A Windows system monitoring tool written in Rust. A replacement for Process Monitor (procmon) with more event types and more useful filters. It can, for example, check for handle leaks over a long period (e.g. a week), because matched handle create/close pairs are removed from the view and only the handles that were never closed accumulate.
Browsers may flag sys_monitor.zip as a threat when it is downloaded; if that is a concern, build the tool from source with cargo as described below.
- No hooking is used; all data comes from kernel event tracing (ETW).
- Collects all process and module information so that addresses can be converted to module offsets.
- Administrator privileges are required to start the kernel event trace.
- more events
  - both documented and undocumented kernel events; see the kernel events list below
- more useful filters
  - filter one: filter single events by a filter condition
    - value: any string or number, given without naming a column
    - key-value: key is any column name, value is any string or number
    - expression: conditions can be combined with `&&`, `||`, `!` and `()`, e.g. `process_id = 4 && thread_id = 6`
  - filter pair: filter two events that match each other by some condition, e.g. handle create and close
    - handle: matches a CreateHandle event with its CloseHandle event and removes both
    - custom(event_display_name, opcode_name_first, opcode_name_second, path_for_match, ...): can take multiple path_for_match values; matches an opcode_name_first event with an opcode_name_second event on those paths and removes both events
- find events
  - easy query language: the same value, key-value and expression syntax as the filter (`&&`, `||`, `!`, `()`), e.g. `process_id = 4 && thread_id = 6`
  - query results are marked on the scroll bar of the TableView
- call stack view
  - records the modules loaded at start and monitors later image load/unload changes
  - converts a virtual address to an offset within its module
  - translates a module offset to a code location (needs the module's PDB, see usage)
- ease of use
  - syntax highlighting for filter expressions
  - tips
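As an added worked example (written for this page, not code from the sys_monitor project), the filter-one syntax described above, a bare value, `key = value`, and `&&`, `||`, `!`, `()`, implemented as a tokenizer, recursive-descent parser and evaluator over a few constructed events. The column names (process_id, thread_id, opcode, image) and the operator precedence (`!` above `&&` above `||`) are assumptions; the project's own parser may differ.

```rust
// Added example, not code from the sys_monitor project: a small evaluator for the
// README's filter syntax (bare value, `key = value`, `&&`, `||`, `!`, parentheses).
// Column names and the sample events below are constructed for illustration.
use std::collections::BTreeMap;

/// One trace event as column name -> value (every value kept as a string).
pub type Event = BTreeMap<&'static str, String>;

#[derive(Debug, Clone, PartialEq)]
enum Tok { Word(String), Eq, And, Or, Not, LParen, RParen }

fn tokenize(s: &str) -> Result<Vec<Tok>, String> {
    let cs: Vec<char> = s.chars().collect();
    let (mut i, mut out) = (0, Vec::new());
    while i < cs.len() {
        match cs[i] {
            c if c.is_whitespace() => i += 1,
            '=' => { out.push(Tok::Eq); i += 1 }
            '!' => { out.push(Tok::Not); i += 1 }
            '(' => { out.push(Tok::LParen); i += 1 }
            ')' => { out.push(Tok::RParen); i += 1 }
            '&' if cs.get(i + 1) == Some(&'&') => { out.push(Tok::And); i += 2 }
            '|' if cs.get(i + 1) == Some(&'|') => { out.push(Tok::Or); i += 2 }
            c if c == '&' || c == '|' => return Err(format!("lone '{}' at {}", c, i)),
            _ => { // a word runs until whitespace or an operator character
                let start = i;
                while i < cs.len() && !cs[i].is_whitespace() && !"=!()&|".contains(cs[i]) { i += 1 }
                out.push(Tok::Word(cs[start..i].iter().collect()));
            }
        }
    }
    Ok(out)
}

/// Parsed filter expression.
#[derive(Debug)]
pub enum Expr {
    Value(String),            // bare value: true if any column equals it
    KeyValue(String, String), // key = value: true if that column equals the value
    And(Box<Expr>, Box<Expr>),
    Or(Box<Expr>, Box<Expr>),
    Not(Box<Expr>),
}

// Recursive descent; `!` binds tightest, then `&&`, then `||`, as in C.
struct Parser { toks: Vec<Tok>, pos: usize }

impl Parser {
    fn eat(&mut self, t: &Tok) -> bool {
        if self.toks.get(self.pos) == Some(t) { self.pos += 1; true } else { false }
    }
    fn or(&mut self) -> Result<Expr, String> {
        let mut e = self.and()?;
        while self.eat(&Tok::Or) { e = Expr::Or(Box::new(e), Box::new(self.and()?)) }
        Ok(e)
    }
    fn and(&mut self) -> Result<Expr, String> {
        let mut e = self.unary()?;
        while self.eat(&Tok::And) { e = Expr::And(Box::new(e), Box::new(self.unary()?)) }
        Ok(e)
    }
    fn unary(&mut self) -> Result<Expr, String> {
        if self.eat(&Tok::Not) { return Ok(Expr::Not(Box::new(self.unary()?))) }
        if self.eat(&Tok::LParen) {
            let e = self.or()?;
            return if self.eat(&Tok::RParen) { Ok(e) } else { Err("expected ')'".to_string()) };
        }
        match self.toks.get(self.pos).cloned() {
            Some(Tok::Word(w)) => {
                self.pos += 1;
                if !self.eat(&Tok::Eq) { return Ok(Expr::Value(w)) }
                match self.toks.get(self.pos).cloned() {
                    Some(Tok::Word(v)) => { self.pos += 1; Ok(Expr::KeyValue(w, v)) }
                    _ => Err(format!("expected a value after '{} ='", w)),
                }
            }
            other => Err(format!("unexpected token {:?}", other)),
        }
    }
}

/// Parse a whole expression; trailing tokens are an error rather than silently ignored.
pub fn parse(src: &str) -> Result<Expr, String> {
    let mut p = Parser { toks: tokenize(src)?, pos: 0 };
    let e = p.or()?;
    if p.pos != p.toks.len() { return Err(format!("unexpected {:?}", p.toks[p.pos])) }
    Ok(e)
}

pub fn matches(e: &Expr, ev: &Event) -> bool {
    match e {
        Expr::Value(v) => ev.values().any(|c| c == v),
        Expr::KeyValue(k, v) => ev.get(k.as_str()) == Some(v),
        Expr::And(a, b) => matches(a, ev) && matches(b, ev),
        Expr::Or(a, b) => matches(a, ev) || matches(b, ev),
        Expr::Not(a) => !matches(a, ev),
    }
}

/// Apply a filter expression to events and return the ones that pass.
pub fn filter<'a>(src: &str, events: &'a [Event]) -> Result<Vec<&'a Event>, String> {
    let e = parse(src)?;
    Ok(events.iter().filter(|ev| matches(&e, ev)).collect())
}

/// Constructed sample events, not a real trace.
pub fn sample_events() -> Vec<Event> {
    let mk = |pid: &str, tid: &str, op: &str, img: &str| -> Event {
        vec![("process_id", pid), ("thread_id", tid), ("opcode", op), ("image", img)]
            .into_iter().map(|(k, v)| (k, v.to_string())).collect()
    };
    vec![mk("4", "6", "CreateHandle", "System"), mk("4", "8", "CloseHandle", "System"),
         mk("1234", "6", "CreateHandle", "svchost.exe")]
}
```

`parse` rejects trailing tokens, unbalanced parentheses and a lone `&` or `|` instead of evaluating a prefix of the expression, which matters in a monitoring tool: a typo in a long filter should fail loudly rather than quietly match or drop everything.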
- supported platforms
  - Windows 11 x64
  - Windows 10 x64
  - Windows 10 x86 (32-bit)
- build
  - `cargo build` (debug) or `cargo build --release`
- usage
  - select events in the event list on the left of the window; collapse a group with `-`, expand it with `+`
  - enter a filter expression in the LineEdit at the top of the window
    - filter one: filters every event by its properties, e.g. `process_id = 4 && thread_id = 6`
    - filter pair: removes two matched events by a simple match expression, e.g. `handle` for CreateHandle/CloseHandle pairs
  - click the On/Off switch at the top left of the window to start or stop tracing (requires administrator privileges)
  - view the events in the center of the window
  - double-click an event row in the TableView to view its detail information and stack walk
  - optionally place PDB files in the ./pdb directory; the filename must match the module name, and the module's TimeDateStamp (the time stamp written by the linker) is checked against the PDB
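The long-running handle leak check from the introduction and the `handle` pair filter from usage, as an added example (written for this page, not the project's code): CreateHandle and CloseHandle events are paired on (process_id, handle value) and dropped, so what remains after a long run is the set of handles that were never closed. The event field names, the handling of handle-value reuse and of a close with no matching create are assumptions about how such a matcher should behave, and the trace is constructed.

```rust
// Added example, not code from the sys_monitor project: the "filter pair" idea
// applied to a handle leak check. A CreateHandle and the CloseHandle for the same
// (process, handle value) cancel out and are dropped; what is left after a long
// run is the set of handles that were never closed. Field names are assumptions.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct HandleEvent {
    pub seq: u64,                 // position in the trace
    pub process_id: u32,
    pub opcode: &'static str,     // "CreateHandle" (32) or "CloseHandle" (33) in the Handle provider
    pub handle: u64,              // handle value; unique only within one process at one time
    pub object_type: &'static str,
}

/// Drop matched Create/Close pairs and return the unmatched events in trace order.
pub fn collapse_pairs(events: &[HandleEvent]) -> Vec<HandleEvent> {
    // (pid, handle) -> index of the CreateHandle that is still waiting for its Close
    let mut pending: HashMap<(u32, u64), usize> = HashMap::new();
    let mut keep = vec![true; events.len()];
    for (i, ev) in events.iter().enumerate() {
        let key = (ev.process_id, ev.handle);
        match ev.opcode {
            // Handle values are recycled after close. If a Create arrives while another
            // Create for the same key is still pending, the earlier one stays unmatched
            // (its Close was missed) and the new one takes over the slot.
            "CreateHandle" => { pending.insert(key, i); }
            // A Close with no pending Create is kept: the handle was opened before the
            // trace started, and silently dropping it would hide that fact.
            "CloseHandle" => {
                if let Some(j) = pending.remove(&key) { keep[j] = false; keep[i] = false; }
            }
            _ => {}
        }
    }
    events.iter().zip(keep).filter(|(_, k)| *k).map(|(e, _)| e.clone()).collect()
}

/// Count unmatched CreateHandle events per (process, object type), largest first.
pub fn leak_summary(unmatched: &[HandleEvent]) -> Vec<((u32, &'static str), usize)> {
    let mut counts: HashMap<(u32, &'static str), usize> = HashMap::new();
    for ev in unmatched.iter().filter(|e| e.opcode == "CreateHandle") {
        *counts.entry((ev.process_id, ev.object_type)).or_insert(0) += 1;
    }
    let mut v: Vec<_> = counts.into_iter().collect();
    v.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
    v
}

/// Constructed sample trace: pid 1000 leaks two File handles; pid 2000 is clean apart
/// from closing a handle that was opened before tracing began.
pub fn sample_trace() -> Vec<HandleEvent> {
    let mk = |seq, process_id, opcode, handle, object_type| HandleEvent { seq, process_id, opcode, handle, object_type };
    vec![
        mk(1, 1000, "CreateHandle", 0x10, "Event"),
        mk(2, 1000, "CreateHandle", 0x20, "File"),
        mk(3, 2000, "CreateHandle", 0x10, "Key"),
        mk(4, 1000, "CloseHandle", 0x10, "Event"),
        mk(5, 2000, "CloseHandle", 0x50, "Section"),
        mk(6, 1000, "CreateHandle", 0x10, "Event"), // 0x10 recycled after the close above
        mk(7, 1000, "CreateHandle", 0x30, "File"),
        mk(8, 2000, "CloseHandle", 0x10, "Key"),
        mk(9, 1000, "CloseHandle", 0x10, "Event"),
    ]
}

fn main() {
    let left = collapse_pairs(&sample_trace());
    for ((pid, ty), n) in leak_summary(&left) { println!("pid {} has {} unclosed {} handle(s)", pid, n, ty) }
}
```

Keying on (process_id, handle) rather than on the handle value alone is what keeps the matcher correct across a week of tracing: the same numeric handle is reused constantly within and across processes, and a match across processes would cancel a genuine leak against an unrelated close.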
kernel events (grouped by provider; the opcode number follows each name, and entries shown only as a number are undocumented opcodes with no published name)
- Process
- Start(1)
- End(2)
- DCStart(3)
- DCEnd(4)
- Terminate(11)
- Defunct(39)
- Process Counters
- PerfCounter(32)
- PerfCounterRundown(33)
- Process Wake
- WakeChargeUser(48)
- WakeReleaseUser(64)
- Thread
- Start(1)
- End(2)
- DCStart(3)
- DCEnd(4)
- SetName(72)
- Thread ContextSwitch
- CSwitch(36)
- Thread Dispatcher
- ReadyThread(50)
- 66(66)
- 67(67)
- 68(68)
- Thread Affinity
- ThreadAffinity(53)
- Thread Priority
- SetPriority(48)
- SetBasePriority(49)
- SetPagePriority(51)
- SetIoPriority(52)
- Thread SpinLock
- SpinLock(41)
- Thread SyncObjects
- SyncObjects(43)
- Thread KernelQueue
- Kernel Queue Enqueue(62)
- Kernel Queue Dequeue(63)
- Thread Worker
- Start(64)
- End(65)
- Image
- Load(10)
- UnLoad(2)
- KernelBase(33)
- HypercallPage(34)
- DCStart(3)
- DCEnd(4)
- DiskIo
- Read(10)
- Write(11)
- FlushBuffers(14)
- DiskIo Init
- ReadInit(12)
- WriteInit(13)
- FlushInit(15)
- DiskIo Driver
- DrvMjFnCall(34)
- DrvMjFnRet(35)
- DrvComplRout(37)
- DrvComplReq(52)
- DrvComplReqRet(53)
- FileIo Disk
- Name(0)
- FileCreate(32)
- FileDelete(35)
- FileRundown(36)
- FileIo
- OperationEnd(76)
- FileIo Init
- Create(64)
- DirEnum(72)
- DirNotify(77)
- SetInfo(69)
- Delete(70)
- Rename(71)
- QueryInfo(74)
- FSControl(75)
- Read(67)
- Write(68)
- Cleanup(65)
- Close(66)
- Flush(73)
- 84(84)
- FileIo VaMap
- 37(37)
- 38(38)
- FileIo Flt IoInit
- Pre Operation Init(96)
- Post Operation Init(97)
- FileIo Flt FastIo
- Pre Operation Completion(98)
- Post Operation Completion(99)
- FileIo Flt IoFailure
- Pre Operation Failure(100)
- Post Operation Failure(101)
- PageFaults
- TransitionFault(10)
- DemandZeroFault(11)
- CopyOnWrite(12)
- GuardPageFault(13)
- HardPageFault(14)
- AccessViolation(15)
- PageFaults
- HardFault(32)
- PageFault VirtualAlloc
- VirtualAlloc(98)
- VirtualFree(99)
- MemResetInfo(134)
- PageFault MemInfo
- 112(112)
- 124(124)
- PageFault SessionOrPfSection
- 73(73)
- 79(79)
- 135(135)
- 136(136)
- PageFault MemInfoWs
- 125(125)
- 126(126)
- PageFault Ws
- 130(130)
- ProcessFreeze(131)
- 118(118)
- TcpIp
- TCP Send IPv4(10)
- TCP Receive IPv4(11)
- TCP Connect IPv4(12)
- TCP Disconnect IPv4(13)
- TCP Retransmit IPv4(14)
- TCP Accept IPv4(15)
- TCP Reconnect IPv4(16)
- TCP Fail(17)
- TCP Copy IPv4(18)
- TCP Send IPv6(26)
- TCP Receive IPv6(27)
- TCP Connect IPv6(28)
- TCP Disconnect IPv6(29)
- TCP Retransmit IPv6(30)
- TCP Accept IPv6(31)
- TCP Reconnect IPv6(32)
- TCP Copy IPv6(34)
- UdpIp
- UDP Fail(17)
- UDP Send IPv4(10)
- UDP Receive IPv4(11)
- UDP Send IPv6(26)
- UDP Receive IPv6(27)
- Registry
- CreateKey(10)
- OpenKey(11)
- DeleteKey(12)
- QueryKey(13)
- Close Key(27)
- Flush Key(21)
- Enum Key(17)
- Set Value(14)
- Delete Value(15)
- Query Value(16)
- Enum Value(18)
- Query Multiple Values(19)
- Set Key Information(20)
- KCB Create(22)
- KCB Delete(23)
- KCB Rundown Begin(24)
- KCB Rundown End(25)
- Virtualize(26)
- Query Security(29)
- Set Security(28)
- Registry ChangeNotify
- ChangeNotify(48)
- Debugger
- DbgPrint(32)
- Job
- Create(32)
- Terminate(33)
- Open(34)
- Assign Process(35)
- Remove Process(36)
- Set(37)
- Query(38)
- Alpc
- ALPC-Send-Message(33)
- ALPC-Receive-Message(34)
- ALPC-Wait-For-Reply(35)
- ALPC-Wait-For-New-Message(36)
- ALPC-Unwait(37)
- ALPC-38(38)
- ALPC-39(39)
- ALPC-41(41)
- SplitIo
- VolMgr(32)
- DebugEvents
- PerfInfo Profile
- SampleProfile(46)
- PerfInfo
- ThreadDPC(66)
- DPC(68)
- TimerDPC(69)
- PerfInfo PmcProfile
- PerfInfo Interrupt
- ISR-MSI(50)
- ISR(67)
- PerfInfo DpcQueue
- 100(100)
- 101(101)
- PerfInfo ContMemGen
- 118(118)
- 119(119)
- PerfInfo ShouldYield
- 109(109)
- PerfInfo SystemCall
- SysClEnter(51)
- SysClExit(52)
- PerfInfo Timer
- 80(80)
- 81(81)
- 82(82)
- 83(83)
- 84(84)
- 85(85)
- PerfInfo ClockInterrupt
- 79(79)
- PerfInfo ClockTimer
- 87(87)
- 88(88)
- 89(89)
- PerfInfo
- Ipi(113)
- PerfInfo
- WdfDPC(98)
- PerfInfo
- WdfISR(96)
- FootPrint
- Refset
- Pool
- Pool Alloc(32)
- Pool Session Alloc(33)
- Pool Free(34)
- Pool (Session) Free(35)
- Add Pool Page(36)
- Add Session Pool Page(37)
- Big Pool Page(38)
- Big Session Pool Page(39)
- CompactContextSwitch
- ProcessInSwap
- SpinLockCounts
- InterruptSteer
- AntiStarvation
- PfnList
- WsDeTail
- WsEntry
- Heap
- Heap Create(32)
- Heap Alloc(33)
- Heap ReAlloc(34)
- Heap Destroy(35)
- Heap Free(36)
- Heap Extend(37)
- Heap Snapshot(38)
- Heap Create Snapshot(39)
- Heap Destroy Snapshot(40)
- Heap Extend Snapshot(41)
- Heap Contract(42)
- Heap Lock(43)
- Heap Unlock(44)
- Heap Validate(45)
- Heap Walk(46)
- Ums
- BackTrace
- Vulcan
- EventTrace
- Extension(5)
- RDComplete(8)
- EndExtension(32)
- FullTrace
- Dfss
- PreFetch
- CpuConfig
- LoadBalancer
- IdleSelection
- IoTimer
- RegHive
- PpmExitLatency
- OpticalIo
- OpticalIoInit
- DllInfo
- DllFlushWs
- Handle
- CreateHandle(32)
- CloseHandle(33)
- DuplicateHandle(34)
- TypeDCStart(36)
- TypeDCEnd(37)
- HandleDCStart(38)
- HandleDCEnd(39)
- Object
- CreateObject(48)
- DeleteObject(49)
- ReferenceObject(50)
- DereferenceObject(51)
- WakeDrop
- WakeEvent
- Debugger
- ProcAttach
- Power
- 51(51)
- 53(53)
- Power ProcessorIdle
- 57(57)
- 58(58)
- SoftTrim
- Cc
- 0(0)
- 1(1)
- 2(2)
- 5(5)
- 9(9)
- 10(10)
- 12(12)
- 13(13)
- HvProfile
- CacheFlush
- HiberRundown
- SysConfigSystem
- SysConfigGraphics
- SysConfigStorge
- SysConfigNetwork
- SysConfigServices
- SysConfigPnp
- SysConfigOptical
- SysConfigAll
- ClusterOff
- MemoryControl
- LostEvent
- RTLostEvent(32)
- RTLostBuffer(33)
- RTLostFile(34)
- StackWalk
- Stack(32)
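StackWalk events deliver raw virtual addresses; the call stack view described above turns them into module+offset, and then into a code location through a PDB whose TimeDateStamp matches the module. As an added example (written for this page, not from the project), here is that address mapping together with a parser that pulls TimeDateStamp out of a PE header. The module table and the PE bytes are constructed, and how the project itself locates PDB files beyond the filename/TimeDateStamp check is not shown on this page.

```rust
// Added example, not code from the sys_monitor project: the bookkeeping behind the
// call stack view. (1) map a stack address to (module, offset) using the recorded
// image list; (2) read TimeDateStamp from a module's PE header, the value the README
// says must match the PDB in ./pdb. Module table and PE bytes are constructed.

#[derive(Debug, Clone)]
pub struct Module { pub name: &'static str, pub base: u64, pub size: u64, pub time_date_stamp: u32 }

/// Find the module whose [base, base+size) contains `va`; return it with the offset.
pub fn va_to_module_offset<'a>(modules: &'a [Module], va: u64) -> Option<(&'a Module, u64)> {
    modules.iter().find_map(|m| {
        let off = va.checked_sub(m.base)?; // below the base: not this module
        if off < m.size { Some((m, off)) } else { None }
    })
}

/// Render a frame as `module+0xoffset`; addresses outside every recorded image are
/// left raw (JIT code, shellcode, or an image unloaded before the trace saw it).
pub fn format_frame(modules: &[Module], va: u64) -> String {
    match va_to_module_offset(modules, va) {
        Some((m, off)) => format!("{}+0x{:x}", m.name, off),
        None => format!("0x{:x}", va),
    }
}

/// TimeDateStamp from a PE image: e_lfanew at 0x3c -> "PE\0\0" -> COFF header,
/// where TimeDateStamp is the u32 at offset 4 (after Machine and NumberOfSections).
pub fn pe_time_date_stamp(image: &[u8]) -> Option<u32> {
    let rd32 = |o: usize| image.get(o..o + 4).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]));
    if image.get(0..2)? != b"MZ" { return None }
    let pe = rd32(0x3c)? as usize;
    if image.get(pe..pe + 4)? != b"PE\0\0" { return None }
    rd32(pe + 4 + 4) // skip the 4-byte signature, then Machine(2) + NumberOfSections(2)
}

/// Constructed minimal PE header (MZ stub, e_lfanew = 0x40, COFF header), enough for the parser.
pub fn sample_pe_image(time_date_stamp: u32) -> Vec<u8> {
    let mut img = vec![0u8; 0x40 + 4 + 20];
    img[0..2].copy_from_slice(b"MZ");
    img[0x3c..0x40].copy_from_slice(&0x40u32.to_le_bytes());
    img[0x40..0x44].copy_from_slice(b"PE\0\0");
    img[0x44..0x46].copy_from_slice(&0x8664u16.to_le_bytes()); // Machine = AMD64
    img[0x48..0x4c].copy_from_slice(&time_date_stamp.to_le_bytes());
    img
}

/// Constructed module table (bases are made up, not real load addresses).
pub fn sample_modules() -> Vec<Module> {
    vec![
        Module { name: "ntoskrnl.exe", base: 0xfffff800_1000_0000, size: 0x0100_0000, time_date_stamp: 0x5f1a_2b3c },
        Module { name: "kernel32.dll", base: 0x0000_7ff8_0000_0000, size: 0x000c_0000, time_date_stamp: 0x6001_0203 },
    ]
}

fn main() {
    let mods = sample_modules();
    for va in [0xfffff800_1002_3456u64, 0x7ff8_0001_1234, 0x1000] { println!("{}", format_frame(&mods, va)) }
    println!("{:#x?}", pe_time_date_stamp(&sample_pe_image(0x5f1a_2b3c)));
}
```

The bounds checks are deliberate: every read goes through `get` so a truncated or hostile image returns `None` instead of panicking, and `checked_sub` keeps the range test correct for kernel addresses near the top of the 64-bit space.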