Collecting system wide provenance on Windows
The ProcMon reporter uses input from the Process Monitor application on Microsoft Windows. Process Monitor is a monitoring tool that shows real-time file system, registry, and process/thread activity. It is available for download from Microsoft.
To collect provenance on Windows using the ProcMon reporter, the following steps must be performed:
- Start Process Monitor. The tool will automatically begin capturing system-wide events.
- Perform the tasks for which you want to collect provenance.
- Stop Process Monitor.
- Save Process Monitor's log file to disk. This saves the recorded system-wide activity to a single file.
- In the SPADE controller, start the ProcMon reporter with the path to the saved file as an argument, which is c:\ProcMon.log in the example below:

-> add reporter ProcMon c:\ProcMon.log
Adding reporter ProcMon... done
The ProcMon reporter will ingest the log file and send provenance information corresponding to the recorded activity to the SPADE kernel.
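To make concrete what "provenance information corresponding to the recorded activity" means, the following is an added example (not SPADE's ProcMon reporter and not code from this project) that turns a Process Monitor CSV export into a small provenance graph of process and artifact vertices joined by Used, WasGeneratedBy and WasTriggeredBy edges. It assumes ProcMon's CSV export with the default columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), assumes that a Process Create event carries the child's PID in its Detail column as "PID: <n>", and works on a constructed six-event log embedded inline; the operation-to-edge mapping and the decision to keep failed accesses (for example ACCESS DENIED) out of the graph are the example's own choices, since a denied write does not constitute data flow.

```python
"""Build a provenance graph from a Process Monitor CSV export.

Added example, not SPADE's own ProcMon reporter. Assumptions: ProcMon's
default CSV export columns, and "PID: <n>" inside the Detail column of a
Process Create event. The log below is constructed for the example.
"""
import csv
import io
import re
from collections import namedtuple

# Constructed sample of a ProcMon CSV export: header row plus six events.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000001 AM","cmd.exe","4120","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 5004, Command line: notepad.exe C:\Users\alice\notes.txt"
"10:15:01.1000002 AM","notepad.exe","5004","CreateFile","C:\Users\alice\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:15:01.2000003 AM","notepad.exe","5004","ReadFile","C:\Users\alice\notes.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:15:02.0000004 AM","notepad.exe","5004","WriteFile","C:\Users\alice\notes.txt","SUCCESS","Offset: 0, Length: 27"
"10:15:02.5000005 AM","notepad.exe","5004","WriteFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Offset: 0, Length: 11"
"10:15:03.0000006 AM","notepad.exe","5004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
'''

# An edge is (kind, source vertex, destination vertex); vertices are tuples
# of (type, label) so they can be used as dictionary keys and set members.
Edge = namedtuple("Edge", "kind src dst")

# Assumed Detail format for Process Create: "PID: 5004, Command line: ..."
PID_RE = re.compile(r"PID:\s*(\d+)")


def process_key(name, pid):
    return ("Process", f"{name}:{pid}")


def artifact_key(path):
    """Registry paths start with a hive name such as HKLM; everything else is a file."""
    kind = "Registry" if path.split("\\", 1)[0].upper().startswith("HK") else "File"
    return (kind, path)


def build_provenance(csv_text):
    """Return (vertices, edges, stats) for one ProcMon CSV export.

    vertices: dict mapping vertex key -> attribute dict
    edges:    set of Edge tuples
    stats:    counts of events skipped because they failed or are not mapped
    """
    vertices, edges = {}, set()
    stats = {"failed": 0, "ignored": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = process_key(row["Process Name"], row["PID"])
        vertices.setdefault(proc, {"name": row["Process Name"], "pid": row["PID"]})
        op, path, result = row["Operation"], row["Path"], row["Result"]
        if result != "SUCCESS":
            # A denied or failed access moved no data, so it yields no edge.
            stats["failed"] += 1
            continue
        if op == "Process Create":
            m = PID_RE.search(row["Detail"])
            if not m:
                stats["ignored"] += 1
                continue
            child = process_key(path.rsplit("\\", 1)[-1], m.group(1))
            vertices.setdefault(child, {"name": child[1].split(":")[0], "pid": m.group(1)})
            edges.add(Edge("WasTriggeredBy", child, proc))
        elif op in ("ReadFile", "RegQueryValue"):
            art = artifact_key(path)
            vertices.setdefault(art, {"path": path})
            edges.add(Edge("Used", proc, art))
        elif op in ("WriteFile", "RegSetValue"):
            art = artifact_key(path)
            vertices.setdefault(art, {"path": path})
            edges.add(Edge("WasGeneratedBy", art, proc))
        else:
            # CreateFile, CloseFile, QueryInformation etc. carry no data flow here.
            stats["ignored"] += 1
    return vertices, edges, stats


def writers_of(edges, path):
    """Which processes generated the given file or registry artifact?"""
    return {e.dst[1] for e in edges if e.kind == "WasGeneratedBy" and e.src[1] == path}


if __name__ == "__main__":
    vertices, edges, stats = build_provenance(SAMPLE_CSV)
    for e in sorted(edges):
        print(f"{e.src[1]} --{e.kind}--> {e.dst[1]}")
    print("skipped:", stats)
    print("writers of notes.txt:", writers_of(edges, r"C:\Users\alice\notes.txt"))
```

Running the script prints one line per edge: notepad.exe was triggered by cmd.exe, used and generated notes.txt, and used the ProductName registry value; the denied write to the hosts file is counted under "failed" but produces no edge, which is the behaviour an analyst usually wants when the graph is later queried for which processes actually modified a file.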