atomicshop 2.12.25__py3-none-any.whl → 2.13.0__py3-none-any.whl

atomicshop/process_poller.py

@@ -5,8 +5,10 @@ from typing import Literal, Union
 
 from .wrappers.pywin32w import wmi_win32process
 from .wrappers.psutilw import psutilw
+from .etws.traces import trace_sysmon_process_creation
 from .basics import list_of_dicts, dicts
 from .process_name_cmd import ProcessNameCmdline
+from .print_api import print_api
 
 
 def get_process_time_tester(
@@ -40,16 +42,24 @@ test = get_process_list.get_processes()
 
 
 class GetProcessList:
+    """
+    The class is responsible for getting the list of running processes.
+
+    Example of one time polling with 'pywin32' method:
+    from atomicshop import process_poller
+    process_list: dict = \
+        process_poller.GetProcessList(get_method='pywin32', connect_on_init=True).get_processes(as_dict=True)
+    """
     def __init__(
             self,
-            get_method: Literal['psutil', 'pywin32', 'process_dll'] = 'process_dll',
+            get_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'process_dll',
             connect_on_init: bool = False
     ):
         """
         :param get_method: str, The method to get the list of processes. Default is 'process_list_dll'.
             'psutil': Get the list of processes by 'psutil' library. Resource intensive and slow.
             'pywin32': Get the list of processes by 'pywin32' library, using WMI. Not resource intensive, but slow.
-            'process_dll'. Not resource intensive and fast. Probably works only in Windows 10 x64
+            'process_dll'. Not resource intensive and fast. Probably works only in Windows 10 x64.
         :param connect_on_init: bool, if True, will connect to the service on init. 'psutil' don't need to connect.
         """
         self.get_method = get_method
@@ -86,7 +96,7 @@ class GetProcessList:
         """
         The function will get the list of opened processes and return it as a list of dicts.
 
-        :return: list of dicts, of opened processes.
+        :return: dict while key is pid or list of dicts, of opened processes (depending on 'as_dict' setting).
         """
 
         if as_dict:
@@ -132,19 +142,14 @@ class ProcessPollerPool:
     Later, I'll find a solution to make it more efficient.
     """
     def __init__(
-            self, store_cycles: int = 200,
+            self,
             interval_seconds: Union[int, float] = 0,
             operation: Literal['thread', 'process'] = 'thread',
-            poller_method: Literal['psutil', 'pywin32', 'process_dll'] = 'process_dll',
+            poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'sysmon_etw',
+            sysmon_etw_session_name: str = None,
+            sysmon_directory: str = None
     ):
         """
-        :param store_cycles: int, how many cycles to store. Each cycle is polling processes.
-            Example: Specifying 3 will store last 3 polled cycles of processes.
-
-            Default is 200, which means that 200 latest cycles original PIDs and their process names will be stored.
-
-            You can execute the 'get_process_time_tester' function in order to find the optimal number of cycles
-            and how much time it will take.
         :param interval_seconds: float, how many seconds to wait between each cycle.
             Default is 0, which means that the polling will be as fast as possible.
 
@@ -162,6 +167,18 @@ class ProcessPollerPool:
             'psutil': Get the list of processes by 'psutil' library. Resource intensive and slow.
             'pywin32': Get the list of processes by 'pywin32' library, using WMI. Not resource intensive, but slow.
             'process_dll'. Not resource intensive and fast. Probably works only in Windows 10 x64.
+            'sysmon_etw': Get the list of processes with running SysMon by ETW - Event Tracing for Windows.
+                In this case 'store_cycles' and 'interval_seconds' are irrelevant, since the ETW is real-time.
+                Steps we take:
+                    1. Check if SysMon is Running. If not, check if the executable exists in specified
+                        location and start it as a service.
+                    2. Start the "Microsoft-Windows-Sysmon" ETW session.
+                    3. Take a snapshot of current processes and their CMDs with psutil and store it in a dict.
+                    4. Each new process creation from ETW updates the dict.
+        :param sysmon_etw_session_name: str, only for 'sysmon_etw' get_method.
+            The name of the ETW session for tracing process creation.
+        :param sysmon_directory: str, only for 'sysmon_etw' get_method.
+            The directory where the SysMon executable is located. If non-existed will be downloaded.
         ---------------------------------------------
         If there is an exception, ProcessPollerPool.processes will be set to the exception.
         While getting the processes you can use this to execute the exception:
@@ -172,20 +189,20 @@ class ProcessPollerPool:
             raise processes
         """
 
