Collecting system wide provenance on Windows

Ashish Gehani edited this page Jul 27, 2015 · 4 revisions

The ProcMon reporter uses input from the Process Monitor application on Microsoft Windows. Process Monitor (Procmon) is a Sysinternals monitoring tool that shows real-time file system, registry, and process/thread activity. It is available for download from Microsoft, and it must be run with administrative privileges because it loads a kernel driver to capture events.

To collect provenance on Windows using the ProcMon reporter, the following steps must be performed:

  • Start Process Monitor. The tool will automatically begin capturing system-wide events. Note that its default filter hides some activity (for example Process Monitor's own process and the System process); adjust the filter if the activity you want to record is being excluded from the display.
  • Perform the tasks for which you want to collect provenance.
  • Stop Process Monitor.
  • Save Process Monitor's log file to disk (File > Save). This writes the recorded system-wide activity to a single file. The save dialog offers the native PML format as well as CSV and XML, and lets you choose between all captured events and only those displayed under the current filter; make sure the events you want the reporter to see are included.
  • In the SPADE controller, start the ProcMon reporter with the path to the saved file as an argument, which is c:\ProcMon.log in the example below:
-> add reporter ProcMon c:\ProcMon.log
Adding reporter ProcMon... done

The ProcMon reporter will ingest the log file and send provenance information corresponding to the recorded activity to the SPADE kernel.
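The procedure above can be scripted with Process Monitor's own command-line switches. The following PowerShell script is an added example and is not code from the SPADE wiki or the SPADE project. It assumes Procmon.exe is on the PATH, that the shell is elevated, and that the reporter parses the CSV export (the page only says to save the log file, so the CSV format and the file paths C:\ProcMon.pml and C:\ProcMon.csv are this example's choices); the workload it traces is a constructed file write/read/delete.

```powershell
# Added example, not code from the SPADE wiki or the SPADE project.
# Scripts the capture and save steps with Process Monitor's command-line
# switches, checks the export, and prints the SPADE controller command.
# Assumptions (not stated on the page): Procmon.exe is on PATH, the shell is
# elevated (Process Monitor loads a kernel driver), and the reporter parses
# the CSV export. Paths below are this example's choices.

param(
    [string]$Procmon    = "Procmon.exe",
    [string]$BackingPml = "C:\ProcMon.pml",   # native-format capture (assumed path)
    [string]$ExportCsv  = "C:\ProcMon.csv",   # file handed to the reporter (assumed path)
    [int]$SettleSeconds = 3                    # time for the driver to attach
)

$ErrorActionPreference = "Stop"

# Procmon.exe launches Procmon64.exe on 64-bit Windows, so wait for both names.
function Wait-ProcmonExit {
    while (Get-Process -Name "Procmon*" -ErrorAction SilentlyContinue) {
        Start-Sleep -Milliseconds 500
    }
}

# Step 1: start Process Monitor capturing system-wide events. /BackingFile
# writes the trace to disk instead of virtual memory (important for long
# captures); /Quiet and /AcceptEula suppress the filter and EULA dialogs.
Start-Process -FilePath $Procmon -ArgumentList @(
    "/AcceptEula", "/Quiet", "/Minimized", "/BackingFile", "`"$BackingPml`""
)
Start-Sleep -Seconds $SettleSeconds

# Step 2: perform the tasks whose provenance you want. Constructed workload:
# write, read back and delete a file, which produces file-system events
# attributed to this PowerShell process.
$probe = Join-Path $env:TEMP "spade-procmon-probe.txt"
Set-Content -Path $probe -Value "provenance probe"
Get-Content -Path $probe | Out-Null
Remove-Item -Path $probe

# Step 3: stop Process Monitor. /Terminate tells the capturing instance to
# stop and exit; wait until it is gone so the backing file is fully flushed.
Start-Process -FilePath $Procmon -ArgumentList "/Terminate" -Wait
Wait-ProcmonExit

# Step 4: save the log in a form the reporter can parse. /OpenLog loads the
# backing file and /SaveAs converts it; the output format is chosen by the
# target extension (.PML native, .CSV, .XML).
Start-Process -FilePath $Procmon -ArgumentList @(
    "/OpenLog", "`"$BackingPml`"", "/SaveAs", "`"$ExportCsv`""
) -Wait
Wait-ProcmonExit

# Check: the export must exist and hold more than the header row. The header
# lists the columns Process Monitor exports (by default Time of Day, Process
# Name, PID, Operation, Path, Result, Detail), which is what the reporter
# has to work with.
if (-not (Test-Path $ExportCsv)) { throw "export not written: $ExportCsv" }
$head = Get-Content -Path $ExportCsv -TotalCount 2
if ($head.Count -lt 2) { throw "export contains no events: $ExportCsv" }
$events = (Get-Content -Path $ExportCsv | Measure-Object -Line).Lines - 1
Write-Host "Header : $($head[0])"
Write-Host "Events : $events"

# Step 5: hand the file to SPADE. The controller is interactive, so print
# the command to type there. The path differs from the page's c:\ProcMon.log
# only because /SaveAs derives the format from the extension.
Write-Host "In the SPADE controller run:  add reporter ProcMon $ExportCsv"
```

The script keeps the capture in a backing file rather than in memory, which is the setting to use when the tasks being traced run for more than a few minutes, and it checks that the export actually contains events before the file is handed to the reporter, since an empty export (for example after a capture that was filtered too aggressively) produces no provenance at all.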
