forum.vdsworld.com Forum Index forum.vdsworld.com
Visit VDSWORLD.com
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Monitor process creation

 
Post new topic   Reply to topic    forum.vdsworld.com Forum Index -> General Help
View previous topic :: View next topic  
Author Message
Max
Newbie


Joined: 24 Jul 2011
Posts: 20
PostPosted: Thu Apr 05, 2012 3:16 pm    Post subject: Monitor process creation Reply with quote
This below is a vbscript that monitor new process in a system.

Code:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colMonitoredProcesses = objWMIService. _       
    ExecNotificationQuery("select * from __instancecreationevent " _
        & " within 1 where TargetInstance isa 'Win32_Process'")
i = 0
Do While i = 0
    Set objLatestProcess = colMonitoredProcesses.NextEvent
    Wscript.Echo objLatestProcess.TargetInstance.Name
Loop


Is there any similar coding in vds using the above method? Question

Thank you
Back to top
View user's profile Send private message
Garrett
Moderator Team


Joined: 04 Oct 2001
Posts: 2149
Location: A House
PostPosted: Thu Apr 05, 2012 4:25 pm    Post subject: Reply with quote
You can monitor processes with VDS yes. Look at the LIST command in the help file. There's an option for LIST for checking processes.
_________________
'What you do not want done to yourself, do not do to others.' - Confucius (550 b.c. to 479 b.c.)
Back to top
View user's profile Send private message
Max
Newbie


Joined: 24 Jul 2011
Posts: 20
PostPosted: Thu Apr 05, 2012 5:08 pm    Post subject: Reply with quote
Thanks Garrett. Smile , I know about the list feature, list winlist and list tasklist but what I really like to know is, if theres a simlar monitor VDS method using the vbscript method above. Question
Back to top
View user's profile Send private message
Aslan
Valued Contributor
Valued Contributor


Joined: 31 May 2001
Posts: 589
Location: Memphis, TN USA
PostPosted: Thu Apr 05, 2012 11:20 pm    Post subject: Reply with quote
Only if you have the GadgetX extension.

The following is an example of being notified when there is a new event log event using the GadgetX extension.
Code:
Title WinEventLogCollector
  External GadgetX.dll
  #DEFINE COMMAND,GadgetX,DEFINE,OLE,Set
  #DEFINE FUNCTION,GadgetX,OLE,Get,Mem
  Option ErrorTrap,Error
 
 Define IID,CreationEvent,{75718CA0-F029-11D1-A1AC-00C04FB6C223}
 Define EventMap,CreationEvent,OnObjectReady,1
 Define EventMap,CreationEvent,OnCompleted,2
 Define Variable,Object,objWMIService
 Define Variable,Object,objEvents
 Define variable,Object,objObject

  Ole Init
  Ole Exceptions,SHOW
  Set objWMIService,@Ole(GetObject,NULL,"winmgmts:{impersonationLevel=impersonate, (security)}!\\.\root\cimv2")
  Set objEvents,@Ole(Create,WbemScripting.SWbemSink)
  %%token1 = @Ole(ConnectEvents,objEvents,CreationEvent)
  Ole Call,objWMIService,"ExecNotificationQueryAsync(^o,^B)",objEvents,"SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_NTLogEvent'"

:Evloop
  wait event
  goto @event()
                   
:CreationEventOnObjectReady
# In VB would be "Sub  objEventsOnObjectReady(objObject,objAsyncContext)"
# Need to get "objObject" because its properties contain the data
  %%fsep = @fsep()
  option fieldsep,","
  Parse "%%objObject;%%objAsyncContext", @Ole(EventParamsList,CreationEventOnObjectReady)
  option fieldsep,%%fsep
  Set objObject,@Get(%%objObject)
  %%CategoryString = @Ole(GetProperty,"^B",objObject.TargetInstance.CategoryString)
  %%ComputerName = @Ole(GetProperty,"^B",objObject.TargetInstance.ComputerName)
  %%EventCode = @Ole(GetProperty,"^B",objObject.TargetInstance.EventCode)
  %%EventType = @Ole(GetProperty,"^B",objObject.TargetInstance.EventType)
  %%Logfile = @Ole(GetProperty,"^B",objObject.TargetInstance.Logfile)
  %%TimeGenerated = @Ole(GetProperty,"^B",objObject.TargetInstance.TimeGenerated)
  %%Type = @Ole(GetProperty,"^B",objObject.TargetInstance.Type)
  %%User = @Ole(GetProperty,"^B",objObject.TargetInstance.User)
  %%Message = @Ole(GetProperty,"^B",objObject.TargetInstance.Message)
  info CategoryString:@tab()%%CategoryString@cr()ComputerName:@tab()%%ComputerName@cr()EventCode:@tab()%%EventCode@cr()EventType:@tab()%%EventType@crLogfile:@tab()@tab()%%Logfile@cr()TimeGenerated:@tab()%%TimeGenerated@cr()Type:@tab()@tab()%%Type@crUser:@tab()@tab()%%User@cr()Message:@cr()@cr()"************************************************************"@cr()%%Message@cr()"************************************************************"
  Goto evloop

:CreationEventOnCompleted
  info Event call complete.
  goto evloop
   
:CLOSE
:STOP
  If @Get(objEvents)
    Ole Call,objEvents,Cancel
    Ole DisConnectEvents,objEvents,CreationEvent,%%token1
    Ole Free,Object,objEvents
  End
  If @Get(objWMIService)
    Ole Free,Object,objWMIService
  End
  Ole UnInit
 Exit


Hope this helps put you in the right direction.
Back to top
View user's profile Send private message Send e-mail
Max
Newbie


Joined: 24 Jul 2011
Posts: 20
PostPosted: Fri Apr 06, 2012 5:40 pm    Post subject: Reply with quote
Thanks Aslan, but when I run the above code, it comes out nothing(yeah I download the demo GadgetX), maybe its because I couldn't understand how it works. Rolling Eyes


Guess I have to use list tasklist as Garrett suggested.

Here's the code that I start with.

Code:
LIST CREATE, 1
list clear,1

LIST CREATE, 2
list clear,2
list tasklist,1,N
WAIT 5
list tasklist,2,N
If @equal(@text(1),@text(2))
    INFO Lists are same as each other.
    LIST DELETE,1 
    LIST DELETE,2
  Else
    INFO List are not the same.
    LIST DELETE,1 
    LIST DELETE,2

  End


The problem with it is it works but it generate the message whenever there's a process creation or process deletion event.

I only want the process creation event only. Sad
Back to top
View user's profile Send private message
Aslan
Valued Contributor
Valued Contributor


Joined: 31 May 2001
Posts: 589
Location: Memphis, TN USA
PostPosted: Fri Apr 06, 2012 7:20 pm    Post subject: Reply with quote
I forgot to mention that the script needs to be run with administrative rights.
Back to top
View user's profile Send private message Send e-mail
Garrett
Moderator Team


Joined: 04 Oct 2001
Posts: 2149
Location: A House
PostPosted: Sat Apr 07, 2012 1:03 am    Post subject: Reply with quote
If you keep a copy of the list in another list, simply do a comparison of both
lists and when a process missing, do nothing, update your copy of the list
and wait until the comparison shows that a new process has started and
then toss yourself a message.
_________________
'What you do not want done to yourself, do not do to others.' - Confucius (550 b.c. to 479 b.c.)
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    forum.vdsworld.com Forum Index -> General Help All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum

Twitter@vdsworld       RSS

Powered by phpBB © 2001, 2005 phpBB Group