-        self.store_cycles: int = store_cycles
         self.interval_seconds: float = interval_seconds
         self.operation: str = operation
         self.poller_method = poller_method
-
-        self.get_processes_list = GetProcessList(get_method=self.poller_method)
+        self.sysmon_etw_session_name: str = sysmon_etw_session_name
+        self.sysmon_directory: str = sysmon_directory
 
         # Current process pool.
-        self.processes: dict = dict()
+        self._processes: dict = dict()
 
         # The variable is responsible to stop the thread if it is running.
-        self.running: bool = False
+        self._running: bool = False
 
-        self.queue = multiprocessing.Queue()
+        self._process_queue = multiprocessing.Queue()
+        self._running_state_queue = multiprocessing.Queue()
 
     def start(self):
         if self.operation == 'thread':
@@ -195,66 +212,116 @@ class ProcessPollerPool:
         else:
             raise ValueError(f'Invalid operation type [{self.operation}]')
 
-    def stop(self):
-        self.running = False
-
-    def _start_thread(self):
-        self.running = True
-        # threading.Thread(target=self._worker, args=(self.process_polling_instance,)).start()
-        thread = threading.Thread(target=self._worker)
+        thread = threading.Thread(target=self._thread_get_queue)
         thread.daemon = True
         thread.start()
 
-    def _start_process(self):
-        self.running = True
-        multiprocessing.Process(target=self._worker).start()
+    def stop(self):
+        self._running = False
+        self._running_state_queue.put(False)
 
-        thread = threading.Thread(target=self._thread_get_queue)
+    def get_processes(self):
+        return self._processes
+
+    def _start_thread(self):
+        self._running = True
+
+        thread = threading.Thread(
+            target=_worker, args=(
+                self.poller_method, self._running_state_queue, self.interval_seconds,
+                self._process_queue, self.sysmon_etw_session_name, self.sysmon_directory,
+            )
+        )
         thread.daemon = True
         thread.start()
 
-    def _worker(self):
-        # We must initiate the connection inside the thread/process, because it is not thread-safe.
-        self.get_processes_list.connect()
-
-        exception = None
-        list_of_processes: list = list()
-        while self.running:
-            try:
-                # If the list is full (to specified 'store_cycles'), remove the first element.
-                if len(list_of_processes) == self.store_cycles:
-                    del list_of_processes[0]
-
-                # Get the current processes and reinitialize the instance of the dict.
-                current_processes: dict = dict(self.get_processes_list.get_processes())
+    def _start_process(self):
+        self._running = True
+        multiprocessing.Process(
+            target=_worker, args=(
+                self.poller_method, self._running_state_queue, self.interval_seconds,
+                self._process_queue, self.sysmon_etw_session_name, self.sysmon_directory,
+            )).start()
 
-                # Remove Command lines that contains only numbers, since they are useless.
-                for pid, process_info in current_processes.items():
-                    if process_info['cmdline'].isnumeric():
-                        current_processes[pid]['cmdline'] = str()
-                    elif process_info['cmdline'] == 'Error':
-                        current_processes[pid]['cmdline'] = str()
+    def _thread_get_queue(self):
+        while True:
+            self._processes = self._process_queue.get()
 
-                # Append the current processes to the list.
-                list_of_processes.append(current_processes)
 
