Log files, taken from 64 bit and 32 bit machine. To test that the parsing is done correctly, There are two fairly large Procmon PML files and their respective CSV format If there is an unsupported operation which you think its details are interesting, please let me know :) Tests These are a lot of operation types so I didn't manage to get to all of them yet :( Category column and Detail column, which contains different information about each operation type, is supported only for some of the operations:.The PML format is very complex so there are some features (unchecked in the list) that are not supported yet:
#Process monitor boot logging code
stacktrace # get a list of the stack frames addresses from the eventįor the raw binary format of PML files you can refer to the docs, or take a look at the source code in stream_logs_format.py.Ĭurrently the parser is only tested with PML files saved by Procmon.exe of versions v3.4.0 or higher. process) # Accessing the process of the event "C:\Windows\system32\dwm.exe", 932 > for module in first_event. exe, Pid = 932, Operation = RegQueryValue, Path = "HKCU\Software\Microsoft\Windows\DWM\ColorPrevalence", Time = 7 / 12 / 2020 1: 18: 10.7752429 AM > print( first_event. > len( pml_reader) # number of logs 53214 > first_event = next( pml_reader) # reading the next event in the log > print( first_event) > from procmon_parser import ProcmonLogsReader > f = open( "LogFile.PML", "rb") > from procmon_parser import load_configuration, dump_configuration, Rule > with open( "ProcmonConfiguration.pmc", "rb") as f: Loading configuration of a pre-exported Procmon configuration: PMC (Process Monitor Configuration) Parser Usage
Instead of having to convert the file to CSV/XML formats prior to loading.
Reduce the size of the log file over time as Procmon captures millions of events.
0 kommentar(er)
