Application Monitor

Started by bettman, April 21, 2021, 05:17:47 AM


bettman

I was hoping someone could point me in the right direction.

We have a need to monitor licensed application usage (Adobe, Visio, Project etc.). In a nutshell, I am looking to write a script that stays resident and looks for any of the apps. If one is launched, it will write an entry in the registry. I can then inventory that data to figure out who is actually using the software and recoup a license if it's not.

My question is, does anyone have an idea of how I can monitor for the launch of multiple exes (visio.exe, project.exe etc.)? I suppose I could load that list via an array and use an if appexist loop to do it, but I don't think that's the best approach.

Any help would be appreciated.

td

You could consider researching either the WMI __InstanceCreationEvent class

https://docs.microsoft.com/en-us/windows/win32/wmisdk/--instancecreationevent?redirectedfrom=MSDN

or the Win32_ProcessStartTrace class

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/krnlprov/win32-processstarttrace?redirectedfrom=MSDN

I haven't ever tried to use either so no idea how well either class works.

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
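The __InstanceCreationEvent approach mentioned above, as an added example rather than code from this thread: a resident PowerShell watcher that subscribes to new Win32_Process instances, matches the image name against a list of licensed executables, and records the latest launch time per application under a registry key. The executable list and the registry path are assumptions chosen for illustration.

```powershell
# Added example, not from the original thread. Watches for launches of the listed
# executables via a WMI __InstanceCreationEvent subscription and records the most
# recent launch time of each under a registry key for later inventory.
# Assumptions: the executable names and $RegPath below are placeholders to adjust.
# HKCU is used so no elevation is needed, but the entries are then per-user.

$Watched = @('visio.exe', 'winproj.exe', 'acrobat.exe')   # constructed sample list
$RegPath = 'HKCU:\Software\LicenseUsage'                   # assumed key; change to suit

if (-not (Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}

# WQL: poll every 2 seconds for new Win32_Process instances. WITHIN-based polling
# can miss a process that starts and exits inside one interval; lower the interval
# (at some CPU cost) or use Win32_ProcessStartTrace, which needs admin rights.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

# The -Action block runs in its own scope, so the list and path are passed in
# through -MessageData instead of being read from the caller's variables.
Register-CimIndicationEvent -Query $Query -SourceIdentifier 'LicenseAppWatch' `
    -MessageData @{ Watched = $Watched; RegPath = $RegPath } -Action {
        $proc = $Event.SourceEventArgs.NewEvent.TargetInstance
        $name = $proc.Name.ToLower()
        if ($Event.MessageData.Watched -contains $name) {
            # One value per application, overwritten with the latest launch time.
            $stamp = (Get-Date).ToString('o')
            Set-ItemProperty -Path $Event.MessageData.RegPath -Name $name -Value $stamp
            Write-Host "$stamp launched: $name (PID $($proc.ProcessId))"
        }
    } | Out-Null

# Keep the script resident; Ctrl+C stops it and the finally block removes the subscription.
try {
    while ($true) { Start-Sleep -Seconds 5 }
}
finally {
    Unregister-Event -SourceIdentifier 'LicenseAppWatch' -ErrorAction SilentlyContinue
}
```

The recorded values can later be collected with Get-ItemProperty against the same key on each machine; because the watcher only runs while the user session is up, launches that happen while it is not running are not captured.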

ChuckC

If there is the possibility that any of these applications may be launched, used and exited from while your script is not running, and you still need to detect that they were run, then one possible solution is to make use of the Windows Advanced Security Auditing feature. Specifically, enabling successful audits for the "Detailed Tracking" category's "Audit Process Creation" subcategory will result in events being sent to the Security Event Log as Event ID 4688.

Refer to the following for details of what's in the detailed data for the event record:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688

Alternatively, one could enable global file system auditing and then modify the SACL [System ACL] to enable success [and possibly failed] access auditing for the executable file associated with each application.

Either of the above-mentioned methods involves already having system-level administrative access to change audit policy and to optionally modify the SACL of files in the file system. The same applies to reading the Security Event Log.