-                # Merge all dicts in the list to one dict, updating with most recent PIDs.
-                self.processes = list_of_dicts.merge_to_dict(list_of_processes)
+def _worker(
+        poller_method, running_state_queue, interval_seconds, process_queue, sysmon_etw_session_name, sysmon_directory):
+    def _worker_to_get_running_state():
+        nonlocal running_state
+        running_state = running_state_queue.get()
 
-                if self.operation == 'process':
-                    self.queue.put(self.processes)
+    running_state: bool = True
 
-                time.sleep(self.interval_seconds)
-            except KeyboardInterrupt as e:
-                self.running = False
-                exception = e
-            except Exception as e:
-                self.running = False
-                exception = e
+    thread = threading.Thread(target=_worker_to_get_running_state)
+    thread.daemon = True
+    thread.start()
 
-        if not self.running:
-            self.queue.put(exception)
+    if poller_method == 'sysmon_etw':
+        poller_instance = trace_sysmon_process_creation.SysmonProcessCreationTrace(
+            attrs=['pid', 'original_file_name', 'command_line'],
+            session_name=sysmon_etw_session_name,
+            close_existing_session_name=True,
+            sysmon_directory=sysmon_directory
+        )
 
-    def _thread_get_queue(self):
-        while True:
-            self.processes = self.queue.get()
+        # We must initiate the connection inside the thread/process, because it is not thread-safe.
+        poller_instance.start()
+
+        processes = GetProcessList(get_method='pywin32', connect_on_init=True).get_processes(as_dict=True)
+        process_queue.put(processes)
+    else:
+        poller_instance = GetProcessList(get_method=poller_method)
+        poller_instance.connect()
+        processes = {}
+
+    exception = None
+    list_of_processes: list = list()
+    while running_state:
+        try:
+            if poller_method == 'sysmon_etw':
+                # Get the current processes and reinitialize the instance of the dict.
+                current_cycle: dict = poller_instance.emit()
+                current_processes: dict = {int(current_cycle['pid']): {
+                    'name': current_cycle['original_file_name'],
+                    'cmdline': current_cycle['command_line']}
+                }
+            else:
+                # Get the current processes and reinitialize the instance of the dict.
+                current_processes: dict = dict(poller_instance.get_processes())
+
+            # Remove Command lines that contains only numbers, since they are useless.
+            for pid, process_info in current_processes.items():
+                if process_info['cmdline'].isnumeric():
+                    current_processes[pid]['cmdline'] = str()
+                elif process_info['cmdline'] == 'Error':
+                    current_processes[pid]['cmdline'] = str()
+
+            # This loop is essential for keeping the command lines.
+            # When the process unloads from memory, the last polling will have only pid and executable name, but not
+            # the command line. This loop will keep the command line from the previous polling if this happens.
+            for pid, process_info in current_processes.items():
+                if pid in processes:
+                    if processes[pid]['name'] == current_processes[pid]['name']:
+                        if current_processes[pid]['cmdline'] == '':
+                            current_processes[pid]['cmdline'] = processes[pid]['cmdline']
+            processes.update(current_processes)
+
+            process_queue.put(processes)
+
+            # Since ETW is a blocking operation, we don't need to sleep.
+            if poller_method != 'sysmon_etw':
+                time.sleep(interval_seconds)
+        except KeyboardInterrupt as e:
+            running_state = False
+            exception = e
+        except Exception as e:
+            running_state = False
+            exception = e
+            print_api(f'Exception in ProcessPollerPool: {e}', color='red')
+
+    if not running_state:
+        process_queue.put(exception)

