Joel_YJT

Processes probe to monitor any executable running from a directory

Discussion created by Joel_YJT on Feb 26, 2011

I'm using a regular expression to attempt to monitor all processes running from a certain directory (or any of its subdirectories). So, for example, if I wanted to monitor everything running from the C:\Windows\System32 directory (or its subdirectories), I would put:

/(?i)c:\\windows\\system32.*\.exe.*/

in the profile definition. This seemed to work for some, but not all, of the processes running from that directory, and I think I figured out why: the probe is looking at the field "Command Line" for this information, and sometimes the full path is not in that field. So the only time it would find all the processes running from this directory is if the full path was in the command line.

 

My question is: is there any way to have it look at that full path instead of the command line to get this information? I see in the raw_configure of the processes probe that there is a get_command_line option, which doesn't seem to have any effect on how the regular expression works. Is there a get_full_path option that I can use? (I tried get_full_path; that didn't have any effect.)

 

Or, is there some other way to get this information besides using the processes probe?

 

Thanks,

Joel
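
As an added illustration (not part of the original post or of the probe's own code), the constructed records below show why applying the pattern above to the "Command Line" field both misses processes started with a bare image name and can flag a process that merely mentions the directory as an argument; the image_path field and the ntpath prefix check are assumptions about how a full-path match would behave.

```python
import ntpath
import re
from typing import List, NamedTuple

# The pattern from the post, without the surrounding slashes.
# Assumption: the probe applies it with search semantics (match anywhere).
PATTERN = re.compile(r"(?i)c:\\windows\\system32.*\.exe.*")

class Proc(NamedTuple):
    pid: int
    image_path: str     # full path of the executable on disk (assumed field)
    command_line: str   # what the probe's "Command Line" field shows

# Constructed sample records, not output from a real system.
SAMPLE: List[Proc] = [
    Proc(1001, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # Subdirectory, started with a bare image name: full path absent.
    Proc(1002, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"WmiPrvSE.exe"),
    Proc(1003, r"C:\Windows\System32\lsass.exe", r"lsass.exe"),
    # Runs from elsewhere but passes a System32 path as an argument.
    Proc(1004, r"C:\Program Files\App\app.exe",
         r"app.exe C:\Windows\System32\config.exe"),
]

def match_command_line(procs: List[Proc]) -> List[int]:
    """PIDs the regex selects when applied to the Command Line field."""
    return [p.pid for p in procs if PATTERN.search(p.command_line)]

def match_image_path(procs: List[Proc], directory: str = r"C:\Windows\System32") -> List[int]:
    """PIDs whose executable lives in `directory` or any subdirectory (case-insensitive)."""
    # ntpath.normcase lowercases and normalises separators on any host OS.
    prefix = ntpath.normcase(directory.rstrip("\\")) + "\\"
    return [p.pid for p in procs if ntpath.normcase(p.image_path).startswith(prefix)]

def missed_by_command_line(procs: List[Proc]) -> List[int]:
    """Processes in the directory that the command-line regex does not see."""
    seen = set(match_command_line(procs))
    return [pid for pid in match_image_path(procs) if pid not in seen]

def false_positives(procs: List[Proc]) -> List[int]:
    """Processes the regex flags although they run from somewhere else."""
    inside = set(match_image_path(procs))
    return [pid for pid in match_command_line(procs) if pid not in inside]

if __name__ == "__main__":
    print("command line match:", match_command_line(SAMPLE))  # [1001, 1004]
    print("image path match:  ", match_image_path(SAMPLE))    # [1001, 1002, 1003]
    print("missed:", missed_by_command_line(SAMPLE), "false positives:", false_positives(SAMPLE))
```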