Process Logger Service

Discussion in 'other anti-malware software' started by Mister X, Mar 17, 2017.

  1. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,552
    Location:
    Mexico
    Process Logger Svc is a service-only software application that monitors for processes executed in the system and saves events to a custom log file. The program saves all process-related information, such as the process name, process ID, parent process, file company name, file description, command-line string, and much more. This service version is specifically built for companies that want to install it on thousands of PCs; it has no GUI and runs as a service in the background, thus supporting Standard User Accounts, Fast User Switching, Multi-Users, etc. You can also create custom exclusion rules (supporting wildcards) to not log specific events.

    http://www.novirusthanks.org/products/process-logger-service/
     
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,552
    Location:
    Mexico
    And I'm struggling with this in the last hour. Any help appreciated. :sick:

    For instance, how to create the right cmd line to exclude in the db file:
    Code:
    [Process Creation]
    
    03/17/2017 11:55:34
    Process: [6768] C:\Windows\System32\conhost.exe
    Username/Domain: MrX/MrX-PC
    CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff
    MD5 Hash: D5669294F78A7D48C318EF22D5685BA7
    Bitness: 64-bit
    Publisher: Microsoft Corporation
    Description: Console Window Host
    Version: 6.3.9600.17415
    Integrity Level: Medium
    System Process: False
    Protected Process: False
    Metro Process: False
    Parent: [2672] C:\Windows\SysWOW64\cmd.exe
    Parent CommandLine: C:\Windows\system32\cmd.exe /c sc query cmdScanner
    
     
    Last edited: Mar 17, 2017
  3. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,276
    You only have to add the name of the process which you want to exclude to the file Exclusions.db
    (Process Creations and Process Terminations are excluded).
    The service reads the file "in real time"; you don't have to restart the service after making any change.

    To exclude all svchost.exe processes:
    To exclude only the specific process in the System32 directory, add:
    Exclusion of all files with svc in their name:
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,058
    upcoming ads for commercial software?

    advantages to sysinternals process monitor?
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    I tried it in Shadow Defender and a no go. Had to run out of the sandbox. Just in case some of you try it in a sandbox, it may not work.

    And the log file builds up really fast with svchost entries. Doesn't some malware use this exe though? If so maybe it is not a good idea to exclude it from the logs, even if it takes up much of the log.

    Brumm

    What do you mean by ads for upcoming commercial software?
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,236
    Yes, I would think this would make it impractical to use, for me...

    I have a host of svchost.exe activity going on, all the time. I could follow it and understand it in XP, but Windows 10, never.

    [Attachment: NVT_Process Logger_01.JPG]
     
  7. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,552
    Location:
    Mexico
    Thanks. I got this.
     
  8. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,552
    Location:
    Mexico
    But sorry to come again with the same question. I'm trying to figure out the correct syntax for a line to exclude: a line which contains parent and child processes. Just take a look once again at the example I mentioned above:

    [Process Creation]

    03/17/2017 11:55:34
    Process: [6768] C:\Windows\System32\conhost.exe
    Username/Domain: MrX/MrX-PC
    CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff
    MD5 Hash: D5669294F78A7D48C318EF22D5685BA7
    Bitness: 64-bit
    Publisher: Microsoft Corporation
    Description: Console Window Host
    Version: 6.3.9600.17415
    Integrity Level: Medium
    System Process: False
    Protected Process: False
    Metro Process: False
    Parent: [2672] C:\Windows\SysWOW64\cmd.exe
    Parent CommandLine: C:\Windows\system32\cmd.exe /c sc query cmdScanner
     
    Last edited: Mar 17, 2017
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,236
    Don't be sorry....we'll all learn.:)
     
  10. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,552
    Location:
    Mexico
    I tried it under Shadow Defender; it works. That's the point of using Shadow Defender: to install anything on a real machine and get rid of it just by restarting the machine. Moreover, I installed it out of shadow mode, then entered shadow mode, and it works perfectly and survives with no issues after a machine reboot.

    Of course it is not a good idea to exclude a process like svchost. But it is a good idea to exclude others. I actually set the log file on another partition to prevent excessive SSD wear.
     
  11. Lockdown

    Lockdown Developer

    Joined:
    Oct 28, 2016
    Posts:
    697
    Location:
    AppGuard LLC, Virginia, U.S.
    It doesn't log on Windows 10; Andreas has to make a small fix to resolve it.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    It seems to be logging fine on my Windows 10 machine, but I use insider builds.
     
  13. Lockdown

    Lockdown Developer

    Joined:
    Oct 28, 2016
    Posts:
    697
    Location:
    AppGuard LLC, Virginia, U.S.
    When I tested the one that was published in June of 2016, it did not log. I let Andreas know about it. He said he had to make a minor fix for that version to log on Windows 10.
     
  14. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,276
    You can only specify a process or path on a line to exclude. You have to look at "Process:" if you want to make exclusions.
    To hide the above-mentioned Process Creation:
    Or, to exclude all executables in C:\Windows\System32\ and subfolders:
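Editor's added example, not part of mood's posts and not NoVirusThanks' own code: mood's two replies (#3 and #14) say Exclusions.db takes one process name or path per line, wildcards allowed, matched against the "Process:" field only, so Mister X's parent-plus-child line cannot be expressed there. The Python below parses the record format quoted in the thread and applies rules of the kinds mood describes (bare name, full path, a `*svc*` wildcard, a directory with its subfolders), then goes beyond the tool with a post-processing filter that also looks at "Parent:", so the conhost.exe-under-cmd.exe event can be dropped from a review copy without excluding conhost.exe in the service itself, and a check that flags svchost.exe launches from an unexpected path or parent, which is what boredog's worry about excluding svchost.exe amounts to. The rule semantics (name vs. path, case-insensitive, `*`/`?` wildcards), sample records 2 and 3, and the svchost parent heuristic are assumptions; the tool's actual matching is not documented on this page.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample input. Record 1 is (a trimmed copy of) the conhost.exe
# event quoted in the thread; records 2 and 3 are made up to exercise the filters.
SAMPLE_LOG = r"""[Process Creation]

03/17/2017 11:55:34
Process: [6768] C:\Windows\System32\conhost.exe
Username/Domain: MrX/MrX-PC
CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff
MD5 Hash: D5669294F78A7D48C318EF22D5685BA7
Parent: [2672] C:\Windows\SysWOW64\cmd.exe
Parent CommandLine: C:\Windows\system32\cmd.exe /c sc query cmdScanner

[Process Creation]

03/17/2017 11:56:02
Process: [4120] C:\Windows\System32\svchost.exe
CommandLine: C:\Windows\system32\svchost.exe -k netsvcs
Parent: [652] C:\Windows\System32\services.exe

[Process Creation]

03/17/2017 11:57:45
Process: [5532] C:\Users\MrX\AppData\Local\Temp\svchost.exe
CommandLine: svchost.exe
Parent: [3004] C:\Windows\System32\wscript.exe
"""

HEADER = re.compile(r"^\[(Process (?:Creation|Termination))\]$")
STAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
PID_PATH = re.compile(r"^\[(\d+)\]\s+(.+)$")

@dataclass
class Event:
    kind: str
    timestamp: str = ""
    fields: dict = field(default_factory=dict)

    def image(self, key):
        # Path part of a "[pid] path" field such as Process: or Parent: ("" if absent).
        m = PID_PATH.match(self.fields.get(key, ""))
        return m.group(2) if m else ""

def parse_log(text):
    """One Event per record: a [header] line, a timestamp line, then 'Key: value' lines."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            cur = Event(kind=m.group(1))
            events.append(cur)
        elif cur is None or not line:
            continue
        elif STAMP.match(line):
            cur.timestamp = line
        elif ": " in line:
            key, value = line.split(": ", 1)
            cur.fields[key] = value
    return events

def matches(path, rule):
    """Assumed rule semantics (modelled on the replies, not on the tool's docs): a rule
    containing a backslash is matched against the whole path, any other rule against
    the file name only; '*' and '?' are wildcards; matching is case-insensitive."""
    path, rule = path.lower(), rule.lower()
    subject = path if "\\" in rule else path.rsplit("\\", 1)[-1]
    return fnmatch.fnmatchcase(subject, rule)

def apply_exclusions(events, rules, parent_rules=()):
    """Drop events whose Process: matches a rule, or whose (Process, Parent) pair matches
    a parent rule. Parent rules are a post-processing addition: per the thread the
    service itself only matches on Process:."""
    kept = []
    for ev in events:
        proc, parent = ev.image("Process"), ev.image("Parent")
        if any(matches(proc, r) for r in rules):
            continue
        if any(matches(proc, p) and matches(parent, q) for p, q in parent_rules):
            continue
        kept.append(ev)
    return kept

# Assumed hunting heuristic, not from the page: a genuine svchost.exe lives in
# System32/SysWOW64 and is started by services.exe. Legitimate exceptions exist,
# so hits are leads to review rather than verdicts.
def suspicious_svchost(events):
    hits = []
    for ev in events:
        proc = ev.image("Process")
        if not matches(proc, "svchost.exe"):
            continue
        expected = (matches(proc, "C:\\Windows\\Sys*\\svchost.exe")
                    and matches(ev.image("Parent"), "services.exe"))
        if not expected:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # A bare name rule hides the Temp impostor too; a full-path rule keeps it visible.
    for rules in (["svchost.exe"], ["C:\\Windows\\System32\\svchost.exe"]):
        print(rules, "->", [e.image("Process") for e in apply_exclusions(events, rules)])
    # Mister X's case: drop conhost.exe only when its parent is cmd.exe.
    print([e.image("Process") for e in apply_exclusions(events, [], [("conhost.exe", "cmd.exe")])])
    for ev in suspicious_svchost(events):
        print("REVIEW:", ev.timestamp, ev.fields["Process"], "parent:", ev.fields["Parent"])
```

Running it shows the practical difference between the two svchost rules: `svchost.exe` as a bare name silences every process with that file name, including one dropped into a user's Temp folder, while the full-path form only hides the copy in System32. Because the parent-aware filter runs over a copy of the log, the service keeps writing the complete record, which is the property mood values in post #25 for after-the-fact crash and research analysis.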
     
  15. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,552
    Location:
    Mexico
    Here's a direct link from Andreas' site:
    http://downloads.novirusthanks.org/files/ProcessLoggerService.zip

    Hope you won't find issues downloading it.
     
  16. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,276
    Going through the log files of ERP is a pain; Process Logger Service gives a better overview of launched processes (and more information).

    On a low-end PC I can see:
    constant CPU usage of the service: 0.12%
    launching of small executables: 3-4% CPU
    without checking of checksums (ComputeMD5Hash=n via config.ini): 2-3% CPU
    Negligible impact ;)

    The size of the logfile for each day varies between 2 and 6 MB. It depends...
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    What is ERP again?
     
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    8,445
    Location:
    England
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    Thanks stapp.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,909
    Location:
    Cape Town, South Africa
    Thanks @Mister X. Some Firefox add-on is messing with it, I get 'File access error. ....'. Will have to look into it.
    But I've got it now, through Firefox with different profile.
    Will play with it in due course, if only to confirm it doesn't work on (my) Win 10.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    @paulderdash

    Please let me know if it works fine on Windows 10.
     
  22. Lockdown

    Lockdown Developer

    Joined:
    Oct 28, 2016
    Posts:
    697
    Location:
    AppGuard LLC, Virginia, U.S.
    I sent you updated video and images of the issue I am seeing on Win 10. Did you get them ?
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    I have been logging for 4 days now. What about Windows 10 is not supposed to be working? Windows 10 Home insider builds. Admin account.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,909
    Location:
    Cape Town, South Africa
    @novirusthanks, and @Lockdown - it is working on my primary Win 10 Pro laptop.

    Andreas - would it be possible to add a parameter to config.ini to delete entries after say, n days, to make the log file 'self-cleaning'?
    Edit: Does it create a new .log file every day?

    @mood @Mister X Are there any non-vulnerable processes that re-occur so frequently that they could obviously and safely be excluded, or is it best to just run as-is (no exclusions)?
     
    Last edited: Mar 20, 2017
  25. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,276
    [Attachment: ProcessLoggerService_log.png]
    one logfile for each day.
    If I exclude files which are running frequently and are non-vulnerable, then the size of the logfile would be only a few kB each day :ninja:
    For me the purpose for running the service is to log everything.
    And after the system has crashed, with the help of the logs i can find out what has happened right before the crash.
    The logfiles can be used for "research purposes",etc.
     