atomicshop/wrappers/ctyping/etw_winapi/const.py

@@ -10,6 +10,16 @@ WNODE_FLAG_TRACED_GUID = 0x00020000
 MAXIMUM_LOGGERS = 64
 
 
+"""
+wintypes.DWORD = wintypes.ULONG = ctypes.c_ulong: 32-bit unsigned integer
+wintypes.WORD = wintypes.USHORT = ctypes.c_ushort: 16-bit unsigned integer
+wintypes.BYTE = ctypes.c_ubyte: 8-bit unsigned integer
+wintypes.LARGE_INTEGER is a structure (or union in C terms), can represent both signed and unsigned 
+    64-bit values depending on context.
+ctypes.c_ulonglong is a simple data type representing an unsigned 64-bit integer.
+"""
+
+
 # Define GUID structure
 class GUID(ctypes.Structure):
     _fields_ = [
@@ -60,6 +70,65 @@ class EVENT_TRACE_PROPERTIES(ctypes.Structure):
     ]
 
 
+# Define the EVENT_TRACE_LOGFILE structure
+class EVENT_TRACE_LOGFILE(ctypes.Structure):
+    _fields_ = [
+        ("LogFileName", wintypes.LPWSTR),
+        ("LoggerName", wintypes.LPWSTR),
+        ("CurrentTime", wintypes.LARGE_INTEGER),
+        ("BuffersRead", wintypes.ULONG),
+        ("ProcessTraceMode", wintypes.ULONG),
+        ("EventRecordCallback", wintypes.LPVOID),
+        ("BufferSize", wintypes.ULONG),
+        ("Filled", wintypes.ULONG),
+        ("EventsLost", wintypes.ULONG),
+        ("BuffersLost", wintypes.ULONG),
+        ("RealTimeBuffersLost", wintypes.ULONG),
+        ("LogBuffersLost", wintypes.ULONG),
+        ("BuffersWritten", wintypes.ULONG),
+        ("LogFileMode", wintypes.ULONG),
+        ("IsKernelTrace", wintypes.ULONG),
+        ("Context", wintypes.ULONG)  # Placeholder for context pointer
+    ]
+
+
+# Define the EVENT_TRACE_HEADER structure
+class EVENT_TRACE_HEADER(ctypes.Structure):
+    _fields_ = [
+        ("Size", wintypes.USHORT),
+        ("FieldTypeFlags", wintypes.USHORT),
+        ("Version", wintypes.USHORT),
+        ("Class", wintypes.USHORT),  # EVENT_TRACE_CLASS
+        ("Type", ctypes.c_ubyte),
+        ("Level", ctypes.c_ubyte),
+        ("Channel", ctypes.c_ubyte),
+        ("Flags", ctypes.c_ubyte),
+        ("InstanceId", wintypes.USHORT),
+        ("ParentInstanceId", wintypes.USHORT),
+        ("ParentGuid", GUID),
+        ("Timestamp", wintypes.LARGE_INTEGER),
+        ("Guid", GUID),
+        ("ProcessorTime", wintypes.ULONG),
+        ("ThreadId", wintypes.ULONG),
+        ("ProcessId", wintypes.ULONG),
+        ("KernelTime", wintypes.ULONG),
+        ("UserTime", wintypes.ULONG),
+    ]
+
+
+# Define the EVENT_RECORD structure
+class EVENT_RECORD(ctypes.Structure):
+    _fields_ = [
+        ("EventHeader", EVENT_TRACE_HEADER),
+        ("BufferContext", wintypes.ULONG),
+        ("ExtendedDataCount", wintypes.USHORT),
+        ("UserDataLength", wintypes.USHORT),
+        ("ExtendedData", wintypes.LPVOID),
+        ("UserData", wintypes.LPVOID),
+        ("UserContext", wintypes.LPVOID)
+    ]
+
+
 class PROVIDER_ENUMERATION_INFO(ctypes.Structure):
     _fields_ = [
         ("NumberOfProviders", ULONG),
@@ -92,3 +161,15 @@ QueryAllTraces.argtypes = [
     ctypes.POINTER(wintypes.ULONG)
 ]
 QueryAllTraces.restype = wintypes.ULONG
+
+OpenTrace = advapi32.OpenTraceW
+OpenTrace.argtypes = [ctypes.POINTER(EVENT_TRACE_LOGFILE)]
+OpenTrace.restype = wintypes.ULONG
+
+ProcessTrace = advapi32.ProcessTrace
+ProcessTrace.argtypes = [ctypes.POINTER(wintypes.ULONG), wintypes.ULONG, wintypes.LARGE_INTEGER, wintypes.LARGE_INTEGER]
+ProcessTrace.restype = wintypes.ULONG
+
+CloseTrace = advapi32.CloseTrace
+CloseTrace.argtypes = [wintypes.ULONG]
+CloseTrace.restype = wintypes.ULONG

