
TechNet Process Monitor script



Hello, I am trying to capture the output of ProcMon in real time, but it seems to keep crashing, and I can't figure out why. Can anyone help? My guess is a conflict between ProcMon and my script's read request, possibly producing an access violation. :/

Thank you!


#include <WinAPIProc.au3>
#include <Array.au3>
#include <GuiListView.au3>

; Pick the Process Monitor binary for the OS architecture (file names assumed)
If @OSArch = "X64" Then
    Global $sExec = @ScriptDir & "\Procmon64.exe"
Else
    Global $sExec = @ScriptDir & "\Procmon.exe"
EndIf

Global $iPID = Run($sExec & " /acceptEula /Quiet", @ScriptDir, @SW_SHOW)
Sleep(2000) ; let Process Monitor create its main window before enumerating
Global $aWnd = _WinAPI_EnumProcessWindows($iPID, False)
If Not IsArray($aWnd) Then _Exit()

; $aWnd[$i][0] is the window handle, $aWnd[$i][1] its class name
Global $hWnd = 0
For $i = 1 To $aWnd[0][0]
    If $aWnd[$i][1] = "PROCMON_WINDOW_CLASS" Then
        $hWnd = $aWnd[$i][0]
        ExitLoop
    EndIf
Next
If Not $hWnd Then _Exit()

Global $hListView = ControlGetHandle($hWnd, "", "SysListView321")
Local $iMax = 0
Local $iLast = 0
While Sleep(1000)
    $iMax = _GUICtrlListView_GetItemCount($hListView)
    If $iMax > 0 Then
        ; presumed intent of the truncated loop: read rows added since the last pass
        For $i = $iLast To $iMax - 1
            ConsoleWrite(_GUICtrlListView_GetItemTextString($hListView, $i) & @CRLF)
        Next
        $iLast = $iMax
    EndIf
WEnd

Func _Exit()
    Exit
EndFunc


The problem is that this is a virtual listview. This can be verified by examining the listview style with the AutoIt Window Info tool. You'll see that the LVS_OWNERDATA (0x1000) flag is set which means that it's a virtual listview.

In a virtual listview data isn't stored directly in the listview but in an underlying data source which is normally an array, a data structure, a file or a database.

Because data isn't stored in the listview many of the _GUICtrlListView_Get/Set functions are not working. You have to manipulate the data source directly. But this requires that you have access to the data source.

The selected state of an item is one of the few pieces of information that is stored directly in the listview. This is necessary to be able to draw the dark blue background color for selected items. Code like this should be working (start Process Monitor in advance):

#include <GuiListView.au3>

; $LVIS_SELECTED comes from ListViewConstants.au3, which GuiListView.au3 includes
$hListView = ControlGetHandle( WinGetHandle( "[CLASS:PROCMON_WINDOW_CLASS]" ), "", "SysListView321" )
For $i = 0 To _GUICtrlListView_GetItemCount( $hListView ) - 1
  ConsoleWrite( $i & ": " & _GUICtrlListView_GetItemState( $hListView, $i, $LVIS_SELECTED ) & @CRLF )
Next

It should print 2 for a selected item and 0 for a non-selected item.

The UI Automation framework has some support for virtual listviews. But only for visible items. To get information for an item you have to scroll it into position so that it's visible. This will be time consuming for many items.

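The reply above makes two points that are worth turning into a script: the LVS_OWNERDATA (0x1000) style bit is what marks a virtual listview, and the selected state is about the only per-row data such a control keeps itself. The following AutoIt script is an added example, not code posted in this thread; it checks the style bit programmatically (instead of with the AutoIt Window Info tool) before attempting any read, then collects the selected row indices. It assumes Process Monitor is already running, that the window class and control ID are the ones named in the thread, and standard AutoIt UDF names (_WinAPI_GetWindowLong, _GUICtrlListView_GetItemState); the helper names _IsVirtualListView and _SelectedRows are my own.

```autoit
; Added example (not from the thread): check for a virtual listview before
; reading it, then list the selected rows, which a virtual listview stores itself.
#include <WinAPI.au3>
#include <WindowsConstants.au3>
#include <ListViewConstants.au3>
#include <GuiListView.au3>

Global $hProcMon = WinGetHandle("[CLASS:PROCMON_WINDOW_CLASS]")
If @error Then
    ConsoleWrite("Process Monitor window not found" & @CRLF)
    Exit 1
EndIf
Global $hListView = ControlGetHandle($hProcMon, "", "SysListView321")

If _IsVirtualListView($hListView) Then
    ConsoleWrite("LVS_OWNERDATA is set: row text lives in Process Monitor's own data source, " & _
            "so _GUICtrlListView_GetItemText will not return it." & @CRLF)
Else
    ConsoleWrite("Ordinary listview: the _GUICtrlListView_Get* functions can read it." & @CRLF)
EndIf

; Selection state is kept in the control itself, so this works either way.
Global $aSel = _SelectedRows($hListView)
ConsoleWrite($aSel[0] & " of " & _GUICtrlListView_GetItemCount($hListView) & " rows selected" & @CRLF)
For $i = 1 To $aSel[0]
    ConsoleWrite("  row " & $aSel[$i] & @CRLF)
Next

; Returns True when the control's window style carries the LVS_OWNERDATA (0x1000) bit.
Func _IsVirtualListView($hLV)
    Local $iStyle = _WinAPI_GetWindowLong($hLV, $GWL_STYLE)
    Return BitAND($iStyle, $LVS_OWNERDATA) = $LVS_OWNERDATA
EndFunc

; Returns a 1-based array of selected row indices; element [0] holds the count.
Func _SelectedRows($hLV)
    Local $iCount = _GUICtrlListView_GetItemCount($hLV)
    Local $aRows[$iCount + 1] = [0]
    For $i = 0 To $iCount - 1
        If BitAND(_GUICtrlListView_GetItemState($hLV, $i, $LVIS_SELECTED), $LVIS_SELECTED) Then
            $aRows[0] += 1
            $aRows[$aRows[0]] = $i
        EndIf
    Next
    ReDim $aRows[$aRows[0] + 1]
    Return $aRows
EndFunc
```

Run it while Process Monitor is open with a few rows selected; the style check tells you up front whether scraping row text through the listview API can work at all, which is the question the thread's first script runs into.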

Thanks for your feedback LarsJ, I have been successfully able to parse the list on a 32-bit OS using the script I posted. I will take your input into consideration on other projects I run into trouble with, thank you.
