Process Logger Service

Discussion in 'other anti-malware software' started by Mister X, Mar 17, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,068
    Location:
    U.S.A. (South)
    Good deal. "Click"
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,993
    Location:
    At the door ...
    OK. The fix makes it consistent, but my preference is always year.month.day from a sorting perspective. :)
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    Good idea.
    @novirusthanks
    Is it possible to let the user customize the date-format?
    For example:
    Code:
    date_format=yyyy-mm-dd
    So that Process Logger Service is respecting the setting (set from the user) and is using it accordingly.

    Or, is it possible to let it use a format according to the user locale setting. (Different country = different locale, different date-format)
    If my locale is set to dd.mm.yyyy, Process Logger Service is using this format automatically.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,993
    Location:
    At the door ...
    And if this could apply not only to process creation and termination date formats, but also the log name, date.log.
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,993
    Location:
    At the door ...
    I may have asked this before.

    What is the correct method of updating these services? Can one just stop the service, copy the new (unzipped) service.exe and config.ini over the previous and restart?
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    You can execute uninstall.bat, which is deleting the driver, stopping and deleting the service.
    But it can be sufficient to just stop the service. Then copy the new executable ProcLoggerSvc.exe and overwrite the existing one. Now start the service.

    Regarding overwriting the config.ini:
    In the new config.ini is mentioned: "DeleteLogsOlderThanNDays=30"
    If you have a value of 0 in your existing config, and if you are now overwriting your config.ini with the new one, your old logs will be deleted.
    So, after you have copied it, make sure to modify the config.ini to your needs before you start the service.
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,993
    Location:
    At the door ...
    Thanks @mood. I actually used your second method, and re-edited my config.ini.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    @novirusthanks
    Regarding System processes, Process Logger Service and ERP are showing different results, for example:
    Code:
    Process Logger Service v1.5:
    Process: C:\Windows\System32\smartscreen.exe
    System Process: False
    Process: C:\Windows\System32\reg.exe
    System Process: False
    Process: C:\Windows\System32\conhost.exe
    System Process: False
    
    ERP (latest beta)
    Process   : C:\Windows\System32\smartscreen.exe
    Action    : System file
    Process   : C:\Windows\System32\reg.exe
    Action    : System file
    Process   : C:\Windows\System32\conhost.exe
    Action    : System file
    
    Maybe it isn't a good idea to compare logfiles of two different products, but shouldn't Process Logger Service detect these processes as a System Process too?
    These are only examples, there are a lot more processes which are not detected as a System Process.
     
  11. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,204
    Location:
    Mexico
    I think they should. A system process is a system process no matter what imho. Nice finding. :thumb:
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    @novirusthanks
    Request:
    a) maybe "Parent Signer:" could be added (to have a little bit more information about processes)
    b) driver "ProcLoggerDrv.sys" co-signed by Microsoft
    c) and #110 (correct identification of System Processes)
     
  13. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,204
    Location:
    Mexico
    @novirusthanks I second this:
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    969
    Location:
    Italy
    @mood @Mister X

    We'll work on Process Logger Service in a few days and yes we'll add that 3 requests\fixes :)
     
  15. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,204
    Location:
    Mexico
    Great. Thanks very much.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    811
    Trying to install on Windows 10 x64 RS3
    Create service was successful.
    But then cmd displays this error:
    C:\Program Files\ProcessLoggerService\Service\64-bit\ProcLoggerSvc>sc start ProcLoggerSvc
    [SC] StartService FAILED 2:

    The system cannot find the file specified.

    Is there maybe an issue of co-signed driver?
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    811
    Never mind
    1 The error was because I did not run copy the right folder to the right path before running it
    2 yes, there is an issue of co-signed drivers
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    It is not yet co-signed but will be soon: #114
     
  19. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    340
    Location:
    united kingdom
    I had the same problem with MZWriteScanner. Nowhere did it say to copy the ini file to the Windows directory before starting the service.
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    If we look at the following lines in config.ini/install.bat:
    Code:
    Config.ini
    LogPath=C:\ProcLoggerSvc\Logs
    ExclusionsPath=C:\ProcLoggerSvc\Exclusions
    
    install.bat
    :: Install the service
    sc create ProcLoggerSvc binPath= "C:\ProcLoggerSvc\Service\ProcLoggerSvc.exe" DisplayName= "ProcLoggerSvc Service" start= auto group= "Event Log"
    
    ... the folder "ProcLoggerSvc" must be copied to C:\

    A subdirectory on C:\ is not the ideal place, but what about for example: "C:\Program Files\NoVirusThanks\ProcLoggerSvc" ?
    No problem :)
    If it is currently running it must be uninstalled first (uninstall.bat), then some lines must be edited:
    Code:
    Config.ini
    LogPath=C:\Program Files\NoVirusThanks\ProcLoggerSvc\Logs
    ExclusionsPath=C:\Program Files\NoVirusThanks\ProcLoggerSvc\Exclusions
    
    install.bat
    :: Install the service
    sc create ProcLoggerSvc binPath= "C:\Program Files\NoVirusThanks\ProcLoggerSvc\Service\ProcLoggerSvc.exe" DisplayName= "ProcLoggerSvc Service" start= auto group= "Event Log"
    
    In addition the directory ProcLoggerSvc on C: must me moved to C:\Program Files\NoVirusThanks\ (Result: C:\Program Files\NoVirusThanks\ProcLoggerSvc)
    Now the configuration and the directory are "in sync" and the modified install.bat should be used to install it now.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    969
    Location:
    Italy
    Released a new version v1.6:
    http://www.novirusthanks.org/products/process-logger-service/

    [22-March-2018] v1.6.0.0

    + Both 32-bit and 64-bit drivers are now co-signed by Microsoft
    + Executable files are digitally signed with both SHA1 and SHA256 code sign
    + Now the program works fine when Secure Boot is enabled
    + Fixed "System Process: False" when it should be True
    + Show Parent Signer, Integrity Level, Parent System File, etc in log file
    + Minor fixes and optimizations

    Here is an example log file on Windows 7 VM:

    Code:
    [Process Creation]
    
    03/23/2018 02:11:48
    Process: [3924] C:\Windows\System32\notepad.exe
    Username/Domain: Dev/VM-0001
    CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\ProcLoggerSvc\Logs\Logs\03-23-2018.log
    MD5 Hash: F2C7BB8ACC97F92E987A2D4087D021B1
    Bitness: 64-bit
    Publisher: Microsoft Corporation
    Description: Blocco note
    Version: 6.1.7600.16385
    Integrity Level: Medium
    System File: True
    Protected Process: False
    Parent: [2864] C:\Windows\explorer.exe
    Parent CommandLine: C:\Windows\Explorer.EXE
    Parent Integrity: Medium
    Parent System File: True
    Parent Protected Process: False
    
    @mood

    Added all 3 requests.

     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,068
    Location:
    U.S.A. (South)
    Whoa!! Many thanks over again.
     
  23. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,204
    Location:
    Mexico
    Thank you.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,508
    Very nice, thanks :thumb:
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,993
    Location:
    At the door ...
    What does the free version lack?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.