使用系统内部进程监控(procmon.exe或procmon64.exe),如何跟踪具有给定 PID 的进程及其子进程?
我的第一个(天真的)想法是同时包含“PID 是 1234”和“父 PID 是 1234”谓词——结果发现它们是使用 AND 而不是 OR 连接的,因此是互斥的。
是否有可能以某种方式使用 OR 连接过滤器?
答案1
从进程监视器帮助(procmon.chm):
进程监控
- 或者将与特定属性类型相关的所有过滤器组合在一起,并
- 和将不同属性类型的过滤器组合在一起。
假设我想跟踪PowerShell.exe进程及其子进程。然后powershell从窗口运行对话框 ( Win+ R) 启动,如下所示
cmd.exe /c "title="mycmd" & tasklist /v /fo csv | findstr /i "powershell\.exe" & echo --- & start "" "powershell" & >NUL timeout /T 2 & tasklist /v /fo csv | findstr /i "mycmd powershell\.exe" & pause"
假设mycmd窗口输出如下所示:
"powershell.exe","5384","Console","1","88 752 K","Running","PC\user","0:00:01","Windows PowerShell" --- "powershell.exe","5384","Console","1","88 752 K","Running","PC\user","0:00:01","Windows PowerShell" "cmd.exe","5008","Console","1","4 488 K","Running","PC\user","0:00:00",""mycmd" " "powershell.exe","4344","Console","1","84 468 K","Running","PC\user","0:00:01","N/A" Press any key to continue . . .
然后我可以在进程监控作为
Parent PID is 4344 # childs of newly created powershell.exe instance
Parent PID is 5008 # childs of ephemeral cmd.exe i.e our powershell.exe
Process Name is not conhost.exe # service utility for any console application
换句话说:
(Parent PID is 4344 或者 5008) 和(Process Name is not conhost.exe)
Win+命令R含义:
cmd.exe /c "title="mycmd":启动辅助(短暂)命令提示符实例,设置其标题,然后执行以下任务:tasklist /v /fo csv | findstr /i "powershell\.exe"列出当前(现在)的 PowerShell 实例echo ---打印行分隔符start "" "powershell"启动新的 PowerShell 实例>NUL timeout /T 2等待一小会儿tasklist /v /fo csv | findstr /i "mycmd powershell\.exe"列出 PowerShell 的当前实例和我们的辅助cmd.exepause"等待用户的响应