堆栈内存溢出
  简体   繁体   English

Procmon的命令行版本

[英]Command line version of Procmon

 原文  2018-10-09 16:50:26       windows/ process/ sysinternals/ procmon

问题描述

I'm using Windows 7 and I'd like to monitor for new Process Create events. 我正在使用Windows 7,我想监视新的Process Create事件。 (ie get an entry for each process that's created, with full details about it.) I succeeded in doing this in Procmon, but I want to do it in the shell, and get text output without a GUI. (即为每个创建的进程获取一个条目,并提供有关它的完整详细信息。)我在Procmon中成功完成了此操作,但我想在shell中执行此操作,并在没有GUI的情况下获取文本输出。

Is there a CLI command that does that? 是否有CLI命令执行此操作? eg I could tell it "Please list all events of the type so-and-so with a path of so-and-so" and it'll run indefinitely, writing details of these processes to stdout? 例如,我可以告诉它“请列出所有类型的事件,某某路径是某某某某”并且它将无限期地运行,将这些过程的详细信息写入stdout?

2 个解决方案

解决方案1
 0  2018-10-18 12:07:33

You can build your own using the Microsoft.Diagnostics.Tracing.TraceEvent nuget package . 您可以使用Microsoft.Diagnostics.Tracing.TraceEvent nuget包构建自己的 It's a wrapper over ETW (Event Tracing for Windows) events, and its developed my Microsoft. 它是ETW(Windows事件跟踪)事件的包装器,它开发了我的Microsoft。

Here is some sample C# Console Application code that displays all process Start and Stop events: 以下是一些示例C#控制台应用程序代码,它显示了所有进程的Start和Stop事件: 

using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace ProcMon
{
    class Program
    {
        static void Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            using (var session = new TraceEventSession("whatever"))
            {
                // handle console CTRL+C gracefully
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need
                session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

                session.Source.Kernel.ProcessStart += data =>
                {
                    Console.WriteLine("START Id:" + data.ProcessID + " Name:" + data.ProcessName);
                };

                session.Source.Kernel.ProcessStop += data =>
                {
                    // stop has no name
                    Console.WriteLine("STOP Id:" + data.ProcessID);
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}

解决方案2
 -1 已采纳  2018-10-19 08:11:53

Wtrace is okay: https://github.com/lowleveldesign/wtrace/ Wtrace没关系: https//github.com/lowleveldesign/wtrace/

I was able to use it to find the creation of a new process and see the command line arguments. 我能够使用它来查找新进程的创建并查看命令行参数。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Procmon命令行不保存过滤的输出 - Procmon command line does not save filtered output 如何使用命令行更改 grails 版本? - How to change the grails version using command line? 在 Windows 命令行上查找 PHP 版本 - Find PHP version on windows command line 从 windows 命令行安装的 WDK 版本 - Installed WDK Version from windows command line JMeter命令行-Linux版本与Windows版本 - JMeter command line - linux version vs windows version 是否有命令行命令用于验证安装的.NET版本 - Is there a command line command for verifying what version of .NET is installed javac 版本和 java 版本在命令行上显示不同 - javac version and java version show different on command line strace或procmon等效于Java - strace or procmon equivalent for java 如何将Maven项目版本添加到Windows命令行或批处理文件? - How to get Maven project version to the Windows command line or Batch file? 如何在 5.1 版的命令行窗口中查找大文件 - how to find large files in command line windows for version 5.1
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM