Monitoring a process in Windows - windows

How can I monitor a Windows process and start it up if it is not running? I'd like to have something that starts up as a Windows service and can handle multiple processes.
EDIT:
Hopefully there's a ready to use library/component I can use and just tweak or configure instead of having to implement it from scratch. I know in the *nix world of two popular packages: god and monit.

You can create a Windows Service that just watches the current process list.
EnumProcesses provides the means of seeing processes running currently. There are many APIs available to start a new process, including:
system()
_exec()
WinExec()
ShellExecute()/ShellExecuteEx()
CreateProcess()
CreateProcessAsUser()
CreateProcessWithLogonW()
If you're using other languages/frameworks, they often provide their own wrappers around the above.

Related

How to prevent process from being killed on Windows

I have some processes running on Windows 10 and I don't want them exit or close by anything inside or outside. I want to protect them. Anyone can tell me what I need to do or introduce me some tools to do this. Thank you so much
If you implement your "important" process as a service then a normal user will not be able to stop or kill it.
Preventing someone with administrator privileges from killing your process is very hard and I would recommend that you don't try to stop them.
Administrators can stop services, debug (and therefore kill) processes they did not start, run code as the system user and load kernel drives. There are only two ways to (try to) stop them:
If you are a real Antivirus/Antimalware vendor then you can create ELAM drivers and protected services. (Protected services can be debugged by a kernel debugger)
Create a kernel driver that prevents certain access rights when processes call OpenProcess and/or use dirty tricks to hide your process from the list of processes so it does not show up in task manager and other tools. Most people would consider this a pretty evil thing to do! You will have to fight with PatchGuard and Antivirus software if you try to do this.

Is there a WinAPI way to detect remote applications like LogMeIn?

Years ago, there were functions in Win32 whereby the app could check to see if a user was running the app via Terminal Services/Remote Desktop. I thnk it was something like:
GetSystemMetrics(1000H)
Is there a system call one can make to check to see if a Win32 or Win64 app is being run remotely via a program like GotoMyPC or LogMeIn?
No, there is not. Those are third party apps doing their own video/input capturing and network streaming. They are plain ordinary apps as far as Windows is concerned. Terminal Services is built into Windows, which is why there are APIs to query TS status.
The only way I can (currently) think of, other than using the aforementioned API call, is also seeing if any particular processes you can identify are running (e.g. GotoMyPC or LogMeIn... they will have some process running). Without doing too much research, they may be running without actually having someone using them. If, however, they launch something to do the streaming, you could check for that.
Just to make sure that this isn't an XY problem, what is it that you're trying to do - and perhaps there is another way?

Hook all new processes and command line arguments in Windows

I wish to know what tools my IDE runs and what command line arguments it uses.
Is there such tool that will provide such information?
I can make an app that will save all processes every second or even faster but I'm still not sure that it will hook everything. There must be some tool already that will do that work much better. Like hooking OS calls for WinExec or CreateProcess(Ex).
Sysinternals Process Monitor can log process events, among other things. It works by monitoring Native API calls, so it'll work regardless of which library function programs use.

Windows service porting to linux

I am porting an application which runs as a background service in windows at startup, we are porting the application to linux(SUSE Enterprise server), I'am completely new to linux. Can somebody help me on how to proceed with this. Like
Should I build the linux executable
After builiding the binary, what changes should I make to linux startup files to run this executable
How my service can register call back function to modify or change or send commands to my service while it is running
Yes, you should build a Linux binary. You may want to rephrase your question since I doubt this is the answer you want :-)
You should generally create what is known as an "init" file, which lives in /etc/init.d. Novell has a guide online which you can use to author the file. Note that while the init file is common, the exact method of letting the operating system use it varies depending on the distribution.
This is going to be a marked change for you. If you are doing simple actions such as re-loading a configuration file, you can use the signals functionality, especially the SIGHUP/HUP signal which is generally used for this purpose. If you require extended communication with your daemon, you can use a UNIX domain socket (think of it as a named pipe) or a network socket.
Another task you are going to need to accomplish is to daemonize your application. Generally this is done by first fork()ing your process, then redirecting the stdin/stdout pipes in the child. There are more details which can be answered by reading this document
See how-to-migrate-a-net-windows-service-application-to-linux-using-mono.
Under Linux, deamons are simple background processes. No special control methods (e.g start(), stop()) are used as in Windows. Build your service as a simple (console) application, and run it in the background. You can use a tool like daemonize to run a program as a Unix daemon.

Application to watch what an executable does?

I need to find out exactly what files/directories a Lua program uses so I can try to only pack what it needs into a ZIP file, and come up with a simple way to deploy this script.
I used SysInternals' Process Monitor, but I'm surprised by the small amount of information it returned while it watched the program (For Lua users out there, it's wsapi.exe, which is the launcher for the light-weight Xavante web server).
Does someone know of a good Windows application that can completely monitor what a program does, eg. something like a live version of the venerable PCMag's InCtrl5.
Thank you.
Process monitor will catch everything. If it's not catching the action then it must be happening in a different process. Try filtering based on the files you expect to be used rather than the process you expect it to happen in.

Resources