{"id":21605314,"url":"https://github.com/eronnen/procmon-parser","last_synced_at":"2025-07-17T05:31:23.727Z","repository":{"id":51133505,"uuid":"277642108","full_name":"eronnen/procmon-parser","owner":"eronnen","description":"Parser to process monitor file formats","archived":false,"fork":false,"pushed_at":"2023-04-06T10:24:47.000Z","size":15494,"stargazers_count":145,"open_issues_count":3,"forks_count":24,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-06-13T03:18:03.502Z","etag":null,"topics":["monitoring","monitoring-tool","process-monitor","procmon","python","windows"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eronnen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-07-06T20:28:49.000Z","updated_at":"2025-06-10T07:19:21.000Z","dependencies_parsed_at":"2023-12-21T17:15:41.264Z","dependency_job_id":"e9671167-2b8e-4727-866f-984f13ea22d7","html_url":"https://github.com/eronnen/procmon-parser","commit_stats":{"total_commits":53,"total_committers":4,"mean_commits":13.25,"dds":0.07547169811320753,"last_synced_commit":"2c739f3a96f3a3de63949fd05e1915d8286a290b"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/eronnen/procmon-parser","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eronnen%2Fprocmon-parser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eronnen%2Fprocmon-parser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eronnen%2Fprocmon-parser/releases",
"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eronnen%2Fprocmon-parser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eronnen","download_url":"https://codeload.github.com/eronnen/procmon-parser/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eronnen%2Fprocmon-parser/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265568935,"owners_count":23789629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["monitoring","monitoring-tool","process-monitor","procmon","python","windows"],"created_at":"2024-11-24T20:01:58.312Z","updated_at":"2025-07-17T05:31:23.718Z","avatar_url":"https://github.com/eronnen.png","language":"Python","readme":"# Parsing Procmon files with Python\n\n[![Build Status](https://github.com/eronnen/procmon-parser/actions/workflows/python-package.yml/badge.svg)](https://github.com/eronnen/procmon-parser/actions)\n[![Coverage Status](https://coveralls.io/repos/github/eronnen/procmon-parser/badge.svg?branch=master\u0026service=github)](https://coveralls.io/github/eronnen/procmon-parser?branch=master\u0026service=github)\n[![PyPI version](https://badge.fury.io/py/procmon-parser.svg)](https://badge.fury.io/py/procmon-parser)\n![PyPI - Python Version](https://img.shields.io/pypi/pyversions/procmon-parser)\n\nProcmon (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) is a very powerful monitoring tool for Windows,\ncapable of capturing file system, registry, process/thread and network activity. 
\n\nProcmon uses internal file formats for configuration (**PMC**) and logs (**PML**).\nPrior to ``procmon-parser``, **PMC** files could be parsed and generated only by the Procmon GUI, and **PML** files \ncould be read only using the Procmon GUI, or by converting them to CSV or XML using the Procmon command line.\n\nThe goals of `procmon-parser` are:\n* Parsing \u0026 building **PMC** files - making it possible to dynamically add/remove filter rules, which can significantly\nreduce the size of the log file over time as Procmon captures millions of events.\n* Parsing **PML** files - making it possible to directly load the raw **PML** file into convenient Python objects\ninstead of having to convert the file to CSV/XML formats prior to loading.\n\n## PMC (Process Monitor Configuration) Parser\n\n### Usage\n\nLoading a pre-exported Procmon configuration:\n```python\n\u003e\u003e\u003e from procmon_parser import load_configuration, dump_configuration, Rule\n\u003e\u003e\u003e with open(\"ProcmonConfiguration.pmc\", \"rb\") as f:\n...     
