Showing posts with label User Interface Automation. Show all posts

Tuesday, March 8, 2022

Unattended System monitoring with ProcessMonitor and UI automation

ProcessMonitor from Microsoft is hugely popular and widely used to monitor events such as registry or file updates.
If ProcessMonitor is used to track an event (e.g., a registry change) system-wide in an unattended scenario, some customization is needed, because ProcessMonitor creates a large amount of log data in a short span of time, i.e., around 5 GB in 30 minutes.
The plan is to check the ProcessMonitor log files every 30 minutes for the event, take a snapshot and clear the logs. This can be accomplished with a Task Scheduler task and UIA, as discussed below.

Background
It was noticed that on a particular Windows 10 machine the Windows scaling factor changed from 100% to 150% randomly over a period of 1 week. The plan was to track changes made to the registry entry hkcu\control panel\desktop\logpixels.

Implementation
The solution should be generic so that it can be deployed seamlessly on different PCs.
When done manually, the following steps are executed.
Steps
  1. The first time, folders for the pm logs and captured events are created. This is done by importing the configuration from ProcMonConfiguration.pmc.
  2. After that, when a specific user logs in, the unprocessed logs are scanned for the event and cleared.
  3. Every 30 minutes the logs are scanned for the event, saved if the event is found, and then cleared.

Step 1
Init.cmd does the initial setup.

Add a filter for the registry entry as shown below:


Change the backing file as shown below. A dedicated folder is required.


A scheduled task, startpm, is created that runs at logon of a specific user and runs startpm.cmd, described below.
A scheduled task, savepmlog, is created that runs startpm.cmd for a specific user every 30 minutes to check for the event, take a screenshot and clear the logs.


Step 2
The startpm task is executed at logon of a specific user. This task runs savepmlog.cmd.

Step 3
The savepmlog task is executed every 30 minutes after logon of a specific user. This task runs savepmlog.cmd.

Init.cmd
This script will do initial setup as discussed above.
       
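@echo on
rem Start from a clean working folder (ignore the error if it does not exist yet)
rd /s /q c:\temp\procmon 2>nul
md c:\temp\procmon\capture
md c:\temp\procmon\pmlogs
rem Both tasks run savepmlog.cmd: once at logon and then every 30 minutes
schtasks /create  /f /sc onlogon /tn startpm /it /ru rvvya /tr "%~dp0\savepmlog.cmd"
schtasks /create  /f /sc minute /mo 30  /tn savepmlog /it /ru rvvya /tr "%~dp0\savepmlog.cmd"
rem Stop any running instance and wait for it to exit before loading the configuration
start "" /wait "%~dp0\..\bin\Procmon64.exe" /accepteula /terminate
start "" "%~dp0\..\bin\Procmon64.exe" /quiet /loadconfig "%~dp0\ProcmonConfiguration.pmc"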
       
 
savepm.cmd
This script checks the logs for the event, saves them along with a screenshot if the event is found, and then clears all logs.
       
@echo on
setlocal enabledelayedexpansion
rem Remove leftovers from the previous run
del C:\temp\procmon\capture\snapshot.bmp >nul 2>&1
del C:\temp\procmon\capture\logfile.csv >nul 2>&1

rem Stop the running capture, then reopen the backing file for savelog.exe
tasklist /fi "imagename eq Procmon64.exe" | find /i "Procmon64.exe">nul
if !errorlevel! equ 0 start "" /wait "%~dp0\..\bin\Procmon64.exe" /Terminate
start "" "%~dp0\..\bin\Procmon64.exe" /quiet /openlog C:\temp\procmon\pmlogs\uiatest.PML
echo saving....
start "" /min /wait "%~dp0\..\bin\savelog.exe"
call :rename_logfile
goto :eof

:rename_logfile
rem Build a file-name-safe timestamp from %date% and %time%
set logfile=logfile_%date%_%time%
set logfile=%logfile::=_%
set logfile=%logfile:/=_%
rem Count the lines of the export. A header-only file (1 line) or a missing
rem file (0) means no event; matching the text ".CSV: 1" would also hit 10, 11, ...
set lines=0
for /f %%n in ('type C:\temp\procmon\capture\logfile.csv 2^>nul ^| find /c /v ""') do set lines=%%n
if !lines! leq 1 (
del C:\temp\procmon\capture\snapshot.bmp >nul 2>&1
del C:\temp\procmon\capture\logfile.csv >nul 2>&1
echo %date% %time% not found >> C:\temp\procmon\capture\results.log
) else (
move C:\temp\procmon\capture\snapshot.bmp "C:\temp\procmon\capture\%logfile%.bmp"
move C:\temp\procmon\capture\logfile.csv "C:\temp\procmon\capture\%logfile%.csv"
echo %date% %time% found >> C:\temp\procmon\capture\results.log
)
exit /b
      
 
Savelog.exe
This is driven by UIA. This executable is launched by savepmlog.cmd. It takes a snapshot, saves pmlog files and then clears them. 

Deployment
The solution is deployed as shown below:
\bin
UI automation executables, their libraries and the ProcessMonitor executable.
\scripts
Contains the Task Scheduler scripts described below and the setup script.

Demo
The following movie shows actual operation
1. Regedit is started to add an event
2. savepmlog task is triggered to check and record.




Output
The output files are available in the C:\temp\procmon\capture folder.
snapshot (logfile_11-06-2022_15_26_36.34.bmp)


saved log file (logfile_11-06-2022_15_26_36.34.csv)
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:26:06.7849475","regedit.exe","10344","RegQueryValue","HKCU\Control Panel\Desktop\LogPixels","SUCCESS","Type: REG_DWORD, Length: 4, Data: 150"

results.log
11-06-2022 14:32:30.01 not found 
11-06-2022 15:00:22.52 not found 
11-06-2022 15:26:36.36 found 

Source and Binaries can be found here.
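
The saved row shown above is a RegQueryValue, i.e. a read by regedit.exe. A filter on the path alone also captures reads, so a "found" entry does not yet say which process changed the value. The following is an added example, not part of the original scripts, that post-processes a saved CSV and keeps only successful writes to the watched value; the function name and the last two sample rows are constructed for illustration.

```powershell
# Added example (not from the original post): list writes to the watched value.
function Get-RegistryWriteEvent {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLine,   # lines of a saved CSV export
        [string] $ValuePath = 'HKCU\Control Panel\Desktop\LogPixels'
    )
    # Operations that modify a value. RegQueryValue and similar only read it.
    $writeOps = 'RegSetValue', 'RegDeleteValue'

    # PowerShell's -eq on strings is case-insensitive, like registry paths.
    $CsvLine | ConvertFrom-Csv |
        Where-Object {
            ($_.Path -eq $ValuePath) -and ($writeOps -contains $_.Operation) -and ($_.Result -eq 'SUCCESS')
        } |
        ForEach-Object {
            # Detail looks like "Type: REG_DWORD, Length: 4, Data: 150"
            $data = if ($_.Detail -match 'Data:\s*(.+)$') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time      = $_.'Time of Day'
                Process   = $_.'Process Name'
                PID       = $_.PID
                Operation = $_.Operation
                NewData   = $data
            }
        }
}

# Constructed sample: row 1 is the row shown above, rows 2 and 3 are invented.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:26:06.7849475","regedit.exe","10344","RegQueryValue","HKCU\Control Panel\Desktop\LogPixels","SUCCESS","Type: REG_DWORD, Length: 4, Data: 150"
"15:27:10.1000000","example.exe","4242","RegSetValue","HKCU\Control Panel\Desktop\LogPixels","SUCCESS","Type: REG_DWORD, Length: 4, Data: 144"
"15:27:10.2000000","example.exe","4242","RegSetValue","HKCU\Control Panel\Desktop\WheelScrollLines","SUCCESS","Type: REG_SZ, Length: 4, Data: 3"
'@ -split "`r?`n"

# Only the RegSetValue on LogPixels by example.exe is returned.
Get-RegistryWriteEvent -CsvLine $sample | Format-Table -AutoSize

# For a real capture: Get-RegistryWriteEvent -CsvLine (Get-Content <saved csv file>)
```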

Wednesday, March 2, 2022

User Interface Automation Framework

The Microsoft UI Automation APIs enable navigation of user interfaces programmatically.
Some of the areas of application are UI automation testing, manufacturing quality checks and accessibility.

The UIAFramework is a lightweight framework that can be used to achieve UI automation, either from scripting languages or from C#. It has two components, ControlDBTool and UIADriver. The UIAFramework is based on .NET CLR 3.5 and works with Windows XP and above. The process involves two steps.
  1. Identify the controls participating in UI automation in a user interface and generate a control database using ControlDBTool.
  2. Using the UIADriver component, manipulate the control by invoking a method or property from the supported control patterns of the control. For example, the Invoke method of a Button control.
ControlDBTool
ControlDBTool is a GUI-based tool that aids identification of the UI elements that participate in UI automation. Users select UI elements from an application and save them into a file-based repository. ControlDBTool also supports a record and play feature where code can be generated from user actions.


UIADriver
UIADriver is an easy-to-use managed class library that provides an interface to simulate user interactions on various UI elements such as buttons, grids, combo boxes etc. It is exposed to script-based and unmanaged clients via COM.
UIADriver supports both UIA (User Interface Automation) and MSAA (Microsoft Active Accessibility API) technologies. These provide the foundation for UI automation and are part of the OS. UIA is the successor of MSAA and can be used for both WPF and Win32/WinForms based UI controls. However, it exhibits anomalies with certain WinForms based controls. In such cases, MSAA can be used to fill the gap.
The code generator of the ControlDBTool discussed earlier uses the UIADriver library to perform UI operations.
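
What "invoking a method from a supported control pattern" means at the level of the underlying Microsoft UI Automation API, as an added example (it is not UIADriver's code or API). It assumes Windows PowerShell 5.1; the function name is hypothetical, and the window title and AutomationId in the usage comment are assumptions.

```powershell
# Added example: press a button through its Invoke control pattern using the
# UI Automation client assemblies that ship with the .NET Framework.
Add-Type -AssemblyName UIAutomationClient, UIAutomationTypes

function Invoke-UiaButton {
    param(
        [Parameter(Mandatory)] [string] $WindowName,    # title of the top-level window
        [Parameter(Mandatory)] [string] $AutomationId,  # AutomationId of the button
        [int] $TimeoutSeconds = 10
    )
    $ae     = [System.Windows.Automation.AutomationElement]
    $scope  = [System.Windows.Automation.TreeScope]
    $byName = [System.Windows.Automation.PropertyCondition]::new($ae::NameProperty, $WindowName)
    $byId   = [System.Windows.Automation.PropertyCondition]::new($ae::AutomationIdProperty, $AutomationId)

    # Poll for the window instead of sleeping for a fixed time.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $window = $ae::RootElement.FindFirst($scope::Children, $byName)
        if (-not $window) { Start-Sleep -Milliseconds 250 }
    } while (-not $window -and (Get-Date) -lt $deadline)
    if (-not $window) { throw "Window '$WindowName' not found within $TimeoutSeconds s" }

    $button = $window.FindFirst($scope::Descendants, $byId)
    if (-not $button) { throw "No element with AutomationId '$AutomationId' in '$WindowName'" }

    # A control can only be driven through the patterns it supports.
    $pattern = $null
    $invoke  = [System.Windows.Automation.InvokePattern]::Pattern
    if (-not $button.TryGetCurrentPattern($invoke, [ref] $pattern)) {
        throw "Element '$AutomationId' does not support InvokePattern"
    }
    $pattern.Invoke()
}

# Usage (assumed values): window title 'Calculator', AutomationId 'clearButton'.
# Start-Process calc.exe
# Invoke-UiaButton -WindowName 'Calculator' -AutomationId 'clearButton'
```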




Example
In this example, calculator.exe is launched and multiplication calculations are performed as discussed below.

1. Launch the calculator.
2. Launch ControlDBTool and set toolbar-only mode.

3. Click the record button and perform the following actions on the calculator using the mouse.
4. Click 8 7 8 4 x 1 6 x 1 0 4 0 as shown below.

5. Stop recording in ControlDBTool.
6. Save the recording.
7. The recorded actions are listed as below. If there is any unmapped event, it needs to be mapped to the action.


8. Set ControlDBTool to regular mode.
9. Save the recording.
10. Click on generate code and save the selection.
11. Select all the actions.
12. Select C# code from the dropdown.

13. Save the code to calc.cs.
14. Edit the calc.cs file, add the highlighted code in Main() and save.
	   
public static void Main()
{
	string brs = null;
	// Launch the calculator and give its window time to appear
	System.Diagnostics.Process.Start("calc.exe");
	System.Threading.Thread.Sleep(2000);

	UIAAutomationElement.UIADriver.SetAutomationElement(objsample.button_Clear_clearButton_1294_432);
	// ... the rest of the generated playback code continues here ...
}

15. Open a command window from the saved location.
16. Compile the code to generate the exe using the following command:


17. Execute runcalc.exe. The playback looks as in the video below.

Source and Binaries can be found here.