Process Logger Service

Discussion in 'other anti-malware software' started by Mr.X, Mar 17, 2017.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Process Logger Svc is a service-only software application that monitors for processes executed in the system and saves events to a custom log file. The program saves all process-related information, such as the process name, process ID, parent process, file company name, file description, command-line string, and much more. This service version is specifically built for companies that want to install it on thousands of PCs, it has no GUI and it runs as a service in the background, thus supporting Standard User Account, Fast User Switching, Multi-Users etc. You can also create custom exclusion rules (supporting wildcards) to not log specific events.

    http://www.novirusthanks.org/products/process-logger-service/
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
And I've been struggling with this for the last hour. Any help appreciated. :sick:

    For instance, how to create the right cmd line to exclude in the db file:
    Code:
    [Process Creation]
    
    03/17/2017 11:55:34
    Process: [6768] C:\Windows\System32\conhost.exe
    Username/Domain: MrX/MrX-PC
    CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff
    MD5 Hash: D5669294F78A7D48C318EF22D5685BA7
    Bitness: 64-bit
    Publisher: Microsoft Corporation
    Description: Console Window Host
    Version: 6.3.9600.17415
    Integrity Level: Medium
    System Process: False
    Protected Process: False
    Metro Process: False
    Parent: [2672] C:\Windows\SysWOW64\cmd.exe
    Parent CommandLine: C:\Windows\system32\cmd.exe /c sc query cmdScanner
    
     
    Last edited: Mar 17, 2017
  3. guest

    guest Guest

    You only have to add the name of the process, which you want to exclude, to the file Exclusions.db
    (Process Creations and Process Terminations are excluded)
    The service is reading the file "in realtime", you don't have to restart the service after making any change.

    To exclude all svchost.exe-processes:
    To exclude only the specific process in the System32-directory, add:
Exclusion of all files with svc in their name:
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    upcoming ads for commercial software?

    advantages to sysinternals process monitor?
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
I tried it in Shadow Defender and it was a no go. Had to run it out of the sandbox. Just in case some of you try it in a sandbox, it may not work.

    And the log file builds up really fast with svchost entries. Doesn't some malware use this exe though? If so maybe it is not a good idea to exclude it from the logs, even if it takes up much of the log.

    Brumm

    What do you mean by ads for upcoming commercial software?
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Yes, I would think this would make it impractical to use, for me...

I have a host of svchost.exe activity going on, all the time. I could follow it and understand it in XP, but Windows 10, never.

    NVT_Process Logger_01.JPG
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Thanks. I got this.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    But sorry to come again with the same question. I'm trying to figure out how to get the correct syntax for a line, to exclude. A line which contains parent and child processes, to exclude. Just take a look once again at the example I mentioned above:

    [Process Creation]

    03/17/2017 11:55:34
    Process: [6768] C:\Windows\System32\conhost.exe
    Username/Domain: MrX/MrX-PC
    CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff
    MD5 Hash: D5669294F78A7D48C318EF22D5685BA7
    Bitness: 64-bit
    Publisher: Microsoft Corporation
    Description: Console Window Host
    Version: 6.3.9600.17415
    Integrity Level: Medium
    System Process: False
    Protected Process: False
    Metro Process: False
    Parent: [2672] C:\Windows\SysWOW64\cmd.exe
    Parent CommandLine: C:\Windows\system32\cmd.exe /c sc query cmdScanner
     
    Last edited: Mar 17, 2017
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Don't be sorry....we'll all learn.:)
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
I tried it under Shadow Defender, it works. That's the goal for using Shadow Defender: to install anything on a real machine and get rid of it just by restarting the machine. Moreover, I installed it out of shadow mode, then entered shadow mode, and it works perfectly and survives with no issues after a machine reboot.

Of course it's not a good idea to exclude a process like svchost. But it is a good idea to exclude others. I actually set the log file onto another partition to prevent excessive SSD wear.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It doesn't log on Windows 10; Andreas has to make a small fix to resolve it.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    It seems to be logging fine on my Windows 10 machine, but I use insider builds.
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    When I tested the one that was published in June of 2016, it did not log. I let Andreas know about it. He said he had to make a minor fix for that version to log on Windows 10.
     
  14. guest

    guest Guest

    You can only specify a process or path on a line to exclude. You have to look at "Process:" if you want to make exclusions.
    To hide the above mentioned Process Creation:
    Or, to exclude all executables in C:\Windows\System32\ and subfolders:
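As a post-processing illustration of the exclusion discussion in this thread (posts 3, 8 and 14), here is a small Python script, added here and not part of the NoVirusThanks product, that parses log entries in the layout quoted above and applies exclusion rules to them. The product itself only takes a process name or path per line in Exclusions.db; the wildcard semantics ('*' and '?', matched case-insensitively against the full "Process:" path) and the parent/child rule pairs are assumptions for this example, and the two svchost.exe entries in the sample log are constructed. The point it shows is why a name-only exclusion such as *svchost.exe also hides an impostor running from a user-writable folder, whereas excluding the full System32 path does not.

```python
"""Parse Process Logger Service style entries and apply exclusion rules.

Added example; the log layout follows the entry quoted in this thread.
Wildcard and parent/child rule semantics are assumed for illustration.
"""
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample log: the conhost.exe entry from the thread plus two
# invented svchost.exe entries (one genuine, one running from %TEMP%).
SAMPLE_LOG = r"""
[Process Creation]

03/17/2017 11:55:34
Process: [6768] C:\Windows\System32\conhost.exe
Username/Domain: MrX/MrX-PC
CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff
MD5 Hash: D5669294F78A7D48C318EF22D5685BA7
Bitness: 64-bit
Publisher: Microsoft Corporation
Description: Console Window Host
Version: 6.3.9600.17415
Integrity Level: Medium
System Process: False
Protected Process: False
Metro Process: False
Parent: [2672] C:\Windows\SysWOW64\cmd.exe
Parent CommandLine: C:\Windows\system32\cmd.exe /c sc query cmdScanner

[Process Creation]

03/17/2017 11:56:01
Process: [1234] C:\Windows\System32\svchost.exe
Username/Domain: SYSTEM/NT AUTHORITY
CommandLine: C:\Windows\system32\svchost.exe -k netsvcs
Parent: [700] C:\Windows\System32\services.exe
Parent CommandLine: C:\Windows\system32\services.exe

[Process Creation]

03/17/2017 11:57:12
Process: [4321] C:\Users\MrX\AppData\Local\Temp\svchost.exe
Username/Domain: MrX/MrX-PC
CommandLine: svchost.exe
Parent: [2672] C:\Windows\SysWOW64\cmd.exe
Parent CommandLine: C:\Windows\system32\cmd.exe
"""

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
PID_PATH_RE = re.compile(r"^\[(\d+)\]\s+(.*)$")  # "[6768] C:\...\conhost.exe"


@dataclass
class Event:
    kind: str                 # section header, e.g. "Process Creation"
    timestamp: str = ""
    fields: dict = field(default_factory=dict)

    def _path(self, key):
        # Strip the "[pid] " prefix; return "" if the key is absent.
        m = PID_PATH_RE.match(self.fields.get(key, ""))
        return m.group(2) if m else self.fields.get(key, "")

    @property
    def process_path(self):
        return self._path("Process")

    @property
    def parent_path(self):
        return self._path("Parent")


def parse_log(text):
    """Split the log into Event objects, one per [Section] block."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Event(kind=line[1:-1])
            events.append(current)
        elif current is None:
            continue                      # text before the first header
        elif TIMESTAMP_RE.match(line):
            current.timestamp = line
        elif ": " in line:
            key, value = line.split(": ", 1)
            current.fields[key] = value
    return events


def excluded(event, path_rules, pair_rules=()):
    """True if the event matches a path rule or a (parent, child) pair rule.

    Patterns are fnmatch wildcards compared case-insensitively against the
    full process path (and parent path for pair rules).
    """
    proc, parent = event.process_path.lower(), event.parent_path.lower()
    if any(fnmatch.fnmatchcase(proc, p.lower()) for p in path_rules):
        return True
    return any(fnmatch.fnmatchcase(parent, pp.lower())
               and fnmatch.fnmatchcase(proc, cp.lower())
               for pp, cp in pair_rules)


def filter_events(text, path_rules, pair_rules=()):
    """Return the events that survive the exclusion rules."""
    return [e for e in parse_log(text) if not excluded(e, path_rules, pair_rules)]


def demo():
    """Compare name-only, full-path and parent/child exclusions on the sample."""
    by_name = [r"*svchost.exe"]                                  # too broad
    by_full_path = [r"C:\Windows\System32\svchost.exe"]          # precise
    pair = [(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe")]
    return {
        "all": len(parse_log(SAMPLE_LOG)),
        "by_name": [e.process_path for e in filter_events(SAMPLE_LOG, by_name)],
        "by_full_path": [e.process_path for e in filter_events(SAMPLE_LOG, by_full_path)],
        "parent_child": [e.process_path for e in filter_events(SAMPLE_LOG, [], pair)],
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Running the script shows that the name-only rule leaves just the conhost.exe entry (the %TEMP% svchost.exe impostor is silently dropped along with the real one), the full-path rule keeps the impostor visible, and the parent/child pair removes only the cmd.exe-spawned conhost.exe noise that the thread asked about.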
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Here's a direct link from Andreas' site:
    http://downloads.novirusthanks.org/files/ProcessLoggerService.zip

Hope you won't find issues downloading it.
     
  16. guest

    guest Guest

Going through the log files of ERP is a pain, Process Logger Service gives a better overview of launched processes (and more information)

On a low-end PC I can see:
constant CPU usage of the service: 0,12%
Launching of small executables: 3-4% CPU
without checking of checksums (ComputeMD5Hash=n via config.ini): 2-3% CPU
Negligible impact ;)

    The size of the logfile for each day varies between 2 and 6 MB. It depends...
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    What is ERP again?
     
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,057
    Location:
    UK
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Thanks stapp.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @Mister X. Some Firefox add-on is messing with it, I get 'File access error. ....'. Will have to look into it.
    But I've got it now, through Firefox with different profile.
    Will play with it in due course, if only to confirm it doesn't work on (my) Win 10.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @paulderdash

Please let me know if it works fine on Windows 10.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I sent you updated video and images of the issue I am seeing on Win 10. Did you get them ?
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
I have been logging for 4 days now. What about Windows 10 is not supposed to be working? Windows 10 Home insider builds. Admin account.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @novirusthanks, and @Lockdown - it is working on my primary Win 10 Pro laptop.

    Andreas - would it be possible to add a parameter to config.ini to delete entries after say, n days, to make the log file 'self-cleaning'?
    Edit: Does it create a new .log file every day?

    @mood @Mister X Are there any non-vulnerable processes that re-occur so frequently that they could obviously and safely be excluded, or is it best to just run as-is (no exclusions)?
     
    Last edited: Mar 20, 2017
  25. guest

    guest Guest

    ProcessLoggerService_log.png
    one logfile for each day.
If I exclude files which are running frequently and are non-vulnerable, then the size of the logfile would be only a few kB each day :ninja:
For me the purpose of running the service is to log everything.
And after the system has crashed, with the help of the logs I can find out what happened right before the crash.
The logfiles can be used for "research purposes", etc.
     