Use a script to monitor the new process and its parent process and their command line

Today, more and more rogue software, which also contains a lot of well-known software vendors are impressively in the column, wanton frame, advertising, tamper home and system settings, these operations are silently completed in the background, the operation of rogue technical means emerge endlessly, in the operations of the process of repeated problems, It may not be possible to capture the rogue behavior that eventually originated through the naked eye or some technical means. To this end, through a certain script programming means to assist can be more than a multiplier. To give a simple example, a user's computer uninstalled a variety of rogue software, not a moment to install, then how to install, the following script will tell you the answer.

There are 2 scripts in this function, the first one is the VBS main program for monitoring, the second is batch processing, which is used to invoke this VBS and display the information captured by VBS to the window.

Here is the VBS script code:

StrComputer ="." SetobjWMIService =GetObject("winmgmts:"&"{impersonationlevel=impersonate}!\\"& StrComputer &"\root\cimv2") SetColmonitoredprocesses =objWMIService. _ ExecNotificationQuery ("SELECT * FROM __InstanceCreationEvent"&"within 1 where TargetInstance Isa ' Win32_Process '") WScript.Echo"process monitoring is turned on and any new process will be captured! " Do  while 1    SetObjlatestprocess =colmonitoredprocesses.nextevent sppid=ObjLatestProcess.TargetInstance.ParentProcessID WScript.Echo Time&"Discovery New Process --"&"Start parent Process ID:"&Sppid WScript.Echo"Parent Process command line:"&Getparentprocessname (sppid) WScript.Echo"To create a new process:"&ObjLatestProcess.TargetInstance.CommandLine WScript.Echo"----------------------------------------------------------------"LoopFunctiongetparentprocessname (PID) on Error Resume NextDimScomputername,wmi_obj,wmi_objprops,objclsitemscomputername="."   SetWmi_obj =GetObject("winmgmts:\\"& Scomputername &"\root\cimv2")   SetWmi_objprops = Wmi_obj.execquery ("Select * from Win32_Process where processid= '"& PID &"'", , -)    for  eachObjclsiteminchwmi_objprops Getparentprocessname=Objclsitem.commandlineNextEnd Function

The following is the bat batch script code:

@echo off>nul2>&1 "%systemroot%\system32\cacls.exe" "%SystemRoot%\System32\Config\SYSTEM"if '%errorlevel%'NEQ'0' (    EchoRequest Administrator Permissions ... goto uacprompt)Else(goto gotadmin): UacpromptEchoSet UAC = createobject^ ("shell.application"^) >"%temp%\getadmin.vbs"    EchoUac. ShellExecute"%~s0","","","runas",1>>"%temp%\getadmin.vbs"    "%temp%\getadmin.vbs"Exit/B:gotadminifExist"%temp%\getadmin.vbs"(Del"%temp%\getadmin.vbs") pushd"%cd%"CD/d"%~dp0"cscript.exe//nologo "%~dp0" Procsm.vbsPause>nul

Put the above 2 scripts in the same directory and run the batch script, at which point the batch calls UAC to run as an administrator, then loads the Execute VBS script, and after running, we can see the following monitoring effects:

Use a script to monitor the new process and its parent process and their command line