atomicshop/wrappers/loggingw/reading.py

@@ -6,10 +6,6 @@ from ... import filesystem, datetimes
 from ...file_io import csvs
 
 
-READING_EXISTING_LINES: list = []
-EXISTING_LOGS_FILE_COUNT: int = 0
-
-
 def get_logs_paths(
         log_files_directory_path: str = None,
         log_file_path: str = None,
@@ -212,31 +208,10 @@ def get_logs(
     return logs_content
 
 
-def get_latest_lines(
-        log_file_path: str,
-        date_pattern: str = None,
-        log_type: Literal['csv'] = 'csv',
-        get_previous_file: bool = False,
-        header: list = None
-) -> tuple:
+class LogReader:
     """
-    This function gets the latest lines from the log file.
+    This class gets the latest lines from the log file.
 
-    :param log_file_path: Path to the log file.
-    :param date_pattern: Pattern to match the date in the log file name.
-        If specified, the function will get the log file by the date pattern.
-        If not specified, the function will get the file date by file last modified time.
-    :param log_type: Type of log to get.
-    :param get_previous_file: Boolean, if True, the function will get the previous log file.
-        For example, your log is set to rotate every Midnight.
-        Meaning, once the day will change, the function will get the log file from the previous day in the third entry
-        of the return tuple. This happens only once each 24 hours. Not from the time the function was called, but from
-        the time the day changed.
-    :param header: List of strings that will be the header of the CSV file. Default is 'None'.
-        None: the header from the CSV file will be used. The first row of the CSV file will be the header.
-            Meaning, that the first line will be skipped and the second line will be the first row of the content.
-        List: the list will be used as header.
-            All the lines of the CSV file will be considered as content.
     return: List of new lines.
 
     Usage:
@@ -246,14 +221,15 @@ def get_latest_lines(
         # The header of the log file will be read from the first iteration of the log file.
         # When the file is rotated, this header will be used to not read the header again.
         header: Union[list, None] = None
+        log_reader = reading.LogReader(
+            log_file_path='/path/to/log.csv',
+            log_type='csv',
+            date_pattern='%Y_%m_%d',
+            get_previous_file=True,
+            header=header
+        )
         while True:
-            latest_lines, previous_day_24h_lines, header = reading.get_latest_lines(
-                log_file_path='/path/to/log.csv',
-                log_type='csv',
-                date_pattern='%Y_%m_%d',
-                get_previous_file=True,
-                header=header
-            )
+            latest_lines, previous_day_24h_lines, header = log_reader.get_latest_lines(header=header)
 
             if latest_lines:
                 # Do something with the new lines.
@@ -262,91 +238,132 @@ def get_latest_lines(
                 # Do something with the last 24 hours lines. Reminder, this will happen once a day on log rotation.
 
