system_monitor

A windows system tool, development in rust. A replacement of procmon, more events and useful filter. Typically can check handle leak for a long time(i.e. a week). because can remove the closed handle.

features

• more events
  • public and unpublished. refer to monitor events
• more useful filter
  • filter one event with some filter condition
    • value: any string and number. i.e. 1234567 or "system_monitor".
    • key-value: key is any column. i.e. process_id or properties.xxx. value is any string or number.
    • express: can use && || ! () i.e process_id = 4 && thread_id = 6
  • filter two events by match some condition. i.e. handle create and close
    • handle: match CreateHandle and CloseHandle and remove the tow events
    • custom(event_display_name, opcode_name_first, opcode_name_second, path_for_match, ...) : can has multi path_for_match. match the opcode_name_first and opcode_name_second, and remove the two events.
• find for events
  • easy query language
    • value: any string and number. i.e. 1234567 or "system_monitor".
    • key-value: key is any column. i.e. process_id or properties.xxx. value is any string or number.
    • express: can use && || ! () i.e process_id = 4 && thread_id = 6
  • mark result of query at scroll bar of TableView
• call stack view
  • record original module and monitor change
  • convert the virtual address to the offset of module
  • translate a module offset to the code location
• easy of use
  • syntax highlight for filter expression
  • tips

supported os version

• windows11 x64
• windows10 x64
• windows10 x32

monitor events