
Collecting system wide provenance on Windows

Ashish Gehani edited this page Nov 3, 2021 · 14 revisions

The ProcMon reporter uses input from the Process Monitor application on Microsoft Windows. Process Monitor is a monitoring tool that shows real-time file system, registry, and process/thread activity. It is available for download from Microsoft.

To collect provenance on Windows using the ProcMon reporter, the following steps must be performed:

  • Start Process Monitor. The tool will automatically begin capturing system-wide events.
  • Perform the tasks for which you want to collect provenance.
  • Stop Process Monitor.
  • Save Process Monitor's log file to disk. This saves the recorded system-wide activity to a single file. The log must be saved in XML format without the stack traces option.
  • In the SPADE controller, start the ProcMon reporter with the path to the saved file as an argument, which is ./ProcMon.XML in the example below:
    -> add reporter ProcMon input=./ProcMon.XML
    Adding reporter ProcMon... done

The Process Monitor log should contain the following columns, which can be selected from the Select Columns... option under the Options menu:

  • Process Name
  • Image Path
  • Command Line
  • Company Name
  • Description
  • Version
  • Architecture
  • Event Class
  • Operation
  • Date & Time
  • Time of Day
  • Category
  • Path
  • Detail
  • Result
  • Duration
  • User Name
  • Process ID
  • Thread ID
  • Parent PID

The ProcMon reporter will ingest the log file and send provenance information corresponding to the recorded activity to the SPADE kernel.
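A pre-flight check that a saved log meets the requirements above (XML format, no stack traces, all required columns present) catches the common mistakes before the reporter is started. The script below is an added example, not SPADE's own code. It assumes, for the purpose of the constructed sample it builds, that each column appears as a child element of an `<event>` record whose tag is the column name with spaces replaced by underscores (and the `&` in "Date & Time" dropped, since it is not legal in an XML name); that mapping is a stated assumption, not a verified description of Process Monitor's export schema, and `column_to_tag` is the single place to adjust it against a real export.

```python
"""Pre-flight check for a Process Monitor XML export before it is handed to
the SPADE ProcMon reporter (added example; not SPADE's own code)."""
import xml.etree.ElementTree as ET

# The columns the wiki page says must be selected before saving the log.
REQUIRED_COLUMNS = [
    "Process Name", "Image Path", "Command Line", "Company Name", "Description",
    "Version", "Architecture", "Event Class", "Operation", "Date & Time",
    "Time of Day", "Category", "Path", "Detail", "Result", "Duration",
    "User Name", "Process ID", "Thread ID", "Parent PID",
]


def column_to_tag(column):
    """ASSUMPTION: a column is an <event> child whose tag is the column name
    with spaces turned into underscores; '&' is dropped because it cannot
    appear in an XML element name. This matches the constructed sample below
    and is not a verified description of Process Monitor's schema."""
    return column.replace(" & ", "_").replace(" ", "_")


def check_export(xml_bytes):
    """Return a report: ok flag, event count, missing columns, stack-trace flag."""
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.tag != "procmon":
        problems.append("root element is <%s>, expected <procmon>" % root.tag)
    events = root.findall("./eventlist/event")
    if not events:
        problems.append("no <event> records found")
    # The page requires the log to be saved without the stack traces option.
    has_stack = any(ev.find("stack") is not None for ev in events)
    if has_stack:
        problems.append("stack traces present; re-save with the stack traces option off")
    present = set()
    for ev in events:
        present.update(child.tag for child in ev)
    missing = [c for c in REQUIRED_COLUMNS if column_to_tag(c) not in present]
    if missing:
        problems.append("missing columns: " + ", ".join(missing))
    return {"ok": not problems, "events": len(events), "missing_columns": missing,
            "has_stack_traces": has_stack, "problems": problems}


def check_export_file(path):
    """Run check_export on a saved log, e.g. check_export_file('ProcMon.XML')."""
    with open(path, "rb") as f:
        return check_export(f.read())


# --- constructed sample data (not a real capture) -------------------------
def build_sample_export(records, with_stack=False):
    """Serialise dict records as <event> elements under <procmon>/<eventlist>."""
    root = ET.Element("procmon")
    eventlist = ET.SubElement(root, "eventlist")
    for rec in records:
        ev = ET.SubElement(eventlist, "event")
        for column, value in rec.items():
            ET.SubElement(ev, column_to_tag(column)).text = value
        if with_stack:  # what a "with stack traces" save would add (assumed layout)
            ET.SubElement(ET.SubElement(ev, "stack"), "frame").text = "0x0000 (placeholder)"
    return ET.tostring(root, encoding="utf-8")


SAMPLE_RECORD = {  # constructed values for one CreateFile event
    "Process Name": "notepad.exe", "Image Path": r"C:\Windows\System32\notepad.exe",
    "Command Line": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    "Company Name": "Microsoft Corporation", "Description": "Notepad",
    "Version": "10.0.19041.1", "Architecture": "64-bit", "Event Class": "File System",
    "Operation": "CreateFile", "Date & Time": "11/3/2021 10:15:02 AM",
    "Time of Day": "10:15:02.1234567 AM", "Category": "Read",
    "Path": r"C:\Users\alice\notes.txt", "Detail": "Desired Access: Generic Read",
    "Result": "SUCCESS", "Duration": "0.0000123", "User Name": r"WORKSTATION\alice",
    "Process ID": "4120", "Thread ID": "4168", "Parent PID": "3004",
}
SAMPLE_CLEAN = build_sample_export([SAMPLE_RECORD, SAMPLE_RECORD])
# A log saved with Command Line deselected and stack traces enabled.
BAD_RECORD = {k: v for k, v in SAMPLE_RECORD.items() if k != "Command Line"}
SAMPLE_BAD = build_sample_export([BAD_RECORD], with_stack=True)

if __name__ == "__main__":
    for name, data in (("clean", SAMPLE_CLEAN), ("bad", SAMPLE_BAD)):
        print(name, check_export(data))
```

On a real export, run `check_export_file("ProcMon.XML")` and only start the reporter when the report's `ok` is true; a non-empty `missing_columns` list names exactly which entries still have to be ticked under Select Columns... before saving again.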


Command line Process Monitor log collection

The description above involves interactive use. To script the log collection, Process Monitor can be run at the command line. Specific steps are described here.