             time.sleep(1)
-    """
-
-    def extract_new_lines_only(content_lines: list):
+        """
+
+    def __init__(
+            self,
+            log_file_path: str,
+            date_pattern: str = None,
+            log_type: Literal['csv'] = 'csv',
+            get_previous_file: bool = False,
+            header: list = None
+    ):
+        """
+        :param log_file_path: Path to the log file.
+        :param date_pattern: Pattern to match the date in the log file name.
+            If specified, the function will get the log file by the date pattern.
+            If not specified, the function will get the file date by file last modified time.
+        :param log_type: Type of log to get.
+        :param get_previous_file: Boolean, if True, the function will get the previous log file.
+            For example, your log is set to rotate every Midnight.
+            Meaning, once the day will change, the function will get the log file from the previous day in the third entry
+            of the return tuple. This happens only once each 24 hours. Not from the time the function was called, but from
+            the time the day changed.
+        :param header: List of strings that will be the header of the CSV file. Default is 'None'.
+            None: the header from the CSV file will be used. The first row of the CSV file will be the header.
+                Meaning, that the first line will be skipped and the second line will be the first row of the content.
+            List: the list will be used as header.
+                All the lines of the CSV file will be considered as content.
+        """
+
+        self.log_file_path: str = log_file_path
+        self.date_pattern: str = date_pattern
+        self.log_type: Literal['csv'] = log_type
+        self.get_previous_file: bool = get_previous_file
+        self.header: list = header
+
+        self._reading_existing_lines: list = []
+        self._existing_logs_file_count: int = 0
+
+    def _extract_new_lines_only(self, content_lines: list):
         new_lines: list = []
         for row in content_lines:
             # If the row is not in the existing lines, then add it to the new lines.
-            if row not in READING_EXISTING_LINES:
+            if row not in self._reading_existing_lines:
                 new_lines.append(row)
 
         if new_lines:
-            READING_EXISTING_LINES.extend(new_lines)
+            self._reading_existing_lines.extend(new_lines)
 
         return new_lines
 
-    global EXISTING_LOGS_FILE_COUNT
+    def get_latest_lines(self, header: list = None) -> tuple:
+        if header:
+            self.header = header
 
-    # If the existing logs file count is 0, it means that this is the first check. We need to get the current count.
-    if EXISTING_LOGS_FILE_COUNT == 0:
-        EXISTING_LOGS_FILE_COUNT = len(get_logs_paths(
-            log_file_path=log_file_path,
-            log_type='csv'
-        ))
+        # If the existing logs file count is 0, it means that this is the first check. We need to get the current count.
+        if self._existing_logs_file_count == 0:
+            self._existing_logs_file_count = len(get_logs_paths(
+                log_file_path=self.log_file_path,
+                log_type='csv'
+            ))
 
-        # If the count is still 0, then there are no logs to read.
-        if EXISTING_LOGS_FILE_COUNT == 0:
-            return [], [], header
+            # If the count is still 0, then there are no logs to read.
+            if self._existing_logs_file_count == 0:
+                return [], [], self.header
 
-    if log_type != 'csv':
-        raise ValueError('Only "csv" log type is supported.')
+        if self.log_type != 'csv':
+            raise ValueError('Only "csv" log type is supported.')
 
-    previous_file_lines: list = []
+        previous_file_lines: list = []
 
-    # Get the latest statistics file path.
-    latest_statistics_file_path_object = get_logs_paths(
-        log_file_path=log_file_path,
-        date_pattern=date_pattern,
-        log_type='csv',
-        latest_only=True
-    )
-
-    latest_statistics_file_path: str = latest_statistics_file_path_object[0]['file_path']
-
-    # Get the previous day statistics file path.
-    previous_day_statistics_file_path: Union[str, None] = None
-    try:
-        previous_day_statistics_file_path = get_logs_paths(
-            log_file_path=log_file_path,
-            date_pattern=date_pattern,
+        # Get the latest statistics file path.
+        latest_statistics_file_path_object = get_logs_paths(
+            log_file_path=self.log_file_path,
+            date_pattern=self.date_pattern,
             log_type='csv',
-            previous_day_only=True
-        )[0]['file_path']
-    # If you get IndexError, it means that there are no previous day logs to read.
-    except IndexError:
-        pass
-
-    # Count all the rotated files.
-    current_log_files_count: int = len(get_logs_paths(
-        log_file_path=log_file_path,
-        log_type='csv'
-    ))
+            latest_only=True
+        )
+
+        # # If there are no logs to read, return empty lists.
+        # if not latest_statistics_file_path_object:
+        #     return [], [], self.header
+
+        latest_statistics_file_path: str = latest_statistics_file_path_object[0]['file_path']
+
+        # Get the previous day statistics file path.
+        previous_day_statistics_file_path: Union[str, None] = None
+        try:
+            previous_day_statistics_file_path = get_logs_paths(
+                log_file_path=self.log_file_path,
+                date_pattern=self.date_pattern,
+                log_type='csv',
+                previous_day_only=True
+            )[0]['file_path']
+        # If you get IndexError, it means that there are no previous day logs to read.
+        except IndexError:
+            pass
+
+        # Count all the rotated files.
+        current_log_files_count: int = len(get_logs_paths(
+            log_file_path=self.log_file_path,
+            log_type='csv'
+        ))
 
