OK. The fix makes it consistent, but my preference is always year.month.day from a sorting perspective.
Good idea. @novirusthanks Is it possible to let the user customize the date format? For example:
Code:
date_format=yyyy-mm-dd
So that Process Logger Service respects the setting (set by the user) and uses it accordingly. Or, is it possible to let it use a format according to the user's locale setting? (Different country = different locale, different date format.) If my locale is set to dd.mm.yyyy, Process Logger Service uses this format automatically.
And if this could apply not only to process creation and termination date formats, but also the log name, date.log.
Process Logger Service v1.4 Released (21 May 2017) http://www.novirusthanks.org/products/process-logger-service/
I may have asked this before. What is the correct method of updating these services? Can one just stop the service, copy the new (unzipped) service.exe and config.ini over the previous and restart?
You can execute uninstall.bat, which deletes the driver and stops and deletes the service. But it can be sufficient to just stop the service. Then copy the new executable ProcLoggerSvc.exe over the existing one and start the service. Regarding overwriting the config.ini: the new config.ini contains "DeleteLogsOlderThanNDays=30". If you have a value of 0 in your existing config and you now overwrite your config.ini with the new one, your old logs will be deleted. So, after you have copied it, make sure to modify the config.ini to your needs before you start the service.
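The upgrade steps from the reply above, written out as an added PowerShell example. This is my script, not NoVirusThanks' tooling, and it assumes the thread's defaults: service name ProcLoggerSvc, install root C:\ProcLoggerSvc with config.ini in that root and the executable at Service\ProcLoggerSvc.exe, plus an unzipped new release in whatever folder you pass as -NewBuild (the zip layout is an assumption). Two things it adds to the manual procedure: it checks the Authenticode signature on the new executable before copying it over a binary that runs as a service, and it carries your existing config.ini values into the new file instead of overwriting them, refusing to continue if the result would turn a DeleteLogsOlderThanNDays of 0 into a positive day count.

```powershell
# Added example: in-place upgrade of Process Logger Service that keeps the
# user's config.ini values. Not the vendor's script; the paths below are
# assumptions based on the defaults quoted in this thread. Run elevated.
param(
    [Parameter(Mandatory)] [string]$NewBuild,   # unzipped new release (assumed layout: config.ini + Service\ProcLoggerSvc.exe)
    [string]$InstallDir  = 'C:\ProcLoggerSvc',
    [string]$ServiceName = 'ProcLoggerSvc'
)
$ErrorActionPreference = 'Stop'

$oldIni = Join-Path $InstallDir 'config.ini'
$newIni = Join-Path $NewBuild   'config.ini'
$oldExe = Join-Path $InstallDir 'Service\ProcLoggerSvc.exe'
$newExe = Join-Path $NewBuild   'Service\ProcLoggerSvc.exe'

# Read key=value lines into an ordered table; comments and [sections] are skipped.
function Read-IniValues([string]$Path) {
    $values = [ordered]@{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^;#\[=][^=]*?)\s*=\s*(.*?)\s*$') { $values[$Matches[1]] = $Matches[2] }
    }
    return $values
}

# Walk the NEW file line by line so its comments, sections and any new keys
# survive, but substitute the user's old value wherever the key already existed.
function Merge-IniLines([string[]]$NewLines, $OldValues) {
    foreach ($line in $NewLines) {
        if ($line -match '^\s*([^;#\[=][^=]*?)\s*=' -and $OldValues.Contains($Matches[1])) {
            "$($Matches[1])=$($OldValues[$Matches[1]])"
        } else {
            $line
        }
    }
}

# 1. Only install a binary whose signature chains to a trusted root; print the
#    signer subject so it can be eyeballed against the vendor's name.
$sig = Get-AuthenticodeSignature -FilePath $newExe
if ($sig.Status -ne 'Valid') { throw "Signature on $newExe is '$($sig.Status)'; not installing." }
Write-Host "New executable signed by: $($sig.SignerCertificate.Subject)"

# 2. Merge the configs in memory and guard the retention trap from the thread:
#    an old value of 0 (keep logs forever) must not silently become 30 days.
$oldValues = Read-IniValues $oldIni
$merged    = @(Merge-IniLines (Get-Content -LiteralPath $newIni) $oldValues)
$daysLine  = $merged | Where-Object { $_ -match '^DeleteLogsOlderThanNDays=' } | Select-Object -First 1
$newDays   = if ($daysLine) { [int](($daysLine -split '=', 2)[1]) } else { 0 }
$oldDays   = if ($oldValues.Contains('DeleteLogsOlderThanNDays')) { [int]$oldValues['DeleteLogsOlderThanNDays'] } else { 0 }
if ($oldDays -eq 0 -and $newDays -gt 0) {
    throw "Upgrade would change DeleteLogsOlderThanNDays from 0 to $newDays and purge old logs; edit the new config.ini first."
}

# 3. Swap the files with the service stopped, keeping a backup of the old config.
Stop-Service -Name $ServiceName -Force
Copy-Item -LiteralPath $oldIni -Destination "$oldIni.bak" -Force
Copy-Item -LiteralPath $newExe -Destination $oldExe -Force
Set-Content -LiteralPath $oldIni -Value $merged -Encoding ASCII
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Usage: `.\Update-ProcLoggerSvc.ps1 -NewBuild C:\Temp\ProcLoggerSvc-new` from an elevated prompt. The merge deliberately walks the new file rather than the old one, so keys the new release introduces appear with their shipped defaults and get the same scrutiny the retention key gets here.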
Process Logger Service v1.5 Released (13 July 2017) http://www.novirusthanks.org/products/process-logger-service/
@novirusthanks Regarding System processes, Process Logger Service and ERP are showing different results, for example:
Code:
Process Logger Service v1.5:
Process: C:\Windows\System32\smartscreen.exe
System Process: False
Process: C:\Windows\System32\reg.exe
System Process: False
Process: C:\Windows\System32\conhost.exe
System Process: False

ERP (latest beta):
Process : C:\Windows\System32\smartscreen.exe
Action : System file
Process : C:\Windows\System32\reg.exe
Action : System file
Process : C:\Windows\System32\conhost.exe
Action : System file
Maybe it isn't a good idea to compare log files of two different products, but shouldn't Process Logger Service detect these processes as a System Process too? These are only examples; there are a lot more processes which are not detected as a System Process.
@novirusthanks Request:
a) maybe "Parent Signer:" could be added (to have a little bit more information about processes)
b) driver "ProcLoggerDrv.sys" co-signed by Microsoft
c) and #110 (correct identification of System Processes)
@mood @Mister X We'll work on Process Logger Service in a few days and yes, we'll add those 3 requests/fixes.
Trying to install on Windows 10 x64 RS3. Create service was successful. But then cmd displays this error:
C:\Program Files\ProcessLoggerService\Service\64-bit\ProcLoggerSvc>sc start ProcLoggerSvc
[SC] StartService FAILED 2:
The system cannot find the file specified.
Is there maybe an issue with the co-signed driver?
Never mind.
1) The error was because I did not copy the right folder to the right path before running it.
2) Yes, there is an issue with co-signed drivers.
I had the same problem with MZWriteScanner. Nowhere did it say to copy the ini file to the Windows directory before starting the service.
If we look at the following lines in config.ini/install.bat:
Code:
Config.ini
LogPath=C:\ProcLoggerSvc\Logs
ExclusionsPath=C:\ProcLoggerSvc\Exclusions

install.bat
:: Install the service
sc create ProcLoggerSvc binPath= "C:\ProcLoggerSvc\Service\ProcLoggerSvc.exe" DisplayName= "ProcLoggerSvc Service" start= auto group= "Event Log"
... the folder "ProcLoggerSvc" must be copied to C:\
A subdirectory on C:\ is not the ideal place, but what about, for example, "C:\Program Files\NoVirusThanks\ProcLoggerSvc"? No problem. If it is currently running it must be uninstalled first (uninstall.bat), then some lines must be edited:
Code:
Config.ini
LogPath=C:\Program Files\NoVirusThanks\ProcLoggerSvc\Logs
ExclusionsPath=C:\Program Files\NoVirusThanks\ProcLoggerSvc\Exclusions

install.bat
:: Install the service
sc create ProcLoggerSvc binPath= "C:\Program Files\NoVirusThanks\ProcLoggerSvc\Service\ProcLoggerSvc.exe" DisplayName= "ProcLoggerSvc Service" start= auto group= "Event Log"
In addition the directory ProcLoggerSvc on C:\ must be moved to C:\Program Files\NoVirusThanks\ (result: C:\Program Files\NoVirusThanks\ProcLoggerSvc). Now the configuration and the directory are "in sync" and the modified install.bat should be used to install it.
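Why the location matters, with an added check (my PowerShell, not the thread's or the vendor's): a folder created directly under C:\ inherits the root's "Authenticated Users: Modify" entry for its subfolders and files, so with the default C:\ProcLoggerSvc layout any local user can overwrite ProcLoggerSvc.exe, which the service control manager runs as LocalSystem, or drop entries into the Exclusions folder that silence logging. A tree under C:\Program Files is writable only by administrators and TrustedInstaller. The script below reads the service's image path from the SCM, derives config.ini and the LogPath/ExclusionsPath folders from it (assuming the layout in the install.bat above, with config.ini one level above the Service folder), and lists every Allow ACE that gives a non-administrative principal write, delete, ownership or permission-change rights on any of them.

```powershell
# Added example (not from the thread or the vendor): audit where the service
# binary, its config and its data folders live, and who can write to them.
param([string]$ServiceName = 'ProcLoggerSvc')
$ErrorActionPreference = 'Stop'

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }

# sc.exe stores binPath= exactly as it received it, so a path with spaces that
# was not escaped with \" sits unquoted in the registry; handle both forms.
function Get-ServiceImagePath([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $PathName -PathType Leaf) { return $PathName }
    return ($PathName -split ' ')[0]
}
$exe = Get-ServiceImagePath $svc.PathName

# Rights that let a principal replace or tamper with a file or directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Principals expected to have full control on a service tree. CREATOR OWNER is an
# inherit-only template, not a real grant, so it is ignored here.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-UntrustedWriters([string]$Path) {
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# Targets: the binary, its folder, config.ini (assumed one level above the
# Service folder, as in the install.bat above) and the folders config.ini names.
$root    = Split-Path (Split-Path $exe -Parent) -Parent
$targets = @($exe, (Split-Path $exe -Parent))
$ini     = Join-Path $root 'config.ini'
if (Test-Path -LiteralPath $ini) {
    $targets += $ini
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\s*(LogPath|ExclusionsPath)\s*=\s*(.+?)\s*$') { $targets += $Matches[2] }
    }
}

$findings = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Get-UntrustedWriters $t } else { Write-Warning "Missing: $t" }
}
"Service image: $exe"
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Non-administrators can modify part of the service tree; move it under C:\Program Files and re-run.'
} else {
    'No write access for non-administrators on the checked paths.'
}
```

When the install folder has spaces in its path, as the Program Files variant above does, escape the quotes in install.bat so the stored path is itself quoted (`binPath= "\"C:\Program Files\NoVirusThanks\ProcLoggerSvc\Service\ProcLoggerSvc.exe\""`); the SCM then does not have to guess where the executable name ends.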
Released a new version v1.6: http://www.novirusthanks.org/products/process-logger-service/
[22-March-2018] v1.6.0.0
+ Both 32-bit and 64-bit drivers are now co-signed by Microsoft
+ Executable files are digitally signed with both SHA1 and SHA256 code sign
+ Now the program works fine when Secure Boot is enabled
+ Fixed "System Process: False" when it should be True
+ Show Parent Signer, Integrity Level, Parent System File, etc. in log file
+ Minor fixes and optimizations
Here is an example log file on a Windows 7 VM:
Code:
[Process Creation] 03/23/2018 02:11:48
Process: [3924] C:\Windows\System32\notepad.exe
Username/Domain: Dev/VM-0001
CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\ProcLoggerSvc\Logs\Logs\03-23-2018.log
MD5 Hash: F2C7BB8ACC97F92E987A2D4087D021B1
Bitness: 64-bit
Publisher: Microsoft Corporation
Description: Blocco note
Version: 6.1.7600.16385
Integrity Level: Medium
System File: True
Protected Process: False
Parent: [2864] C:\Windows\explorer.exe
Parent CommandLine: C:\Windows\Explorer.EXE
Parent Integrity: Medium
Parent System File: True
Parent Protected Process: False
@mood Added all 3 requests.
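The v1.6 log format above is easy to turn into objects for triage. The parser and the three heuristics below are an added example of mine, not part of Process Logger Service or the thread: the first record in the sample is the notepad.exe entry from the post, the second is constructed for the demonstration (the hash is made up, and treating an empty Publisher field as "unsigned" is an assumption about how the log represents a missing signature). The heuristics flag a child whose integrity level is higher than its parent's, a non-system binary running from a user-writable location, and a missing publisher.

```powershell
# Added example: parse Process Logger Service v1.6 records and flag a few of
# them. Sample input is constructed; only the first record is from the post.
$sampleLog = @'
[Process Creation] 03/23/2018 02:11:48
Process: [3924] C:\Windows\System32\notepad.exe
Username/Domain: Dev/VM-0001
CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\ProcLoggerSvc\Logs\Logs\03-23-2018.log
MD5 Hash: F2C7BB8ACC97F92E987A2D4087D021B1
Bitness: 64-bit
Publisher: Microsoft Corporation
Description: Blocco note
Version: 6.1.7600.16385
Integrity Level: Medium
System File: True
Protected Process: False
Parent: [2864] C:\Windows\explorer.exe
Parent CommandLine: C:\Windows\Explorer.EXE
Parent Integrity: Medium
Parent System File: True
Parent Protected Process: False

[Process Creation] 03/23/2018 02:12:05
Process: [4012] C:\Users\Dev\AppData\Local\Temp\update.exe
Username/Domain: Dev/VM-0001
CommandLine: "C:\Users\Dev\AppData\Local\Temp\update.exe" /silent
MD5 Hash: 0123456789ABCDEF0123456789ABCDEF
Bitness: 32-bit
Publisher:
Description:
Version: 1.0.0.0
Integrity Level: High
System File: False
Protected Process: False
Parent: [2864] C:\Windows\explorer.exe
Parent CommandLine: C:\Windows\Explorer.EXE
Parent Integrity: Medium
Parent System File: True
Parent Protected Process: False
'@

# A record starts at a "[Event] date time" header; every following "Key: Value"
# line belongs to it until the next header. Keys keep the log's own spelling.
function ConvertFrom-ProcLoggerLog([string]$Text) {
    $records = New-Object System.Collections.Generic.List[object]
    $cur = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\[(?<event>[^\]]+)\]\s+(?<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})') {
            if ($null -ne $cur) { $records.Add([pscustomobject]$cur) }
            $cur = [ordered]@{ Event = $Matches['event']; Timestamp = $Matches['stamp'] }
        } elseif ($null -ne $cur -and $line -match '^(?<key>[^:]+?):\s?(?<val>.*)$') {
            $cur[$Matches['key']] = $Matches['val'].Trim()
        }
    }
    if ($null -ne $cur) { $records.Add([pscustomobject]$cur) }
    return $records
}

$integrityRank = @{ Low = 1; Medium = 2; High = 3; System = 4 }
$userWritable  = '\\Users\\|\\Temp\\|\\ProgramData\\'   # crude path heuristic (assumption), widen as needed

function Get-SuspiciousRecords($Records) {
    foreach ($r in $Records) {
        $flags  = @()
        $child  = $integrityRank[[string]$r.'Integrity Level']
        $parent = $integrityRank[[string]$r.'Parent Integrity']
        if ($child -and $parent -and $child -gt $parent) { $flags += 'integrity level above parent' }
        if ($r.'System File' -eq 'False' -and $r.Process -match $userWritable) { $flags += 'non-system binary in user-writable path' }
        if (-not $r.Publisher) { $flags += 'no publisher (unsigned?)' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ Timestamp = $r.Timestamp; Process = $r.Process; Parent = $r.Parent; Flags = ($flags -join '; ') }
        }
    }
}

$records = ConvertFrom-ProcLoggerLog $sampleLog
"$($records.Count) record(s) parsed"
Get-SuspiciousRecords $records | Format-Table -AutoSize
```

To run it over a real day's file, replace `$sampleLog` with `Get-Content -Raw 'C:\ProcLoggerSvc\Logs\03-23-2018.log'` (path as in the post). The parser keeps every field the log emits, so adding a rule for a new column such as Parent Signer is a matter of referencing `$r.'Parent Signer'` in Get-SuspiciousRecords.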