generate log with opened/closed processes

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
Rioa
Posts: 5
Joined: 29 Oct 2019, 02:19

generate log with opened/closed processes

08 Jun 2020, 23:06

Hello fellow scripters,

I've recently come up with a rather elegant solution to fix a computer virus, er I mean Microsoft Windows, and I'd like to develop it a bit further.

PROBLEM: Microsoft enjoys analyzing peoples' computers and data-reporting/mining, consequently tying up vast memory resources; I've been able to eliminate a few dozen built-in spybots via the Cortana privacy settings and Spybot Search and Destroy, but there are still a few pesky processes which I notice from time to time because they slow down my frames per second substantially while playing multiplayer games (this is extremely unacceptable since this is a gaming computer).

SPECIFICALLY & PARTIAL SOLUTION: So the most notable process I've been struggling with is taskhostw.exe. I've shut down about a half dozen triggers which kick off this POS, but it either keeps self-repairing or is getting launched from something so utterly ridiculous it hasn't even crossed my mind (I've run third-party software, changed the registry keys, disabled the task scheduler triggers and more, and it still persists). I've whipped up a quick script which takes care of the problem REALLY well, and now I'd like to expand on its functions and tracking abilities.

If anyone else would like to use my script, or build off it, be aware that if the process (or application) in question is one that belongs to Microsoft, you must right-click your script and run as administrator:

Code:

#SingleInstance Force
#Persistent

timerloop:
; Process, Exist sets ErrorLevel to the PID, or 0 if no such process is running.
Process, Exist, taskhostw.exe
if (ErrorLevel)
{
    Process, Close, taskhostw.exe
}
sleep 1000
Goto, timerloop

break::ExitApp

So the above code does a great job of killing taskhostw.exe any time I'm in a game without the need to alt-tab -- but it's my first draft and has its limits. For one, it's brute force and slightly wasteful on resources (I'd much rather have it utilize an event listener for the taskhostw.exe process launching, rather than performing a physical check every 1 second; if anyone knows the syntax for that -- do tell ;p )

And secondly besides wanting to clean up the code -- I'd like to expand its functionality to data log all other processes, with a time stamp of when they opened, and when they closed. The purpose here is to see what other sneaky microsoft processes I may have missed -- this is not neuroticism, they literally program their software to launch when you're not around; don't believe me? check out task scheduler triggers, some execute when they see the keyboard hasn't been accessed in X time passed.

TL;DR
1) Need syntax help for taking the above code and making it more efficient; need to replace the 1-second checker loop with an event listener that watches for taskhostw.exe starting up.
2) Need a quick crash course on generating logs in regard to this, specifically: I would like to add another code snippet that again has a process event listener, but instead of taskhostw.exe, it would be effectively *.exe, and any time *.exe launches or terminates, it will add a time-stamped log statement to "mylog.txt".
BoBo
Posts: 6564
Joined: 13 May 2014, 17:15

Re: generate log with opened/closed processes

09 Jun 2020, 00:29

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!
Source: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Rioa
Posts: 5
Joined: 29 Oct 2019, 02:19

Re: generate log with opened/closed processes

09 Jun 2020, 12:57

Tried your Autoruns utility, ran as administrator, turned off all "hidden" options, selected the Everything tab, and did a Ctrl-F find for taskhost: no results.

Yet another example of how far microsoft will go to strip power from their users.

I find it hilarious that even this (seemingly) top-notch Microsoft diagnostic tool still lacks the power of what I accomplished with 2 lines of AutoHotkey code.

Ever since windows 10 version (1709?) they started taking away our control on things like windows updates and various services that they deemed too important to touch. As a computer expert myself, I can say that there is no legitimacy to their claims; they simply want an excuse to have executive control over your pc, claiming things like they want to keep you up-to-date to improve security or stability -- both ridiculous claims, since new patches can (and have) opened up new security loopholes, and some patches can also mis-configure unconventional hardware setups, potentially corrupting software (I've worked as a computer repair tech for 3 years and seen this a lot first hand).

Anyways all this to say, I'm trying to cure a microsoft problem and you provided me a microsoft tool, I'm not the least bit surprised it didn't have what I needed. It DID contain one of the other obnoxious processes I'm trying to address (sedlauncher.exe), but nothing for taskhost, which brings me back to my fundamental question:

Does anyone know the AutoHotkey syntax to set up an "event listener" for a process by name (i.e. Event Listener > Taskhostw.exe > Launched), and is it possible to use a wildcard to 'event listen' for all processes (i.e. Event Listener > *.exe > Launched)?

I'm sure I can teach myself log generation in an afternoon, but this would be a prerequisite step.

P.S. If I'm confusing anyone with my jargon (event listener), here's a simple example:
lbutton::
would be an event listener for a left mouse click -- so I'm looking for the correct syntax for the following:
Process, Exist, taskhostw.exe::
swagfag
Posts: 6222
Joined: 11 Jan 2017, 17:59

Re: generate log with opened/closed processes

09 Jun 2020, 13:38

Does anyone know the autohotkey syntax to set up an "event listener" for a process by name

Code:

#Persistent   ; keep the script alive after the auto-execute section, otherwise it exits before any event arrives

wmi := ComObjGet("winmgmts:")
sink := ComObjCreate("WbemScripting.SWbemSink")
ComObjConnect(sink, "SINK_")   ; the sink's OnObjectReady event is routed to SINK_OnObjectReady

; Win32_ProcessStartTrace is an extrinsic (kernel-driven) event class and requires the script to run as administrator.
wmi.ExecNotificationQueryAsync(sink, "SELECT * FROM Win32_ProcessStartTrace")

SINK_OnObjectReady(objObject, objAsyncContext) {
	MsgBox % objObject.ProcessName
}
heavyhotuser
Posts: 10
Joined: 05 Dec 2018, 04:06

Re: generate log with opened/closed processes

13 Jun 2020, 11:37

@swagfag: Can you provide an example (with MsgBox or ToolTip) for the event listener, please? I can't seem to bring it to work. Thanks!
teadrinker
Posts: 4412
Joined: 29 Mar 2015, 09:41

Re: generate log with opened/closed processes

13 Jun 2020, 13:15

Code:

; Log window: one row per process creation/termination event.
Gui, New, +hwndhGui
Gui, Add, ListView, w900 h600, Event|PID|Name|Time|Command Line
for k, v in ["70", "50", "100", "60"]   ; column widths; the last column takes the rest
   LV_ModifyCol(k, v)
Gui, Show

; One SWbemSink per subscription, each connected to an EventSink instance that
; knows which event type it represents.
WMI := ComObjGet("winmgmts:")
ComObjConnect(createSink := ComObjCreate("WbemScripting.SWbemSink"), new EventSink("Created", hGui))
ComObjConnect(deleteSink := ComObjCreate("WbemScripting.SWbemSink"), new EventSink("Terminated", hGui))

; Intrinsic events: WMI polls Win32_Process every second ("Within 1"), so a
; process that starts and exits inside that interval can be missed.
Command := "Within 1 Where TargetInstance ISA 'Win32_Process'"
WMI.ExecNotificationQueryAsync(createSink, "select * from __InstanceCreationEvent " . Command)
WMI.ExecNotificationQueryAsync(deleteSink, "select * from __InstanceDeletionEvent " . Command)
Return

GuiClose() {
   ExitApp
}

class EventSink
{
   __New(eventType, hwnd) {
      this.event := eventType
      this.hwnd := hwnd
   }

   ; Called by WMI for every matching event; TargetInstance is a Win32_Process snapshot.
   OnObjectReady(obj) {
      Process := obj.TargetInstance
      Gui, % this.hwnd . ": Default"
      ; CreationDate is a CIM datetime (yyyymmddHHMMSS.ffffff+zzz); strip the fraction and offset.
      time := this.event = "Created" ? RegExReplace(Process.CreationDate, "\..*") : A_Now
      FormatTime, formatted, time, HH:mm:ss
      LV_Insert(1,, this.event, Process.ProcessID, Process.Name, formatted, Process.CommandLine)
   }
}
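A file-logging variant of the script above, added here as an example and not taken from teadrinker's post or any project: it keeps the same SWbemSink subscription to __InstanceCreationEvent and __InstanceDeletionEvent, but instead of a ListView it appends one timestamped line per process start or stop to mylog.txt (the OP's second TL;DR item). The log path next to the script, the line format and the class name ProcessLogger are my assumptions.

```autohotkey
; Added example, not from the original thread: the same WMI subscription
; pattern, but each process start/stop is appended as a timestamped line to
; mylog.txt next to the script (the log path is an assumption). AutoHotkey v1.1.
#SingleInstance Force
#Persistent

global LogFile := A_ScriptDir . "\mylog.txt"

WMI := ComObjGet("winmgmts:")
; Keep both sinks in variables so they stay alive for the life of the script.
startSink := ComObjCreate("WbemScripting.SWbemSink")
stopSink  := ComObjCreate("WbemScripting.SWbemSink")
ComObjConnect(startSink, new ProcessLogger("START"))
ComObjConnect(stopSink,  new ProcessLogger("STOP"))

; WITHIN 1: WMI polls Win32_Process once per second, so a process that starts
; and exits inside that second produces no event. Shorten the interval at the
; cost of more polling, or use the extrinsic Win32_ProcessStartTrace /
; Win32_ProcessStopTrace classes (administrator required) for a kernel-driven feed.
filter := " WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
WMI.ExecNotificationQueryAsync(startSink, "SELECT * FROM __InstanceCreationEvent" . filter)
WMI.ExecNotificationQueryAsync(stopSink,  "SELECT * FROM __InstanceDeletionEvent" . filter)
WriteLog("INFO monitor started")
Return

Break::ExitApp

class ProcessLogger
{
   __New(eventType) {
      this.event := eventType
   }

   ; WMI calls this for every matching event; TargetInstance is a Win32_Process snapshot
   ; taken at poll time, so CommandLine is still available for terminated processes.
   OnObjectReady(obj) {
      p := obj.TargetInstance
      WriteLog(this.event . " pid=" . p.ProcessID . " ppid=" . p.ParentProcessId
         . " name=" . p.Name . " cmd=" . p.CommandLine)
   }
}

; Append one line with a local timestamp; FileAppend creates the file on first use.
WriteLog(text) {
   global LogFile
   FormatTime, stamp, , yyyy-MM-dd HH:mm:ss
   FileAppend, % stamp . " " . text . "`n", % LogFile
}
```

Logging the parent PID alongside the name is what makes the log useful for the question the OP is really asking (what launches a given process): the START line of the child carries the PID of whatever spawned it, and the earlier START line for that PID tells you its name and command line.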
heavyhotuser
Posts: 10
Joined: 05 Dec 2018, 04:06

Re: generate log with opened/closed processes

13 Jun 2020, 14:50

Thank you so much! Still reading MSDN to understand at least a bit of it. Alone I would never bring it to work!
Awesome :salute:!
c7aesa7r
Posts: 209
Joined: 02 Jun 2016, 21:09

Re: generate log with opened/closed processes

01 Jun 2022, 08:02

teadrinker wrote:
13 Jun 2020, 13:15

Code:

Gui, New, +hwndhGui
Gui, Add, ListView, w900 h600, Event|PID|Name|Time|Command Line
for k, v in ["70", "50", "100", "60"]
   LV_ModifyCol(k, v)
Gui, Show

WMI := ComObjGet("winmgmts:")
ComObjConnect(createSink := ComObjCreate("WbemScripting.SWbemSink"), new EventSink("Created", hGui))
ComObjConnect(deleteSink := ComObjCreate("WbemScripting.SWbemSink"), new EventSink("Terminated", hGui))

Command := "Within 1 Where TargetInstance ISA 'Win32_Process'"
WMI.ExecNotificationQueryAsync(createSink, "select * from __InstanceCreationEvent " . Command)
WMI.ExecNotificationQueryAsync(deleteSink, "select * from __InstanceDeletionEvent " . Command)
Return

GuiClose() {
   ExitApp
}

class EventSink
{
   __New(eventType, hwnd) {
      this.event := eventType
      this.hwnd := hwnd
   }
   
   OnObjectReady(obj) {
      Process := obj.TargetInstance
      Gui, % this.hwnd . ": Default"
      time := this.event = "Created" ? RegExReplace(Process.CreationDate, "\..*") : A_Now
      FormatTime, formatted, time, HH:mm:ss
      LV_Insert(1,, this.event, Process.ProcessID, Process.Name, formatted, Process.CommandLine)
   }
}

Code:

Process := obj.TargetInstance
Among: Process.ProcessID, Process.Name, Process.CommandLine
All these properties are also available to read from the process, right?
https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-process?redirectedfrom=MSDN

What other events are possible to track other than 'created' and 'terminated', if possible could you share the MSDN link about these?
Also, how could I set the class EventSink 'critical' to avoid the possibility of missing a process?
teadrinker
Posts: 4412
Joined: 29 Mar 2015, 09:41

Re: generate log with opened/closed processes

01 Jun 2022, 10:23

Unfortunately, I don't have much experience with WMI. I am not the author of this script.
jNizM
Posts: 3183
Joined: 30 Sep 2013, 01:33

Re: generate log with opened/closed processes

01 Jun 2022, 12:55

I can look into it.

Yes you can get all properties from the Win32_Process Class

Also __InstanceModificationEvent is possible (Receiving a WMI Event)

I am currently working successfully with Eventlog Event (Win32_NTLogEvent)

More successfully working tests are Registry Change Events (RegistryKeyChangeEvent / RegistryTreeChangeEvent / RegistryValueChangeEvent) and Plug and Play device events (Win32_PnPEntity); Service Events can also be tracked (Win32_Service).
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
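Two of the other event sources jNizM lists, wired into the same sink pattern as the scripts above; this is an added example and not code from jNizM, teadrinker or any project. Service state changes come from __InstanceModificationEvent on Win32_Service in the root\cimv2 namespace, and changes to the HKLM Run autostart key come from RegistryKeyChangeEvent, which lives in root\default. The log path, the watched key, and the class names ServiceLogger and RegistryLogger are my assumptions.

```autohotkey
; Added example, not part of the original thread: service state transitions and
; changes to the HKLM Run key, logged to mylog.txt (path and key are assumptions).
; AutoHotkey v1.1.
#SingleInstance Force
#Persistent

global LogFile := A_ScriptDir . "\mylog.txt"
global RunKey  := "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

; Service events: polled every 2 s. Any property refresh raises a modification
; event, so the handler compares State with PreviousInstance and logs transitions only.
wmi := ComObjGet("winmgmts:root\cimv2")
svcSink := ComObjCreate("WbemScripting.SWbemSink")
ComObjConnect(svcSink, new ServiceLogger())
wmi.ExecNotificationQueryAsync(svcSink, "SELECT * FROM __InstanceModificationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Service'")

; Registry events: only HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG can be
; watched (the WMI service runs as SYSTEM, so HKCU has no meaning for it), and
; backslashes in KeyPath must be doubled inside WQL.
reg := ComObjGet("winmgmts:root\default")
regSink := ComObjCreate("WbemScripting.SWbemSink")
ComObjConnect(regSink, new RegistryLogger())
reg.ExecNotificationQueryAsync(regSink, "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='" . StrReplace(RunKey, "\", "\\") . "'")
WriteLog("INFO service/registry monitor started")
Return

Break::ExitApp

class ServiceLogger
{
   OnObjectReady(obj) {
      svc := obj.TargetInstance
      prev := obj.PreviousInstance
      if (svc.State = prev.State)
         return
      WriteLog("SERVICE " . svc.Name . " " . prev.State . " -> " . svc.State
         . " start=" . svc.StartMode . " pid=" . svc.ProcessId . " path=" . svc.PathName)
   }
}

class RegistryLogger
{
   ; The event only says the key changed, so enumerate its values to record the new state.
   OnObjectReady(obj) {
      WriteLog("REGISTRY " . obj.Hive . "\" . obj.KeyPath . " changed")
      Loop, Reg, % "HKLM\" . RunKey
      {
         RegRead, data
         WriteLog("   " . A_LoopRegName . " = " . data)
      }
   }
}

; Append one line with a local timestamp; FileAppend creates the file on first use.
WriteLog(text) {
   global LogFile
   FormatTime, stamp, , yyyy-MM-dd HH:mm:ss
   FileAppend, % stamp . " " . text . "`n", % LogFile
}
```

The Run key is a reasonable first thing to watch because it is one of the autostart locations Autoruns enumerates; a new value appearing there while the machine is idle is exactly the kind of change the OP wants to catch. RegistryValueChangeEvent can narrow the subscription to a single value name, and RegistryTreeChangeEvent (with RootPath instead of KeyPath) covers a key and all its subkeys.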
