win32 - catch events(wmi?)

Tim Golden mail at timgolden.me.uk
Mon May 3 16:02:36 EDT 2010


On 03/05/2010 12:02 PM, Richard Lamboj wrote:
> I want to catch the following events:
>   - registry has changed
>   - file has changed
>   - outgoing network connection
>   - programm start
>
> and I want to be able to allow or deny these "requests".

Wow. That's quite a list. To do what you want in general
terms, you're into driver-level code which you're really
not going to be able to do with Python. Windows does
provide certain hooks and events but they're relatively
limited. And the final requirement of being able to allow
or deny requests is basically what the OS does via security,
so to do it yourself would be quite a large task, methinks.

In principle, you can use WMI events to track some of
the things you've listed. The only one I'd really recommend
is "program[m] start" for which you can see a related example
here:

   http://timgolden.me.uk/python/wmi/cookbook.html#run-notepad-wait-until-it-s-closed-and-then-show-its-text

Even there, WMI is polling on your behalf and if programs are
spawning fast enough you'll miss one or more events.

File monitoring *can* be done with the same sort of technique
from within WMI, but don't: it will bring your disk to its
knees. Instead, use the file monitoring APIs, such as:

   http://timgolden.me.uk/python/win32_how_do_i/watch_directory_for_changes.html#use_readdirectorychanges

I'm not aware of any technique for monitoring registry use,
altho' a scan of sysinternals (or its ms-owned replacement)
might yield something. And I'm not sure exactly what you
mean by "outgoing network connection": that's really what the
Windows firewall is there for. The firewall does have a WMI
interface, although at this moment I can't remember where it
is, which would enable you to set some things up, but I don't
believe it provides an event/callback mechanism. Might be worth
Googling to see if I'm wrong.

And in all these cases, I'm really only talking about monitoring
usage: you can terminate a process once it's open; you can delete
a file once it's created; you can (possibly) nobble a socket
connection once it's been made, but anything else and you're
doing the Operating System's job for it.

TJG
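
Added example, not part of the original thread or of Tim Golden's own pages: a process-creation watcher using the `wmi` module's `watch_for` (which internally runs the WQL `__InstanceCreationEvent ... WITHIN n` query, so `within_secs` is the poll interval the reply warns about) and a directory watcher using `win32file.ReadDirectoryChangesW`, the non-polling route recommended above. The helper names (`build_wql`, `wql_literal`, `watch_process_creations`, `terminate_if_denied`, `watch_directory`) and the `notepad.exe` deny list are assumptions for illustration. The two `watch_*` loops need Windows, pywin32 and the `wmi` package; the query-building helpers are pure Python and run anywhere.

```python
"""WMI intrinsic-event watching (polled) and ReadDirectoryChangesW (not polled).
Added example; Windows-only functions import their modules lazily."""
import os

# WMI intrinsic event classes behind wmi's watch_for(notification_type=...)
EVENT_CLASSES = {
    "creation": "__InstanceCreationEvent",
    "deletion": "__InstanceDeletionEvent",
    "modification": "__InstanceModificationEvent",
}

# Action codes returned by ReadDirectoryChangesW (FILE_ACTION_* constants)
DIR_ACTIONS = {1: "Added", 2: "Removed", 3: "Updated", 4: "RenamedOld", 5: "RenamedNew"}


def wql_literal(value):
    """Escape a value for a WQL string literal, so a process or file name that
    contains a quote or backslash cannot change the meaning of the query."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_wql(wmi_class, notification="creation", within_secs=1, **filters):
    """Build the WQL that WMI polls for an intrinsic event. WITHIN is the poll
    interval in seconds: an instance that appears and disappears between two
    polls is never reported, which is why short-lived processes get missed."""
    if notification not in EVENT_CLASSES:
        raise ValueError("notification must be one of %s" % sorted(EVENT_CLASSES))
    if not isinstance(within_secs, int) or within_secs < 1:
        raise ValueError("within_secs must be a positive integer")
    clauses = ["TargetInstance ISA %s" % wql_literal(wmi_class)]
    for field, value in filters.items():
        clauses.append("TargetInstance.%s = %s" % (field, wql_literal(value)))
    return "SELECT * FROM %s WITHIN %d WHERE %s" % (
        EVENT_CLASSES[notification], within_secs, " AND ".join(clauses))


def watch_process_creations(handler, within_secs=1, **filters):
    """Block on WMI process-creation events (hypothetical wrapper around
    wmi.WMI().Win32_Process.watch_for). handler(event, connection) returns
    False to stop watching. Needs the 'wmi' package and Windows."""
    import wmi  # Tim Golden's wmi module; imported here so the helpers above run anywhere
    c = wmi.WMI()
    watcher = c.Win32_Process.watch_for(
        notification_type="creation", delay_secs=within_secs, **filters)
    while True:
        event = watcher()  # returns when the next poll finds a new Win32_Process
        if handler(event, c) is False:
            return


def terminate_if_denied(event, c, denied=("notepad.exe",)):
    """Example handler: kill a denied image after the fact. The process has
    already run for up to within_secs before we see it, so this is monitoring
    plus clean-up, not the allow/deny gate the original question asked for."""
    if event.Name.lower() in denied:
        for proc in c.Win32_Process(ProcessId=event.ProcessId):
            proc.Terminate()  # Win32_Process.Terminate; returns 0 on success
    return True


def watch_directory(path, handler, subtree=True):
    """Synchronous ReadDirectoryChangesW loop (pywin32). handler(action, full_path)
    returns False to stop. The kernel queues changes for us between calls
    instead of WMI re-enumerating CIM_DataFile every few seconds."""
    import win32con
    import win32file
    FILE_LIST_DIRECTORY = 0x0001
    handle = win32file.CreateFile(
        path, FILE_LIST_DIRECTORY,
        win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
        None, win32con.OPEN_EXISTING, win32con.FILE_FLAG_BACKUP_SEMANTICS, None)
    notify_filter = (win32con.FILE_NOTIFY_CHANGE_FILE_NAME
                     | win32con.FILE_NOTIFY_CHANGE_DIR_NAME
                     | win32con.FILE_NOTIFY_CHANGE_LAST_WRITE)
    while True:
        for action, name in win32file.ReadDirectoryChangesW(
                handle, 8192, subtree, notify_filter, None, None):
            if handler(DIR_ACTIONS.get(action, "Unknown"), os.path.join(path, name)) is False:
                return


if __name__ == "__main__":
    # Show the polled query, then watch (Windows only) and kill denied images.
    print(build_wql("Win32_Process", "creation", 2, Name="notepad.exe"))
    watch_process_creations(terminate_if_denied, within_secs=2)
```

The `within_secs` / `WITHIN` value is the whole trade-off: a small value catches more short-lived processes at the cost of WMI re-enumerating `Win32_Process` that often, and nothing you put there turns a post-hoc `Terminate` into a real allow/deny decision.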



More information about the Python-list mailing list