance.csname & "-"
            $ret = $ob.targetinstance.getowner($owner)
            $str &= $ob.targetinstance.creationdate & "-"
            $str &= $ob.targetinstance.parentprocessid & "-"
            $str &= $ob.targetinstance.executablepath & @cr
            consolewrite("!->> Started  " & $str)
            $str = ""
        Case "__InstanceDeletionEvent"
            $str &= $OB.TargetInstance.ProcessID & "-"
            $str &= $ob.targetinstance.name & "-"
            $str &= _now() & "`"
            $str &= ($ob.targetinstance.kernelmodetime + $ob.targetinstance.usermodetime) / 10000000 & @cr
            consolewrite("+->> Ended  " & $str)
            $str = ""
    EndSwitch
    Return 1
EndFunc

Func _Debug($oError)
    ConsoleWrite( _
            "! ##################### AUTOIT OBJECT ERROR ######################################" & @CRLF & _
            "!                err.number is        : " & @TAB & hex($oError.number,8) & @CRLF & _
            "!                err.scriptline is    : " & @TAB & $oError.scriptline & @CRLF & _
            "!                err.windesc is       : " & @TAB & $oError.windescription & @CRLF & _
            "!                err.desc is          : " & @TAB & $oError.description & @CRLF & _
            "!                err.source is        : " & @TAB & $oError.source & @CRLF & _
            "!                err.retcode is       : " & @TAB & hex($oError.retcode,8) & @CRLF & _
            "! ################################################################################" & @CRLF _
            )
    Return 0
EndFunc

Func ESC()
    Exit(0)
EndFunc

[FireFox]

It also stopped me opening explorer windows for some reason.

It might be something to deal with the Default parameters of the function ExecNotificationQueryAsync or the fact that the event function is blocking with the MsgBox.

[guinness]

I had to restart my system as explorer just stopped responding. Not your fault!

[FireFox]

I had to restart my system as explorer just stopped responding.