win32 - catch events(wmi?)

Giampaolo Rodolà g.rodola at gmail.com
Mon May 3 18:53:59 EDT 2010


Just out of curiosity, is WMI able to list the TCP and UDP connections
opened by a process or by the OS?
We'll have to do this for psutil (http://code.google.com/p/psutil) and
we guess it's not gonna be easy.

--- Giampaolo
http://code.google.com/p/psutil
http://code.google.com/p/pyftpdlib

2010/5/3 Tim Golden <mail at timgolden.me.uk>:
> On 03/05/2010 12:02 PM, Richard Lamboj wrote:
>>
>> I want to catch the following events:
>>  - registry has changed
>>  - file has changed
>>  - outgoing network connection
>>  - programm start
>>
>> and I want to be able to allow or deny these "requests".
>
> Wow. That's quite a list. To do what you want in general
> terms, you're into driver-level code which you're really
> not going to be able to do with Python. Windows does
> provide certain hooks and events but they're relatively
> limited. And the final requirement of being able to allow
> or deny requests is basically what the OS does via security,
> so to do it yourself would be quite a large task, methinks.
>
> In principle, you can use WMI events to track some of
> the things you've listed. The only one I'd really recommend
> is "program[m] start" for which you can see a related example
> here:
>
>  http://timgolden.me.uk/python/wmi/cookbook.html#run-notepad-wait-until-it-s-closed-and-then-show-its-text
>
> Even there, WMI is polling on your behalf and if programs are
> spawning fast enough you'll miss one or more events.
>
> File monitoring *can* be done with the same sort of technique
> from within WMI, but don't: it will bring your disk to its
> knees. Instead, use the file monitoring APIs, such as:
>
>  http://timgolden.me.uk/python/win32_how_do_i/watch_directory_for_changes.html#use_readdirectorychanges
>
> I'm not aware of any technique for monitoring registry use,
> altho' a scan of sysinternals (or its ms-owned replacement)
> might yield something. And I'm not sure exactly what you
> mean by "outgoing network connection": that's really what the
> Windows firewall is there for. The firewall does have a WMI
> interface, although at this moment I can't remember where it
> is, which would enable you to set some things up, but I don't
> believe it provides an event/callback mechanism. Might be worth
> Googling to see if I'm wrong.
>
> And in all these cases, I'm really only talking about monitoring
> usage: you can terminate a process once it's open; you can delete
> a file once it's created; you can (possibly) nobble a socket
> connection once it's been made, but anything else and you're
> doing the Operating System's job for it.
>
> TJG
> --
> http://mail.python.org/mailman/listinfo/python-list
>
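
The remark quoted above, that WMI polls on your behalf and can miss fast-spawning programs, modelled as an added example (not code from this thread or from the wmi module): a watcher that diffs process-table snapshots at a fixed interval, run over a constructed timeline. The function name, process names and timings are assumptions made for illustration.

```python
"""Snapshot-diff polling versus short-lived processes (all data constructed)."""

# Constructed timeline: name -> (start_ms, end_ms); visible while start <= t < end.
SAMPLE = {
    "explorer.exe": (0, 10_000),    # already running at t=0, so not a "creation"
    "notepad.exe":  (1_200, 9_000),
    "cmd.exe":      (2_100, 2_600),
    "whoami.exe":   (2_150, 2_180),
    "backup.exe":   (4_900, 5_100),
}


def snapshot(lifetimes, t_ms):
    """Return the set of process names alive at time t_ms."""
    return {name for name, (start, end) in lifetimes.items() if start <= t_ms < end}


def poll_creations(lifetimes, interval_ms, horizon_ms):
    """Simulate a poller that compares consecutive snapshots.

    Returns (seen, missed): creations the poller reported, and processes
    that started after t=0 but never appeared in any snapshot.
    """
    seen = set()
    previous = snapshot(lifetimes, 0)
    for t in range(interval_ms, horizon_ms + 1, interval_ms):
        current = snapshot(lifetimes, t)
        seen |= current - previous      # names new since the last poll
        previous = current
    started = {name for name, (start, _) in lifetimes.items() if start > 0}
    return sorted(seen), sorted(started - seen)


if __name__ == "__main__":
    for interval in (2_000, 1_000, 100):
        seen, missed = poll_creations(SAMPLE, interval, 10_000)
        print(f"poll every {interval:>5} ms  seen={seen}  missed={missed}")
```

A shorter interval narrows the gap without closing it: any process whose whole lifetime falls between two polls is never reported, and a short-lived one is caught only when a poll happens to land inside its lifetime.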


