Last time I discussed how to use logman and the kernel file provider to look at what files a process used.
Now, let's say that you're also interested in processes that may have been created. For example, if you have a number of tools in a batch file, the batch file itself is interpreted by cmd.exe, but each of the tools will be its own process (unless it's something like dir, which cmd.exe handles on its own).
This is really just a variation on last time's solution: set up a trace with the right provider, then go look for the data you're interested in.
The provider is a different one, and that's about it.
logman create trace myfiles -o C:\Users\Public\myfiles -p Microsoft-Windows-Kernel-Process
If you want to trace files at the same time, you can start combining providers into a file and use the -pf argument.
pushd C:\Users\Public
echo Microsoft-Windows-Kernel-Process > myproviders.txt
echo Microsoft-Windows-Kernel-File >> myproviders.txt
logman create trace myfiles -o C:\Users\Public\myfiles -pf myproviders.txt
Then start and proceed as before.
The data we're interested in is the following:
...
$q = "/Events/e:Event[e:RenderingInfo/e:Task = 'ProcessStart']/e:EventData/e:Data"
$doc.SelectNodes($q, $nsmgr)
We're looking for ProcessStart tasks. Here I'm returning the whole Data payload, because you'll be interested in at least the following.
\Device\HarddiskVolume4\Windows\System32\cmd.exe
The other event you might find interesting is the task 'ProcessStop', which has the following interesting fields (among others).
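To show the ProcessStart query above and the ProcessStop event together, here is an added example (not from the post) that parses a tracerpt-style XML export and pairs each start with its stop by ProcessID. The XML is a hand-constructed stand-in for a real export, and the Data field names ProcessID, ParentProcessID, ImageName and ExitCode are assumptions taken from the Kernel-Process manifest rather than from the post.

```powershell
# Constructed stand-in for a tracerpt XML export: root <Events> has no namespace,
# each <Event> declares the events/event default namespace (matches the post's XPath).
# Field names (ProcessID, ParentProcessID, ImageName, ExitCode) are assumed from the
# Kernel-Process manifest; the values and PIDs are made up for the example.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
[xml]$doc = @"
<Events>
  <Event xmlns="$ns">
    <RenderingInfo><Task>ProcessStart</Task></RenderingInfo>
    <EventData><Data Name="ProcessID">4120</Data><Data Name="ParentProcessID">812</Data>
      <Data Name="ImageName">\Device\HarddiskVolume4\Windows\System32\cmd.exe</Data></EventData>
  </Event>
  <Event xmlns="$ns">
    <RenderingInfo><Task>ProcessStart</Task></RenderingInfo>
    <EventData><Data Name="ProcessID">4188</Data><Data Name="ParentProcessID">4120</Data>
      <Data Name="ImageName">\Device\HarddiskVolume4\Windows\System32\findstr.exe</Data></EventData>
  </Event>
  <Event xmlns="$ns">
    <RenderingInfo><Task>ProcessStop</Task></RenderingInfo>
    <EventData><Data Name="ProcessID">4188</Data><Data Name="ExitCode">0</Data>
      <Data Name="ImageName">\Device\HarddiskVolume4\Windows\System32\findstr.exe</Data></EventData>
  </Event>
</Events>
"@
$nsmgr = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$nsmgr.AddNamespace('e', $ns)

# Turn one Event's Data payload into a hashtable keyed by the Data Name attribute.
function ConvertTo-FieldTable($event) {
    $t = @{}
    foreach ($d in $event.SelectNodes('e:EventData/e:Data', $nsmgr)) {
        $t[$d.GetAttribute('Name')] = $d.InnerText
    }
    $t
}

# Index every ProcessStart by ProcessID, then fill in the exit code from ProcessStop.
$starts = @{}
foreach ($ev in $doc.SelectNodes("/Events/e:Event[e:RenderingInfo/e:Task = 'ProcessStart']", $nsmgr)) {
    $f = ConvertTo-FieldTable $ev
    $starts[$f.ProcessID] = [pscustomobject]@{ Pid = [int]$f.ProcessID; ParentPid = [int]$f.ParentProcessID; Image = $f.ImageName; ExitCode = $null }
}
foreach ($ev in $doc.SelectNodes("/Events/e:Event[e:RenderingInfo/e:Task = 'ProcessStop']", $nsmgr)) {
    $f = ConvertTo-FieldTable $ev
    if ($starts.ContainsKey($f.ProcessID)) { $starts[$f.ProcessID].ExitCode = $f.ExitCode }
}
# A row with an empty ExitCode is a process that was still running when the trace stopped.
$starts.Values | Sort-Object Pid | Format-Table Pid, ParentPid, ExitCode, Image -AutoSize
```

On a real export, replace the here-string with `[xml]$doc = Get-Content -Raw .\myfiles.xml` (the output of tracerpt -of XML); the ParentPid column is what lets you walk from cmd.exe to each tool it launched.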
Happy tracing!
Tags: debugging