
Procmon is a very powerful monitoring tool for Windows, capable of capturing file system, registry, process/thread and network activity.

Procmon uses internal file formats for configuration (PMC) and logs (PML). procmon-parser reads these formats directly, instead of having to convert the file to CSV/XML formats prior to loading.

## PMC (Process Monitor Configuration) Parser

### Usage

Loading a pre-exported Procmon configuration:

```python
>>> from procmon_parser import load_configuration, dump_configuration, Rule
>>> with open("ProcmonConfiguration.pmc", "rb") as f:
...     config = load_configuration(f)
>>> config["FilterRules"][0]     # key assumed: the index expression was lost in extraction
>>> config["DestructiveFilter"]  # key assumed, as above
0
```

Adding some new rules:

```python
>>> new_rules = [...]  # a list of Rule objects; the page's example list was lost in extraction
>>> config["FilterRules"] = new_rules + config["FilterRules"]  # key assumed
```

Dropping filtered events:

```python
>>> config["DestructiveFilter"] = 1  # key assumed
```

Dumping the new configuration to a file:

```python
>>> with open("ProcmonConfiguration1337.pmc", "wb") as f:
...     dump_configuration(config, f)
```

### File Format

For the raw binary format of PMC files you can refer to the docs, or take a look at the source code in `configuration_format.py`.

## PML (Process Monitor Log) Parser

### Usage

procmon-parser exports a `ProcmonLogsReader` class for reading logs directly from a PML file:

```python
>>> from procmon_parser import ProcmonLogsReader
>>> f = open("LogFile.PML", "rb")
>>> pml_reader = ProcmonLogsReader(f)
>>> len(pml_reader)  # number of logs
53214
>>> first_event = next(pml_reader)  # reading the next event in the log
>>> print(first_event)
Process Name=dwm.exe, Pid=932, Operation=RegQueryValue, Path="HKCU\Software\Microsoft\Windows\DWM\ColorPrevalence", Time=7/12/2020 1:18:10.7752429 AM
>>> print(first_event.
```
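The PML reader above yields one event per call to `next()`. As an added example (not code from the procmon-parser project), the following shows how a responder might triage such events: it parses the printed `Key=Value` form shown above into a small `Event` record, flags registry writes under the well-known autorun keys, and counts operations per process. The `Event` class, the `parse_printed_event` / `find_autorun_writes` / `operations_per_process` functions and the `SAMPLE_*` names are assumptions of this example; one sample line is the page's dwm.exe event, the others are constructed. Real event objects yielded by `ProcmonLogsReader` would be mapped onto `Event` by the caller, since their attribute names are not shown on the page.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Matches one "Key=Value" field of the printed event form shown on the page.
# Quoted values (the Path) may contain commas, so they are matched as a unit.
_FIELD_RE = re.compile(r'([A-Za-z][A-Za-z ]*)=("[^"]*"|[^,]*)')


@dataclass(frozen=True)
class Event:
    """Constructed stand-in for a Procmon event (fields taken from the printed form)."""
    process_name: str
    pid: int
    operation: str
    path: str


def parse_printed_event(line: str) -> Event:
    """Parse 'Process Name=..., Pid=..., Operation=..., Path="...", Time=...' into an Event."""
    fields = {key.strip(): value.strip('"') for key, value in _FIELD_RE.findall(line)}
    return Event(fields["Process Name"], int(fields["Pid"]), fields["Operation"], fields["Path"])


# Registry keys commonly used for autostart persistence, compared case-insensitively.
_AUTORUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
)


def is_autorun_write(event: Event) -> bool:
    """True for a registry write (RegSetValue) targeting an autorun key or anything beneath it."""
    if event.operation != "RegSetValue":
        return False
    path = event.path.lower()
    # Require the exact key or a value/subkey under it, so "...\RunServices" does not match "...\Run".
    return any(path == key or path.startswith(key + "\\") for key in _AUTORUN_KEYS)


def find_autorun_writes(events: Iterable[Event]) -> list[Event]:
    """Return the events that write to an autorun location, in log order."""
    return [e for e in events if is_autorun_write(e)]


def operations_per_process(events: Iterable[Event]) -> Counter:
    """Count (process name, pid, operation) triples, useful for spotting unexpected activity."""
    return Counter((e.process_name, e.pid, e.operation) for e in events)


# Constructed sample: the first line is the event printed on the page, the rest are made up.
SAMPLE_LINES = [
    r'Process Name=dwm.exe, Pid=932, Operation=RegQueryValue, Path="HKCU\Software\Microsoft\Windows\DWM\ColorPrevalence", Time=7/12/2020 1:18:10.7752429 AM',
    r'Process Name=explorer.exe, Pid=1560, Operation=RegQueryValue, Path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run", Time=7/12/2020 1:18:10.9000000 AM',
    r'Process Name=updater.exe, Pid=4242, Operation=RegSetValue, Path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", Time=7/12/2020 1:18:11.0100000 AM',
    r'Process Name=svchost.exe, Pid=1200, Operation=RegSetValue, Path="HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Foo", Time=7/12/2020 1:18:11.2000000 AM',
]
SAMPLE_EVENTS = [parse_printed_event(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for event in find_autorun_writes(SAMPLE_EVENTS):
        print(f"autorun write: pid={event.pid} {event.process_name} -> {event.path}")
    for (name, pid, operation), count in operations_per_process(SAMPLE_EVENTS).most_common():
        print(f"{name} ({pid}) {operation}: {count}")
```

With a real log you would replace `SAMPLE_EVENTS` by a generator that iterates the `ProcmonLogsReader` and builds an `Event` per yielded record; the triage functions only depend on the four fields, so the same logic runs over a full 53214-event capture without loading it into memory first.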