-    # If the count of the log files is greater than the existing logs file count, it means that the rotation happened.
-    # We will read the previous day statistics file.
-    new_lines_from_previous_file: list = []
-    if current_log_files_count > EXISTING_LOGS_FILE_COUNT:
-        current_lines, header = csvs.read_csv_to_list_of_dicts_by_header(
-            previous_day_statistics_file_path, header=header, stdout=False)
+        # If the count of the log files is greater than the existing logs file count, it means that the rotation
+        # happened. We will read the previous day statistics file.
+        new_lines_from_previous_file: list = []
+        if current_log_files_count > self._existing_logs_file_count:
+            current_lines, self.header = csvs.read_csv_to_list_of_dicts_by_header(
+                previous_day_statistics_file_path, header=self.header, stdout=False)
 
-        if get_previous_file:
-            previous_file_lines = current_lines
+            if self.get_previous_file:
+                previous_file_lines = current_lines
 
-        EXISTING_LOGS_FILE_COUNT = current_log_files_count
+            self._existing_logs_file_count = current_log_files_count
 
-        new_lines_from_previous_file = extract_new_lines_only(current_lines)
+            new_lines_from_previous_file = self._extract_new_lines_only(current_lines)
 
-        # empty the previous file lines, since the file is rotated.
-        READING_EXISTING_LINES.clear()
+            # empty the previous file lines, since the file is rotated.
+            self._reading_existing_lines.clear()
 
-    current_lines, header = csvs.read_csv_to_list_of_dicts_by_header(
-        latest_statistics_file_path, header=header, stdout=False)
+        current_lines, self.header = csvs.read_csv_to_list_of_dicts_by_header(
+            latest_statistics_file_path, header=self.header, stdout=False)
 
-    new_lines = extract_new_lines_only(current_lines)
+        new_lines = self._extract_new_lines_only(current_lines)
 
-    # If we have new lines from the previous file, we will add the new lines from the latest file.
-    if new_lines_from_previous_file:
-        new_lines = new_lines_from_previous_file + new_lines
+        # If we have new lines from the previous file, we will add the new lines from the latest file.
+        if new_lines_from_previous_file:
+            new_lines = new_lines_from_previous_file + new_lines
 
-    return new_lines, previous_file_lines, header
+        return new_lines, previous_file_lines, self.header

atomicshop/wrappers/psutilw/psutilw.py

@@ -164,6 +164,15 @@ def filter_processes_with_present_connections(processes) -> list:
 
 
 class PsutilProcesses:
+    """
+    Class to get all the current processes.
+
+    Example get current running processes as dicts as
+    {'<pid'>: {'name': '<process_name>', 'cmdline': '<process_cmdline>'}}:
+        from atomicshop.wrappers.psutilw import psutilw
+        processes = psutilw.PsutilProcesses().get_processes_as_dict(
+            attrs=['pid', 'name', 'cmdline'], cmdline_to_string=True)
+    """
     def __init__(self):
         self.processes = None