Process Monitoring
Kernel Callback: Real-time process and thread creation/exit monitoring via kernel callbacks.
Event Types
| Event | Description |
|---|---|
| ProcessCreate | New process started |
| ProcessExit | Process terminated |
| ThreadCreate | New thread created |
| ThreadExit | Thread terminated |
Captured Information
Process Events
- Process ID (PID)
- Parent Process ID (PPID)
- Process name
- Full command line
- Image path
- Creating process ID
- Exit code (for exit events)
Thread Events
- Thread ID (TID)
- Process ID (PID)
- Process name
- Start address
- Exit code (for exit events)
Kernel Callbacks
- PsSetCreateProcessNotifyRoutineEx — Process creation/exit
- PsSetCreateThreadNotifyRoutine — Thread creation/exit
UI Features
- Process tab — View all process/thread events
- Filter by PID — Focus on a specific process
- Filter by name — Search by process name
- Command line view — See full command line arguments
- Process tree — View parent-child relationships
IPS Rule Examples
```text
Process: powershell.exe | Path: *\Temp\* | Action: Alert
Process: cmd.exe | CommandLine: *whoami* | Action: Log
Process: wscript.exe | Action: Block
```
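The following is an added example, not code from the product this page documents. It models the process events with the fields listed under Captured Information, reproduces the Process tree and Filter by PID / Filter by name views, and evaluates the three IPS rules above against a constructed set of events. The rule syntax is taken from the page; the matching semantics (`*` as a wildcard, case-insensitive comparison, first matching rule wins, rules applied to ProcessCreate only) are assumptions made here, and the product's own engine may differ.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessEvent:
    """One process event, with the fields the page lists for process events."""
    event: str            # "ProcessCreate" or "ProcessExit"
    pid: int
    ppid: int
    name: str
    command_line: str
    image_path: str
    creator_pid: int
    exit_code: Optional[int] = None


@dataclass
class Rule:
    action: str
    process: Optional[str] = None
    path: Optional[str] = None
    command_line: Optional[str] = None


def parse_rule(text: str) -> Rule:
    """Parse the page's 'Key: value | Key: value | Action: X' rule syntax."""
    fields = {}
    for part in text.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    if "action" not in fields:
        raise ValueError("rule has no Action")
    return Rule(action=fields["action"], process=fields.get("process"),
                path=fields.get("path"), command_line=fields.get("commandline"))


def _match(pattern: Optional[str], value: str) -> bool:
    # Assumption: '*' wildcard, case-insensitive (Windows names and paths are case-insensitive).
    if pattern is None:
        return True
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(rules: List[Rule], event: ProcessEvent) -> Optional[str]:
    """Return the Action of the first rule matching a ProcessCreate event, else None."""
    if event.event != "ProcessCreate":
        return None
    for r in rules:
        if (_match(r.process, event.name) and _match(r.path, event.image_path)
                and _match(r.command_line, event.command_line)):
            return r.action
    return None


def process_tree(events: List[ProcessEvent]) -> Dict[int, List[Tuple[int, str]]]:
    """Map PPID -> [(PID, name)] from ProcessCreate events (parent-child view)."""
    children: Dict[int, List[Tuple[int, str]]] = {}
    for e in events:
        if e.event == "ProcessCreate":
            children.setdefault(e.ppid, []).append((e.pid, e.name))
    return children


def render_tree(children, root: int, depth: int = 0) -> List[str]:
    """Indented lines for the subtree below `root`, depth-first."""
    lines = []
    for pid, name in children.get(root, []):
        lines.append("  " * depth + f"{name} ({pid})")
        lines.extend(render_tree(children, pid, depth + 1))
    return lines


def filter_events(events, pid: Optional[int] = None, name: Optional[str] = None):
    """Equivalent of the UI 'Filter by PID' and 'Filter by name' views."""
    return [e for e in events
            if (pid is None or e.pid == pid)
            and (name is None or e.name.lower() == name.lower())]


# The three rules from the page, in the page's own syntax.
RULES = [parse_rule(r) for r in (
    r"Process: powershell.exe | Path: *\Temp\* | Action: Alert",
    r"Process: cmd.exe | CommandLine: *whoami* | Action: Log",
    r"Process: wscript.exe | Action: Block",
)]

# Constructed sample events (PIDs, paths and command lines are made up for the example).
SAMPLE_EVENTS = [
    ProcessEvent("ProcessCreate", 4120, 812, "explorer.exe", "explorer.exe", r"C:\Windows\explorer.exe", 812),
    ProcessEvent("ProcessCreate", 5200, 4120, "cmd.exe", "cmd.exe /c whoami /all", r"C:\Windows\System32\cmd.exe", 4120),
    ProcessEvent("ProcessCreate", 5310, 5200, "powershell.exe", "powershell.exe -nop",
                 r"C:\Users\bob\AppData\Local\Temp\powershell.exe", 5200),
    ProcessEvent("ProcessCreate", 5400, 4120, "wscript.exe", "wscript.exe setup.vbs", r"C:\Windows\System32\wscript.exe", 4120),
    ProcessEvent("ProcessCreate", 5500, 4120, "notepad.exe", "notepad.exe", r"C:\Windows\System32\notepad.exe", 4120),
    ProcessEvent("ProcessExit", 5200, 4120, "cmd.exe", "cmd.exe /c whoami /all", r"C:\Windows\System32\cmd.exe", 4120, exit_code=0),
]


def triage(events=SAMPLE_EVENTS, rules=RULES) -> Dict[int, Optional[str]]:
    """PID -> action decided for each ProcessCreate event (None when no rule matches)."""
    return {e.pid: evaluate(rules, e) for e in events if e.event == "ProcessCreate"}


if __name__ == "__main__":
    print("\n".join(render_tree(process_tree(SAMPLE_EVENTS), 812)))
    print(triage())
```

Running the block prints the tree rooted at the constructed PID 812 and the per-process decisions: the `cmd.exe` launch is logged because its command line contains `whoami`, the `powershell.exe` image under a `Temp` directory raises an alert, `wscript.exe` is blocked unconditionally, and the remaining processes match nothing. Because the exit event for PID 5200 carries the same name and command line as its creation event, a rule engine that did not restrict itself to ProcessCreate would fire twice for one process; that restriction is the reason `evaluate` checks the event type first.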