config = load_configuration(f)\n\u003e\u003e\u003e config[\"DestructiveFilter\"]\n0\n\u003e\u003e\u003e config[\"FilterRules\"]\n[Rule(Column.PROCESS_NAME, RuleRelation.IS, \"System\", RuleAction.EXCLUDE), Rule(Column.PROCESS_NAME, RuleRelation.IS, \"Procmon64.exe\", RuleAction.EXCLUDE), Rule(Column.PROCESS_NAME, RuleRelation.IS, \"Procmon.exe\", RuleAction.EXCLUDE), Rule(Column.PROCESS_NAME, RuleRelation.IS, \"Procexp64.exe\", RuleAction.EXCLUDE), Rule(Column.PROCESS_NAME, RuleRelation.IS, \"Procexp.exe\", RuleAction.EXCLUDE), Rule(Column.PROCESS_NAME, RuleRelation.IS, \"Autoruns.exe\", RuleAction.EXCLUDE), Rule(Column.OPERATION, RuleRelation.BEGINS_WITH, \"IRP_MJ_\", RuleAction.EXCLUDE), Rule(Column.OPERATION, RuleRelation.BEGINS_WITH, \"FASTIO_\", RuleAction.EXCLUDE), Rule(Column.RESULT, RuleRelation.BEGINS_WITH, \"FAST IO\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"pagefile.sys\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$Volume\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$UpCase\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$Secure\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$Root\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$MftMirr\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$Mft\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$LogFile\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.CONTAINS, \"$Extend\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$Boot\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$Bitmap\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$BadClus\", RuleAction.EXCLUDE), Rule(Column.PATH, RuleRelation.ENDS_WITH, \"$AttrDef\", RuleAction.EXCLUDE), Rule(Column.EVENT_CLASS, RuleRelation.IS, \"Profiling\", RuleAction.EXCLUDE)]\n```\n\nAdding some new rules\n```python\n\u003e\u003e\u003e new_rules 
= [Rule('PID', 'is', '1336', 'include'), Rule('Process_Name', 'contains', 'python')]\n\u003e\u003e\u003e config[\"FilterRules\"] = new_rules + config[\"FilterRules\"]\n```\n\nDropping filtered events\n```python\n\u003e\u003e\u003e config[\"DestructiveFilter\"] = 1\n```\n\nDumping the new configuration to a file\n```python\n\u003e\u003e\u003e with open(\"ProcmonConfiguration1337.pmc\", \"wb\") as f:\n...     dump_configuration(config, f)\n```\n\n### File Format\n\nFor the raw binary format of PMC files you can refer to the [docs](docs/PMC%20Format.md), or take a look at the source code in [configuration_format.py](procmon_parser/configuration_format.py).\n\n## PML (Process Monitor Log) Parser\n\n### Usage\n\n`procmon-parser` exports a `ProcmonLogsReader` class for reading logs directly from a PML file:\n```python\n\u003e\u003e\u003e from procmon_parser import ProcmonLogsReader\n\u003e\u003e\u003e f = open(\"LogFile.PML\", \"rb\")\n\u003e\u003e\u003e pml_reader = ProcmonLogsReader(f)\n\u003e\u003e\u003e len(pml_reader)  # number of logs\n53214\n\n\u003e\u003e\u003e first_event = next(pml_reader)  # reading the next event in the log\n\u003e\u003e\u003e print(first_event)\nProcess Name=dwm.exe, Pid=932, Operation=RegQueryValue, Path=\"HKCU\\Software\\Microsoft\\Windows\\DWM\\ColorPrevalence\", Time=7/12/2020 1:18:10.7752429 AM\n\n\u003e\u003e\u003e print(first_event.process)  #  Accessing the process of the event\n\"C:\\Windows\\system32\\dwm.exe\", 932\n\u003e\u003e\u003e for module in first_event.process.modules[:3]:\n...     
