atomicshop 2.13.1__py3-none-any.whl → 2.14.0__py3-none-any.whl

atomicshop/__init__.py

@@ -1,4 +1,4 @@
 """Atomic Basic functions and classes to make developer life easier"""
 
 __author__ = "Den Kras"
-__version__ = '2.13.1'
+__version__ = '2.14.0'

atomicshop/etws/trace.py

@@ -1,11 +1,21 @@
 import queue
 import sys
+import time
+from typing import Literal
 
 # Import FireEye Event Tracing library.
 import etw
 
 from ..print_api import print_api
 from . import sessions
+from .. import process_poller
+from ..wrappers.psutilw import psutilw
+
+
+PROCESS_POLLER_ETW_DEFAULT_SESSION_NAME: str = 'AtomicShopProcessTrace'
+
+WAIT_FOR_PROCESS_POLLER_PID_SECONDS: int = 3
+WAIT_FOR_PROCESS_POLLER_PID_COUNTS: int = WAIT_FOR_PROCESS_POLLER_PID_SECONDS * 10
 
 
 class EventTrace(etw.ETW):
@@ -15,7 +25,10 @@ class EventTrace(etw.ETW):
             event_callback=None,
             event_id_filters: list = None,
             session_name: str = None,
-            close_existing_session_name: bool = True
+            close_existing_session_name: bool = True,
+            enable_process_poller: bool = False,
+            process_poller_etw_session_name: str = None,
+            process_poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'sysmon_etw'
     ):
         """
         :param providers: List of tuples with provider name and provider GUID.
@@ -26,7 +39,19 @@ class EventTrace(etw.ETW):
             The default in the 'etw.ETW' method is 'None'.
         :param session_name: The name of the session to create. If not provided, a UUID will be generated.
         :param close_existing_session_name: Boolean to close existing session names.
+        :param enable_process_poller: Boolean to enable process poller. Gets the process PID, Name and CommandLine.
+            Since the DNS events doesn't contain the process name and command line, only PID.
+            Then DNS events will be enriched with the process name and command line from the process poller.
+        :param process_poller_etw_session_name: The name of the ETW session for tracing process creation.
+        :param process_poller_method: The method to get the process information. For more information, see the
+            'process_poller.ProcessPollerPool' class. Summary:
+                'psutil': Uses 'psutil' library to get the process information.
+                'pywin32': Uses 'pywin32' library to get the process information.
+                'process_dll': Uses 'process' custom DLL to get the process information.
+                'sysmon_etw': Uses 'sysmon_etw' uses sysmon and ETW to get the process information.
+
         ------------------------------------------
+
         You should stop the ETW tracing when you are done with it.
             'pywintrace' module starts a new session for ETW tracing, and it will not stop the session when the script
             exits or exception is raised.
@@ -46,6 +71,8 @@ class EventTrace(etw.ETW):
         """
         self.event_queue = queue.Queue()
         self.close_existing_session_name: bool = close_existing_session_name
+        self.enable_process_poller: bool = enable_process_poller
+        self.process_poller_etw_session_name: str = process_poller_etw_session_name
 
         # If no callback function is provided, we will use the default one, which will put the event in the queue.
         if not event_callback:
@@ -59,12 +86,23 @@ class EventTrace(etw.ETW):
         for provider in providers:
             etw_format_providers.append(etw.ProviderInfo(provider[0], etw.GUID(provider[1])))
 
+        if not process_poller_etw_session_name:
+            process_poller_etw_session_name = PROCESS_POLLER_ETW_DEFAULT_SESSION_NAME
+
+        if self.enable_process_poller:
+            self.process_poller = process_poller.ProcessPollerPool(
+                operation='process', poller_method=process_poller_method,
+                sysmon_etw_session_name=process_poller_etw_session_name)
+
         super().__init__(
             providers=etw_format_providers, event_callback=function_callable, event_id_filters=event_id_filters,
             session_name=session_name
         )
 
     def start(self):
+        if self.enable_process_poller:
+            self.process_poller.start()
+
         # Check if the session name already exists.
         if sessions.is_session_running(self.session_name):
             print_api(f'ETW Session already running: {self.session_name}', color='yellow')
@@ -87,6 +125,9 @@ class EventTrace(etw.ETW):
     def stop(self):
         super().stop()
 
+        if self.enable_process_poller:
+            self.process_poller.stop()
+
     def emit(self):
         """
         The Function will return the next event from the queue.
@@ -104,34 +145,44 @@ class EventTrace(etw.ETW):
         :return: etw event object.
         """
 
-        return self.event_queue.get()
-
-
-def find_sessions_by_provider(provider_name: str):
-    """
-    Find ETW session by provider name.
-
-    :param provider_name: The name of the provider to search for.
-    """
+        # Get the processes first, since we need the process name and command line.
+        # If they're not ready, we will get just pids from DNS tracing.
+        if self.enable_process_poller:
+            self._get_processes_from_poller()
 
-    return
+        event: tuple = self.event_queue.get()
 
+        event_dict: dict = {
+            'event_id': event[0],
+            'event': event[1],
+            'pid': event[1]['EventHeader']['ProcessId']
+        }
 
-def get_all_providers_from_session(session_name: str):
-    """
-    Get all providers that ETW session uses.
+        if self.enable_process_poller:
+            processes = self.process_poller.get_processes()
+            if event_dict['pid'] not in processes:
+                counter = 0
+                while counter < WAIT_FOR_PROCESS_POLLER_PID_COUNTS:
+                    processes = self.process_poller.get_processes()
+                    if event_dict['pid'] not in processes:
+                        time.sleep(0.1)
+                        counter += 1
+                    else:
+                        break
 
