gte Posted September 29, 2009 Posted September 29, 2009 Any ideas on how to monitor a machine over the network, and tell when a specific exe reads a specific registry file? HP OpenView ServiceCenter keep alive scriptRemote Desktop Login Script
TurionAltec Posted September 29, 2009 Posted September 29, 2009 Maybe there's some way to automate Sysinternal's Procmon.
gte Posted September 29, 2009 Author Posted September 29, 2009 I was wondering that myself. That's what I used to figure out what is happening I looked through the switches for procmon and didn't see anything through the switches that could be used? I'm wondering if I could use? ObjGet ( "filename" [, "classname"] ) Maybe there's some way to automate Sysinternal's Procmon. HP OpenView ServiceCenter keep alive scriptRemote Desktop Login Script
gte Posted September 29, 2009 Author Posted September 29, 2009 Has anyone ever used autoit to interact with ETW or Event Tracing for Windows? That's what procmon does Here is a link for some C code, but this is a bit over my head I think? http://msdn.microsoft.com/en-us/magazine/cc163437.aspx expandcollapse popup#include <myevents.h> // Header generated from manifest. // Contains MyProviderId and event descriptors. REGHANDLE MyProvRegHandle; ULONG MyInteger; PWCHAR MyString; ULONG MyStringLength; EVENT_DATA_DESCRIPTOR DataDescriptor[2]; ... // Register the ETW provider. Status = EventRegister(&MyProviderId, // ProviderId (GUID) NULL, // Optional Callback NULL, // OPtioanl Callback Context &MyProvRegHandle); // Registration Handle ... // Construct DataDescriptor and write an event with // MyInteger and MyString. EventDataDescCreate(&DataDescriptor[0], // DataDescriptor &MyInteger, // Pointer to the data sizeof(ULONG)); // Size of data EventDataDescCreate(&DataDescriptor[1], &MyString, MyStringLength); Status = EventWrite(MyProvRegHandle, // Registration Handle MyEventDescriptor1, // EventDescriptor 2, // DataDescriptor array size DataDescriptor); // DataDescriptor array ... // Write another event with no user data. if (EventEnabled(MyProvRegHandle, MyEventDescriptor2)) { // Do extra work if enabled and write event. ... Status = EventWrite(MyProvRegHandle, MyEventDescriptor2, 0, NULL); } ... // Unregister the ETW provider. Status = EventUnregister(MyProvRegHandle); HP OpenView ServiceCenter keep alive scriptRemote Desktop Login Script
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now