print(module)  # printing information about some modules\n\"C:\\Windows\\system32\\dwm.exe\", address=0x7ff6fa980000, size=0x18000\n\"C:\\Windows\\system32\\d3d10warp.dll\", address=0x7fff96700000, size=0x76c000\n\"C:\\Windows\\system32\\wuceffects.dll\", address=0x7fff9a920000, size=0x3f000\n\n\u003e\u003e\u003e first_event.stacktrace  # get a list of the stack frame addresses from the event\n[18446735291098361031, 18446735291098336505, 18446735291095097155, 140736399934388, 140736346856333, 140736346854333, 140698742953668, 140736303659045, 140736303655429, 140736303639145, 140736303628747, 140736303625739, 140736303693867, 140736303347333, 140736303383760, 140736303385017, 140736398440420, 140736399723393]\n\u003e\u003e\u003e\n```\n\n### File Format\n\nFor the raw binary format of PML files you can refer to the [docs](docs/PML%20Format.md), or take a look at the source code in [stream_logs_format.py](procmon_parser/stream_logs_format.py).\n\nCurrently, the parser is tested only with PML files saved by *Procmon.exe* of versions v3.4.0 or higher.\n\n### TODO\n\nThe PML format is very complex, so there are some features (unchecked in the list) that are not supported yet:\n- [ ] Getting the IRP name of the operation.\n- [ ] The Category and Detail columns, which contain different information for each operation type, are supported only for some of the operations:\n    - [x] Network operations\n        - [x] UDP/TCP Unknown\n        - [x] UDP/TCP Other\n        - [x] UDP/TCP Send\n        - [x] UDP/TCP Receive\n        - [x] UDP/TCP Accept\n        - [x] UDP/TCP Connect\n        - [x] UDP/TCP Disconnect\n        - [x] UDP/TCP Reconnect\n        - [x] UDP/TCP Retransmit\n        - [x] UDP/TCP TCPCopy\n    - [ ] Process operations\n        - [x] Process Defined\n        - [x] Process Create\n        - [x] Process Exit\n        - [x] Thread Create\n        - [x] Thread Exit\n        - [x] Load Image\n        - [x] Thread Profile\n        - [x] Process Start\n        
- [x] Process Statistics\n        - [ ] System Statistics\n    - [x] Registry operations\n        - [x] RegOpenKey\n        - [x] RegCreateKey\n        - [x] RegCloseKey\n        - [x] RegQueryKey\n        - [x] RegSetValue\n        - [x] RegQueryValue\n        - [x] RegEnumValue\n        - [x] RegEnumKey\n        - [x] RegSetInfoKey\n        - [x] RegDeleteKey\n        - [x] RegDeleteValue\n        - [x] RegFlushKey\n        - [x] RegLoadKey\n        - [x] RegUnloadKey\n        - [x] RegRenameKey\n        - [x] RegQueryMultipleValueKey\n        - [x] RegSetKeySecurity\n        - [x] RegQueryKeySecurity\n    - [ ] Filesystem operations\n        - [ ] VolumeDismount\n        - [ ] VolumeMount\n        - [x] CreateFileMapping\n        - [x] CreateFile\n        - [ ] CreatePipe\n        - [x] ReadFile\n        - [x] WriteFile\n        - [ ] QueryInformationFile\n        - [ ] SetInformationFile\n        - [ ] QueryEAFile\n        - [ ] SetEAFile\n        - [ ] FlushBuffersFile\n        - [ ] QueryVolumeInformation\n        - [ ] SetVolumeInformation\n        - [x] DirectoryControl\n        - [x] FileSystemControl\n        - [x] DeviceIoControl\n        - [x] InternalDeviceIoControl\n        - [ ] Shutdown\n        - [ ] LockUnlockFile\n        - [x] CloseFile\n        - [ ] CreateMailSlot\n        - [ ] QuerySecurityFile\n        - [ ] SetSecurityFile\n        - [ ] Power\n        - [ ] SystemControl\n        - [ ] DeviceChange\n        - [ ] QueryFileQuota\n        - [ ] SetFileQuota\n        - [ ] PlugAndPlay\n    - [ ] Profiling operations\n        - [ ] Thread Profiling\n        - [ ] Process Profiling\n        - [ ] Debug Output Profiling\n\nThere are a lot of operation types, so I didn't manage to get to all of them yet :(\u003cbr/\u003e\nIf there is an unsupported operation whose details you think are interesting, please let me know :)\n\n### Tests\n\nTo test that the parsing is done correctly, there are two fairly large Procmon PML files and their 
respective CSV-format\nlog files, taken from 64-bit and 32-bit machines. The test checks that each event in the PML parsed by ``procmon-parser``\nequals the respective event in the CSV.\n\n## Contributing\n\n`procmon-parser` is developed on GitHub at [eronnen/procmon-parser](https://github.com/eronnen/procmon-parser).\nFeel free to report an issue or send a pull request; use the\n[issue tracker](https://github.com/eronnen/procmon-parser/issues).\n","funding_links":[],"categories":["Other Lists"],"sub_categories":["🛡️ DFIR:"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feronnen%2Fprocmon-parser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feronnen%2Fprocmon-parser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feronnen%2Fprocmon-parser/lists"}