Oct 2 2007, 07:34 PM
Post #1
If anyone is interested, the below Lua script will use WMI to query the processes running on a target host and compare them against a text file that contains the exe process name, a description of the process, and a path that the exe should be running from. Below is an example of a file. The file should be placed on the INM server. Setting up the file can be a tedious task; to help speed things up, create a blank text file and use that as the parameter to the script, then run the script against a machine in the Lua IDE and you can copy and paste the result into the text file once you verify that all the processes are ok to be running.

NOTE: You need to be running at least version 3.3 to run this script. During testing of the beta, execution time was under 500ms when comparing against a list of 196 processes.

CODE
acrobat.exe	Adobe Acrobat Reader	C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
powerpnt.exe	Microsoft PowerPoint	C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
ipodservice.exe	iTunes	C:\Program Files\iPod\bin\iPodService.exe
wmplayer.exe	Windows Media Player	C:\Program Files\Windows Media Player\wmplayer.exe
mfpmp.exe	Media Foundation Protected Pipeline DRM!!
wmiapsrv.exe	Microsoft WMI Performance Adapter	c:\windows\system32\wbem\wmiapsrv.exe
notepad.exe	Notepad	c:\windows\system32\notepad.exe

And now for the Lua Script.....

CODE
-----------------------------------------------------------------
-- Name: ProcessScan.lua
-- Author: Kevin Prestage
-- Required INM version: 3.3
-- Version: 1.0
-- Date: 2007-09-19
-- Description: This script will load a configuration file of
-- process names and execute a WMI query against the machine and
-- compare the resulting running processes against the processes
-- in the configuration file. It will also verify that the file
-- is running from the predetermined path specified in the
-- configuration file. The configuration file is a TAB delimited
-- text file on the INM host machine.
--
-- The format is:
-- ExeName (i.e explorer.exe) [TAB]
-- Description to help identify the processes [TAB]
-- Path the file should run from [NEW LINE]
--
-- iexplorer.exe	Internet Explorer	c:\Program Files\IE7\iexplorer.exe
--
-- Only the first column is required to run the script.
-- the Description and path are optional.
--
-- Arguments:
-- 1) Path to the configuration text file (relative to the INM host machine, NOT the object being monitored.
----------------------------------------------------------------------------------------------------------

--simple function to split a string into an array (table) based on a separator.
function MakeTable2(str, sep)
    local fields = {};
    --terminate the last field so the pattern below captures it too
    --(otherwise the path column, which ends the line, would be lost).
    if (string.sub(str, -1) ~= sep) then
        str = str .. sep;
    end
    string.gsub(str, "([^" .. sep .. "]*)" .. sep, function(c) table.insert(fields, c) end);
    return fields;
end

--Start a timer so we can monitor the performance of this script.
Timer = TLuaTimer();
Timer:Start();

result = "";   --this will store our result text
b = true;      --this is the status of the script.
count = 0;     --total number of processes running on the machine.
unknown = 0;   --total number of unknown processes found.

--set the name of the file containing safe processes.
fn = GetArgument(0);

--open the file in the context of the INM host.
file = TLuaFile(true);
iLength = file:GetFileSize(fn);
iRet = file:Open(fn, false);
RawData = "";
RawData, iLength = file:Read(iLength);
file:Close();

--convert the file text to lower case for easier comparison.
RawData = string.lower(RawData);

--Query WMI for a list of all processes running on the machine.
Query = TLuaWMIQuery();
b = Query:Execute("Select * from Win32_Process");

--if the query failed, set the result.
if (b == false) then
    result = "An error occurred querying WMI. " .. Query:GetErrorDescription();
end

--Loop through the results and check each process against the file.
while (Query:NextInstance()) do
    count = count + 1; --increment the process count.

    --get the process name and path
    bOk, exeName = Query:GetProperty("Description", exeName);
    bOk, exePath = Query:GetProperty("ExecutablePath", exePath);
    if (exeName == nil) then exeName = ""; end
    exeName = string.lower(exeName);
    if (exePath == nil) then exePath = ""; end
    exePath = string.lower(exePath);

    --check if this is a safe process. The name is searched as plain text
    --(4th argument true) so the "." in "notepad.exe" is not treated as a
    --Lua pattern character that matches anything.
    iPos2 = string.find(RawData, exeName, 1, true);
    if (iPos2 == nil) then
        result = result .. exeName .. "\tUnknown Process!\t" .. exePath .. "\n";
        b = false;
        unknown = unknown + 1;
    else
        --even if it is safe, we need to see if it is running in the correct location if provided.
        iPos3 = string.find(RawData, "\n", iPos2, true);
        x = string.sub(RawData, iPos2, iPos3);
        x = MakeTable2(x, "\t");
        okpath = x[3];
        if (okpath == nil) then okpath = ""; end
        okpath = string.gsub(okpath, "\n", "");
        okpath = string.gsub(okpath, "\r", "");
        if (okpath ~= "") then
            --plain find again: paths contain "." and may contain "(" and ")",
            --which would otherwise be read as pattern syntax.
            iPos2 = string.find(exePath, okpath, 1, true);
            if (iPos2 == nil) then
                result = result .. exeName .. "\tWRONG PATH=" .. exePath .. "\tOK PATH=" .. okpath .. "\n";
                b = false;
                unknown = unknown + 1;
            end
        end
    end
end

--Store the number of running processes on the machine
StoreStatisticalData(0, count, 0, "Processes");
--Store the number of unknown processes running
StoreStatisticalData(1, unknown, 0, "Unknown");
--Store the monitored safe processes
t = MakeTable2(RawData, "\n");
StoreStatisticalData(2, table.getn(t), 0, "Safe");
--Store the execution time of the script.
mil = Timer:Stop();
StoreStatisticalData(3, mil, 0, "Milliseconds");

--set the Exit status and message.
result = result .. "\n" .. count .. " processes running. " .. unknown .. " not on list of " .. table.getn(t) .. " safe processes. Test Completed in " .. mil .. " Milliseconds";
SetExitStatus(result, b);
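As an added example (not part of Kevin's post and not INM's own code), the same allowlist comparison the script performs is written out below in Python so it can be run offline without the TLuaWMIQuery/TLuaFile API. The function names (parse_allowlist, scan, format_report, run_demo), the ALLOWLIST text and the SNAPSHOT list are all mine, and the input data is constructed. It differs from the script in two deliberate ways: the exe name has to equal an allowlist entry's first column (case-insensitively) instead of merely occurring somewhere in the file, and the expected path is compared for equality instead of being searched for as a Lua pattern. That is why a process called pad.exe is not passed on the strength of the notepad.exe line, and why an expected path containing "(x86)" cannot break the match.

```python
# Added example (not the forum script): the allowlist comparison the
# ProcessScan.lua post describes, written in Python so it runs offline.
# Input is a constructed process snapshot; on a Windows host the snapshot
# would come from a WMI query for Win32_Process Name and ExecutablePath.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SafeProcess:
    name: str             # lower-cased exe name (first column)
    description: str      # optional second column
    path: Optional[str]   # optional third column, lower-cased, None if absent


def parse_allowlist(text: str) -> Dict[str, SafeProcess]:
    """Parse the TAB-delimited allowlist: exe name, description, expected path.

    Only the first column is required. Blank lines and CRLF endings are tolerated.
    """
    safe: Dict[str, SafeProcess] = {}
    for raw in text.splitlines():
        cols = [c.strip() for c in raw.split("\t")]
        if not cols[0]:
            continue
        name = cols[0].lower()
        desc = cols[1] if len(cols) > 1 else ""
        path = cols[2].lower() if len(cols) > 2 and cols[2] else None
        safe[name] = SafeProcess(name, desc, path)
    return safe


Finding = Tuple[str, str, str]  # (exe name, finding kind, detail)


def scan(processes: List[Tuple[str, Optional[str]]],
         safe: Dict[str, SafeProcess]) -> Tuple[List[Finding], Dict[str, int]]:
    """Compare a (name, executable path) snapshot against the allowlist.

    The name must equal an allowlist key (case-insensitively), not merely
    appear somewhere in the file; when an expected path is given, the
    reported path must equal it after lower-casing.
    """
    findings: List[Finding] = []
    unknown = 0
    for name, path in processes:
        lname = name.lower()
        lpath = (path or "").lower()
        entry = safe.get(lname)
        if entry is None:
            findings.append((lname, "Unknown Process!", lpath))
            unknown += 1
        elif entry.path is not None and lpath != entry.path:
            detail = f"{lpath or '(no path reported)'}\tOK PATH={entry.path}"
            findings.append((lname, "WRONG PATH", detail))
            unknown += 1
    stats = {"Processes": len(processes), "Unknown": unknown, "Safe": len(safe)}
    return findings, stats


def format_report(findings: List[Finding], stats: Dict[str, int]) -> str:
    """Render the findings in the same tab-separated shape the INM script emits."""
    lines = [f"{name}\t{kind}\t{detail}" for name, kind, detail in findings]
    lines.append(f"{stats['Processes']} processes running. {stats['Unknown']} "
                 f"not on list of {stats['Safe']} safe processes.")
    return "\n".join(lines)


# Constructed allowlist: CRLF on the first line, no path column on the third.
ALLOWLIST = (
    "notepad.exe\tNotepad\tc:\\windows\\system32\\notepad.exe\r\n"
    "wmiapsrv.exe\tMicrosoft WMI Performance Adapter\tc:\\windows\\system32\\wbem\\wmiapsrv.exe\n"
    "mfpmp.exe\tMedia Foundation Protected Pipeline\n"
)

# Constructed snapshot of (Name, ExecutablePath) as WMI would report them.
SNAPSHOT: List[Tuple[str, Optional[str]]] = [
    ("notepad.exe", "C:\\Windows\\System32\\notepad.exe"),  # known, right place
    ("notepad.exe", "C:\\Users\\Public\\notepad.exe"),      # known name, wrong place
    ("pad.exe", "C:\\Temp\\pad.exe"),                       # substring of a known name, still unknown
    ("mfpmp.exe", "C:\\Windows\\System32\\mfpmp.exe"),      # known, no path to enforce
    ("wmiapsrv.exe", None),                                 # WMI returned no path
]


def run_demo() -> str:
    findings, stats = scan(SNAPSHOT, parse_allowlist(ALLOWLIST))
    return format_report(findings, stats)


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script and it prints one tab-separated line per finding followed by the same summary line the INM script builds. A name-plus-path allowlist only establishes that a binary with the expected name runs from the expected directory; it does not notice a binary that was replaced in place at that path, so where that matters it should be paired with a file hash or signature check on the executable.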

Oct 2 2007, 08:15 PM
Post #2
Root Admin, Intellipool AB, Härnösand, Sweden
Awesome work!