ProcessWatcher

Questions and comments specific to a particular plugin should go here.
kgschlosser
Site Admin
Posts: 4313
Joined: Fri Jun 05, 2015 5:43 am
Location: Rocky Mountains, Colorado USA

Re: ProcessWatcher

Post by kgschlosser » Wed Feb 01, 2017 4:34 pm

I wonder if this has to be done at the module level instead of at the class level. Might have something to do with it. I am going to add the code at the module level and see if that makes a difference.

Re: ProcessWatcher

Post by kgschlosser » Wed Feb 01, 2017 5:11 pm

Hey! It seems I have it running. Gotta give it a while to see if it bombs again.. but it would usually do it within the first 10 events or so.. I am going to run this for a while and see if it continues to work. Kinda strange the setup I had to do, but as long as it works.

I do not know if you downloaded the dll or if you did a build for it.. the one I included in the previous attachment I built from the latest code on their github. Had to sort out all kinds of path errors and what have you, but I did get it built. That was the part that was a pain.. because they link to a couple of other projects and there is no real instruction on what is needed when you build the thing.

jonib
Plugin Developer
Posts: 1280
Joined: Thu Mar 26, 2009 9:33 pm
Location: Sweden

Re: ProcessWatcher

Post by jonib » Wed Feb 01, 2017 5:47 pm

kgschlosser wrote:Hey! It seems I have it running. Gotta give it a while to see if it bombs again.. but it would usually do it within the first 10 events or so.. I am going to run this for a while and see if it continues to work. Kinda strange the setup I had to do, but as long as it works.
OK
kgschlosser wrote:I do not know if you downloaded the dll
I downloaded the binary, I hate compiling as there is always trouble.

jonib
XBMC2 plugin to control XBMC.

Re: ProcessWatcher

Post by kgschlosser » Wed Feb 01, 2017 7:48 pm

It's still running.. I just wanted to give ya an update.. so it looks as though this might be a viable solution.. I will toss up a zip with the __init__ and all of the files in a little bit. But this is basically just a test run "plugin" so it has a different guid as well as a different class name than the original ProcessWatcher plugin.

I will add a bunch of comments in laying out what is what and why, because it's a very odd way of keeping it running, and I do not fully understand as to why it has to be done like this.

Re: ProcessWatcher

Post by kgschlosser » Thu Feb 02, 2017 2:38 am

I have tried every which way to get this thing to work in a different manner than what it does currently, but I have not had success at all.. It seems as though for some reason you cannot initialize this thing inside of a class. But because of the way that EG is designed it doesn't load anything past eg.RegisterPlugin unless the plugin is loaded or debugging is turned on. But I have devised a method so that when the plugin gets enabled or disabled it will stop generating events but the whole thing will not unload until either the plugin gets deleted or EG gets closed.

The only thing I do not like is how it hangs for a second when opening the dll and hooking the kernel, but a momentary hang when it loads is not a huge deal.. it only takes a second. I would be interested in knowing if it is any improvement. It seems to catch every single process... and I also like the fact that I was able to add to the payload the username that started the process. So it tells me if the system or if someone logged in via RDP but whatever.. that's kind of nice. It ran all day without stopping so I know 100% that the thing has to be started at module level.. I just do not know why.

I am going to test it outside of EG and see if the same problem occurs, and if it does I will post a bug report on their github.

Re: ProcessWatcher

Post by jonib » Sat Feb 04, 2017 10:20 am

kgschlosser wrote:it ran all day without stopping so I know 100% that the thing has to be started at module level..
Do you mind posting your solution? I kinda lost any motivation trying to solve this problem, if there already is a solution. I need to start focusing on other projects, but I'm single-minded and can only focus on one project at a time.

jonib

Re: ProcessWatcher

Post by kgschlosser » Sat Feb 04, 2017 3:01 pm

Oh yeah sorry about that. I got sidetracked on something else.

Here is the plugin.. I have changed the class name and guid so it can be run alongside the original plugin.

This is just the core, no actions.

Re: ProcessWatcher

Post by kgschlosser » Sat Feb 04, 2017 6:30 pm

I did forget to rename the directory.. so it will overwrite the stock plugin.. sorry about that

Re: ProcessWatcher

Post by jonib » Sat Feb 04, 2017 11:17 pm

kgschlosser wrote:Here is the plugin.. I have changed the class name and guid so it can be run alongside the original plugin.
Thanks, I'll check it out tomorrow.
kgschlosser wrote:I did forget to rename the directory.. so it will overwrite the stock plugin.. sorry about that
OK

jonib

Re: ProcessWatcher

Post by kgschlosser » Sun Feb 05, 2017 12:28 am

@ jonib

I got it working the right way without any hocus pocus.

After playing around for a while, I finally got a traceback that indicated to me what was going on... because plugin creation happens in the action thread and not the main thread, and only the main thread can receive COM messages. Therein was the problem. See, when the plugin originally gets scanned, this is done by the main thread, hence why it would work if I set the objects at the module level. But when the plugin actually would run I was unable to create the COM object properly.

The only "magic code" is a simple call to wx.CallAfter when the plugin starts, to a method in the Process Watcher class, and in that method is the creation of the COM object. But this also gets rid of that horrid delay that was taking place. wx.CallAfter makes it nice and easy to get something into the main thread.

Attached is a better version.. and I fixed the directory as well

Re: ProcessWatcher

Post by kgschlosser » Sun Feb 05, 2017 5:53 am

OK well I decided to go and complete the plugin.. so here is a complete version barring any bugs.

Re: ProcessWatcher

Post by jonib » Sun Feb 05, 2017 11:17 am

kgschlosser wrote:OK well I decided to go and complete the plugin.. so here is a complete version barring any bugs.
So I have done some tests with this version:
  • Using the DeviareCOM dll seems to double the memory usage of EventGhost (from 50+MB to 100+MB). Should be documented so users know if memory usage is important.
  • Are any other DLLs needed other than DeviareCOM.dll? If I remove the other DLLs the plugin seems to work the same. (Tested events only)
  • I don't think deviare64.db is needed either.
  • The register/unregister of the DLL needs to be handled differently; if another program uses the DLL it won't work after EventGhost shuts down as the DLL gets unregistered. Even if the other program has a local copy of the DLL.
This might be a problem with my computer (I'm using EG 0.4):
But using my test script:

Code:

import os

# Wait for Enter before starting the burst.
raw_input()
# Start ten short-lived processes in quick succession.
for i in xrange(10):
    os.system("cmd /c ver")
I'm not getting events for all process starts/ends. Interestingly, my out-of-EventGhost test code has the same problem now; in the beginning of the week it seemed to work perfectly. Might be related to my antivirus (Comodo).
I need to do more testing.

jonib

Re: ProcessWatcher

Post by kgschlosser » Sun Feb 05, 2017 4:11 pm

The dll can be registered manually using regsvr32 and then there would be no need to register the dll.. I have not done any tests with it.. so I do not know if it does capture all processes. The only reason why I would think it may not is because of how EG handles triggering of events and locking, which would cause a thread to wait until it finishes. But that shouldn't matter because it's set to run synchronously, which means that the process will not continue until the call to the process watcher has finished. So that leads me to believe that the dll is missing things. I will test this theory by making a thread to handle the grabbing of data from a queue and triggering an event with it, so all the incoming notification would have to do is to put the data in a queue.

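One way to structure the queue hand-off described in the post above, as an added example that is not part of the original post or the plugin's code: the notification handlers only enqueue, and a worker thread triggers events in arrival order. It is written for Python 3; `EventPump`, the handler names, the `trigger` callable and the sample PIDs are assumptions, and it cannot recover events the hook itself never reports.

```python
import queue
import threading
import time


class EventPump:
    """Worker thread that drains notifications and triggers events.

    trigger is a hypothetical stand-in for the host's (possibly slow,
    locking) event-trigger call; it is not EventGhost's API.
    """
    _STOP = object()

    def __init__(self, trigger):
        self._queue = queue.Queue()
        self._trigger = trigger
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def on_process_created(self, pid, name, user):
        # Runs on the hook's notification thread: enqueue and return.
        self._queue.put(("Created", pid, name, user))

    def on_process_terminated(self, pid, name, user):
        self._queue.put(("Terminated", pid, name, user))

    def _run(self):
        while True:
            item = self._queue.get()
            if item is self._STOP:
                break
            kind, pid, name, user = item
            self._trigger("%s.%s" % (kind, name), {"pid": pid, "user": user})

    def stop(self):
        # FIFO queue: everything enqueued before stop() is still delivered.
        self._queue.put(self._STOP)
        self._thread.join()


def demo():
    delivered = []

    def slow_trigger(event, payload):
        time.sleep(0.01)  # constructed delay standing in for event handling
        delivered.append((event, payload["pid"], payload["user"]))

    pump = EventPump(slow_trigger)
    for i in range(10):  # constructed burst of ten start/stop pairs
        pump.on_process_created(4000 + i, "cmd.exe", "SYSTEM")
        pump.on_process_terminated(4000 + i, "cmd.exe", "SYSTEM")
    pump.stop()
    return delivered
```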

Re: ProcessWatcher

Post by kgschlosser » Mon Feb 06, 2017 1:53 am

OK, this is what I have found out..

Anything that uses user mode is going to miss things.. which is basically any method used that is not a kernel mode driver. And the issue with a kernel mode driver is the driver signing thing.

I have tested the DeviareCOM dll outside of EG and it still misses.. it has a 50% rate using your test inside of EG and out, using a thread to start the processes or not.. same results.

WMI will have the same issue as well. So the choice would be to have a higher CPU load due to polling speed, or missing processes..

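The polling trade-off mentioned in the post above, as an added example that is not part of the original post: it simulates a watcher that diffs snapshots of running PIDs over a constructed process timeline and reports which short-lived processes fall between polls. The function names, PIDs and timings are assumptions made up for the illustration; no real processes are inspected.

```python
def poll_watcher(timeline, interval_ms, duration_ms):
    """Diff successive snapshots of running PIDs taken every interval_ms.

    timeline maps pid -> (start_ms, end_ms). Returns (seen_pids, polls).
    """
    seen, previous, polls = set(), set(), 0
    for now in range(0, duration_ms + 1, interval_ms):
        polls += 1
        running = {pid for pid, (start, end) in timeline.items()
                   if start <= now < end}
        seen |= running - previous  # PIDs that appeared since the last snapshot
        previous = running
    return seen, polls


def coverage(timeline, interval_ms, duration_ms):
    """Summarise what a poller with this interval would have reported."""
    seen, polls = poll_watcher(timeline, interval_ms, duration_ms)
    missed = sorted(set(timeline) - seen)
    return {"interval_ms": interval_ms, "polls": polls,
            "seen": len(seen), "missed": missed}


# Constructed workload: ten short-lived processes (like "cmd /c ver"),
# each alive for 30 ms and started 50 ms apart, plus one long-running one.
TIMELINE = {1000 + i: (100 + 50 * i, 130 + 50 * i) for i in range(10)}
TIMELINE[2000] = (120, 900)

if __name__ == "__main__":
    # More polls per second (more CPU) means fewer missed processes.
    for interval in (500, 100, 10):
        print(coverage(TIMELINE, interval, 1000))
```

A process is only reported if it is alive at the instant of a snapshot, so any process shorter than the polling interval can start and exit unseen.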

Re: ProcessWatcher

Post by jonib » Mon Feb 06, 2017 11:14 am

kgschlosser wrote:Anything that uses user mode is going to miss things.. which is basically any method used that is not a kernel mode driver. And the issue with a kernel mode driver is the driver signing thing.
That's disappointing, I guess that's why the original was designed that way, a simple compromise.
kgschlosser wrote:I have tested the DeviareCOM dll outside of EG and it still misses.. it has a 50% rate using your test inside of EG and out, using a thread to start the processes or not.. same results.
When I first discovered the Deviare DLL it seemed so accurate and never missed a process. It's interesting there is very little discussion about the accuracy when I searched for how to monitor processes.

jonib