Process monitor command line malware
Process Monitor is a free tool from Microsoft that displays file system, registry, process, and other activities on the system. It's an invaluable tool for troubleshooting Windows problems as well as for malware forensics and analysis tasks. The thoroughness of the tool is also a weakness, as the amount of data captured by Process Monitor can easily overwhelm the analyst.

Filters for Sifting Through Process Monitor Data

Finding meaningful events in Process Monitor's voluminous log file is simpler using the tool's filtering capabilities, which allow the analyst to define conditions that determine whether records are shown or hidden. You can define the filters by pressing Ctrl+L in Process Monitor or through the Filter > Filter... menu. As you can see, the tool comes with several pre-defined filters to eliminate a small set of common Windows events:

Even with the default filters, there is usually too much noise in Process Monitor's log file. The good news is that the tool not only allows the analyst to define custom filters; it also includes the ability to save filters as independent entities. This allows the analyst to use custom filters either for hiding "boring" entries or for checking the log file for the presence of "interesting" events.

After creating a custom filter with Ctrl+L, you can save it using the Filter > Save Filter... menu option. To see the filters you defined, select Filter > Organize Filters... This window will allow you to export custom filters to files with the PMF extension, if you want to save a filter for use outside of the local system. The window will also let you load PMF files. The tool will remember your filters across sessions; however, it won't activate a saved filter until you load it using Filter > Load Filter...

Sample Filters for Malware Analysis and Forensics

Raymond Hodge, whom I met in my reverse-engineering malware course, created several filters for eliminating additional Windows XP noise and for looking for some events associated with malicious software. Raymond allowed me to publish his filters, in the hopes that others can customize them and learn about this aspect of the tool. (Thanks, Raymond, for defining these filters and also for the idea of using them in this manner.)
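The two filter uses discussed on this page, hiding "boring" entries and surfacing "interesting" events, applied to a Process Monitor CSV export rather than in the GUI. This is an added example, not code from the post or from Sysinternals, and not Raymond's filters; the rule-combination logic (Exclude wins, Include rules ORed within a column and ANDed across columns) is my reading of Procmon's behaviour and is an assumption, and the CSV rows are constructed.

```python
import csv
import io
from dataclasses import dataclass

@dataclass
class Rule:
    column: str     # Procmon column, e.g. "Operation", "Path", "Process Name"
    relation: str   # "is", "contains", "begins with", "ends with"
    value: str
    action: str     # "Include" or "Exclude"

    def matches(self, event):
        field, value = event.get(self.column, "").lower(), self.value.lower()
        return {"is": field == value, "contains": value in field,
                "begins with": field.startswith(value),
                "ends with": field.endswith(value)}[self.relation]

def apply_filters(events, rules):
    """Exclude rules win; Include rules on one column are ORed and across
    columns ANDed (my reading of Procmon's rule combination; assumption)."""
    includes = {}
    for r in rules:
        if r.action == "Include":
            includes.setdefault(r.column, []).append(r)
    shown = []
    for ev in events:
        if any(r.matches(ev) for r in rules if r.action == "Exclude"):
            continue  # hide "boring" entries first
        if all(any(r.matches(ev) for r in rs) for rs in includes.values()):
            shown.append(ev)
    return shown

# Constructed sample in the shape of a Procmon CSV export; not real capture data.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","Procmon.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\X","SUCCESS",""
"10:01:03","sample.exe","2000","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ"
"10:01:04","sample.exe","2000","WriteFile","C:\\Users\\a\\AppData\\Roaming\\upd.exe","SUCCESS","Offset: 0"
"10:01:05","svchost.exe","800","ReadFile","C:\\Windows\\System32\\ntdll.dll","SUCCESS",""
"""

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

# Noise to hide, and "interesting" events to surface: registry writes under a Run key.
NOISE = [Rule("Process Name", "is", "Procmon.exe", "Exclude")]
INTERESTING = [Rule("Operation", "is", "RegSetValue", "Include"),
               Rule("Path", "contains", "\\CurrentVersion\\Run", "Include")]

def interesting_events(text=SAMPLE_CSV):
    return apply_filters(load_events(text), NOISE + INTERESTING)
```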