Process Monitor is a tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays, in real time, file system activity on a Microsoft Windows operating system. Process Monitor also monitors and records all actions attempted against the Microsoft Windows Registry, so it can be used to detect failed attempts to read and write registry keys. It also allows filtering on specific keys, processes, process IDs, and values. In addition, it shows how applications use files and DLLs, detects some critical errors in system files, and more.
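A defender-side triage script, added here as an example and not part of the original page or of the Sysinternals tooling: it reads events in the shape of a Process Monitor CSV export (the column layout is assumed to match ProcMon's default export; the event lines, process names and paths are constructed) and lists registry reads and writes that did not succeed, grouped per process and optionally limited to a key prefix.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Process Monitor CSV export (default columns).
# The events, process names, PIDs and paths are made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","example.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\Example","NAME NOT FOUND","Desired Access: Read"
"10:01:02.1234600 AM","example.exe","4120","RegSetValue","HKLM\\SOFTWARE\\Example\\Run","ACCESS DENIED","Type: REG_SZ"
"10:01:02.1234700 AM","example.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Example\\Version","SUCCESS","Type: REG_SZ"
"10:01:02.1235000 AM","svchost.exe","812","CreateFile","C:\\Windows\\Temp\\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.1235100 AM","updater.exe","5500","RegOpenKey","HKCU\\Software\\Example","NAME NOT FOUND","Desired Access: Query Value"
"""

# ProcMon operation names for registry writes and reads (subset relevant here).
REGISTRY_OPS_WRITE = {"RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue", "RegSetInfoKey"}
REGISTRY_OPS_READ = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegEnumKey", "RegEnumValue"}


def failed_registry_ops(csv_text, path_prefix=None):
    """Return {(process, pid): [(operation, kind, path, result), ...]} for registry
    operations whose Result is not SUCCESS, optionally restricted to paths under
    path_prefix (case-insensitive, as registry paths are)."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if op not in REGISTRY_OPS_WRITE and op not in REGISTRY_OPS_READ:
            continue  # file, network and process events are out of scope here
        if row["Result"] == "SUCCESS":
            continue
        if path_prefix and not row["Path"].upper().startswith(path_prefix.upper()):
            continue
        kind = "write" if op in REGISTRY_OPS_WRITE else "read"
        hits[(row["Process Name"], int(row["PID"]))].append((op, kind, row["Path"], row["Result"]))
    return dict(hits)


if __name__ == "__main__":
    for (proc, pid), events in failed_registry_ops(SAMPLE_CSV).items():
        print(f"{proc} (PID {pid})")
        for op, kind, path, result in events:
            print(f"  {op:14} {kind:5} {result:16} {path}")
```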
Overview of Process Monitor Capabilities
Process Monitor includes powerful monitoring and filtering capabilities, including:
- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn’t fit in the column
- Cancellable search
- Boot time logging of all operations
Easefilter Filter Driver SDK
You can develop an application that implements the same features as the Process Monitor tool with the EaseFilter Process Monitor SDK and Registry Monitor SDK. The EaseFilter Filter Driver SDK is a kernel-mode driver that filters process/thread creation and termination; it gives you an easy way to develop Windows applications for process monitoring and protection. With the EaseFilter Process Filter Driver, your application can prevent untrusted executable binaries (malware) from being launched and protect your data from being damaged by untrusted processes. It also lets your application receive callback notifications for process/thread creation or termination. From the new-process information you can get the parent process ID and thread ID of the newly created process, the exact file name used to open the executable file, and the command line used to execute the process, if it is available.
To receive each kind of notification, enable the corresponding flag:
- new process creation: “PROCESS_CREATION_NOTIFICATION”
- process termination: “PROCESS_TERMINATION_NOTIFICATION”
- a process handle being created or duplicated: “PROCESS_HANDLE_OP_NOTIFICATION”
- new thread creation: “THREAD_CREATION_NOTIFICATION”
- thread termination: “THREAD_TERMINIATION_NOTIFICATION”
- a thread handle being created or duplicated: “THREAD_HANDLE_OP_NOTIFICATION”