-    :param session_name: The name of the session to get providers from.
-    """
+                if counter == WAIT_FOR_PROCESS_POLLER_PID_COUNTS:
+                    print_api(f"Error: Couldn't get the process name for PID: {event_dict['pid']}.", color='red')
 
-    return
+            event_dict = psutilw.cross_single_connection_with_processes(event_dict, processes)
 
+        return event_dict
 
-def stop_session_by_name(session_name: str):
-    """
-    Stop ETW session by name.
+    def _get_processes_from_poller(self):
+        processes: dict = {}
+        while not processes:
+            processes = self.process_poller.get_processes()
 
-    :param session_name: The name of the session to stop.
-    """
+            if isinstance(processes, BaseException):
+                raise processes
 
-    return
+        return processes

atomicshop/etws/traces/trace_dns.py

@@ -19,20 +19,15 @@ WAIT_FOR_PROCESS_POLLER_PID_COUNTS: int = WAIT_FOR_PROCESS_POLLER_PID_SECONDS *
 
 
 class DnsRequestResponseTrace:
+    """DnsTrace class use to trace DNS events from Windows Event Tracing for EventId 3008."""
     def __init__(
             self,
             attrs: list = None,
             session_name: str = None,
             close_existing_session_name: bool = True,
-            enable_process_poller: bool = False,
             process_poller_etw_session_name: str = None
     ):
         """
-        DnsTrace class use to trace DNS events from Windows Event Tracing for EventId 3008.
-
-        :param enable_process_poller: Boolean to enable process poller. Gets the process PID, Name and CommandLine,
-            every 100 ms. Since the DNS events doesn't contain the process name and command line, only PID.
-            Then DNS events will be enriched with the process name and command line from the process poller.
         :param attrs: List of attributes to return. If None, all attributes will be returned.
         :param session_name: The name of the session to create. If not provided, a UUID will be generated.
         :param close_existing_session_name: Boolean to close existing session names.
@@ -63,7 +58,6 @@ class DnsRequestResponseTrace:
             dns_trace_w.stop()
         """
 
-        self.enable_process_poller = enable_process_poller
         self.attrs = attrs
 
         if not session_name:
@@ -74,26 +68,17 @@ class DnsRequestResponseTrace:
             # lambda x: self.event_queue.put(x),
             event_id_filters=[REQUEST_RESP_EVENT_ID],
             session_name=session_name,
-            close_existing_session_name=close_existing_session_name
+            close_existing_session_name=close_existing_session_name,
+            enable_process_poller=True,
+            process_poller_etw_session_name=process_poller_etw_session_name
         )
 
-        if self.enable_process_poller:
-            self.process_poller = ProcessPollerPool(
-                operation='process', poller_method='sysmon_etw',
-                sysmon_etw_session_name=process_poller_etw_session_name)
-
     def start(self):
-        if self.enable_process_poller:
-            self.process_poller.start()
-
         self.event_trace.start()
 
     def stop(self):
         self.event_trace.stop()
 
-        if self.enable_process_poller:
-            self.process_poller.stop()
-
     def emit(self):
         """
         Function that will return the next event from the queue.
@@ -107,29 +92,26 @@ class DnsRequestResponseTrace:
         :return: Dictionary with the event data.
         """
 
-        # Get the processes first, since we need the process name and command line.
-        # If they're not ready, we will get just pids from DNS tracing.
-        if self.enable_process_poller:
-            self._get_processes_from_poller()
-
         event = self.event_trace.emit()
 
         event_dict: dict = {
-            'pid': event[1]['EventHeader']['ProcessId'],
-            'etw_id': event[0],
-            'domain': event[1]['QueryName'],
-            'query_type_id': str(event[1]['QueryType']),
-            'query_type': dns.TYPES_DICT[str(event[1]['QueryType'])]
+            'event_id': event['event_id'],
+            'domain': event['event']['QueryName'],
+            'query_type_id': str(event['event']['QueryType']),
+            'query_type': dns.TYPES_DICT[str(event['event']['QueryType'])],
+            'pid': event['pid'],
+            'name': event['name'],
+            'cmdline': event['cmdline']
         }
 
         # Defining list if ips and other answers, which aren't IPs.
         list_of_ips = list()
         list_of_other_domains = list()
         # Parse DNS results, only if 'QueryResults' key isn't empty, since many of the events are, mostly due errors.
-        if event[1]['QueryResults']:
+        if event['event']['QueryResults']:
             # 'QueryResults' key contains a string with all the 'Answers' divided by type and ';' character.
             # Basically, we can parse each type out of string, but we need only IPs and other answers.
-            list_of_parameters = event[1]['QueryResults'].split(';')
+            list_of_parameters = event['event']['QueryResults'].split(';')
 
             # Iterating through all the parameters that we got from 'QueryResults' key.
             for parameter in list_of_parameters:
@@ -149,47 +131,17 @@ class DnsRequestResponseTrace:
         event_dict['other_domains'] = list_of_other_domains
 
         # Getting the 'QueryStatus' key.
-        event_dict['status_id'] = event[1]['QueryStatus']
+        event_dict['status_id'] = event['event']['QueryStatus']
 
         # Getting the 'QueryStatus' key. If DNS Query Status is '0' then it was executed successfully.
         # And if not, it means there was an error. The 'QueryStatus' indicate what number of an error it is.
-        if event[1]['QueryStatus'] == '0':
+        if event['event']['QueryStatus'] == '0':
             event_dict['status'] = 'Success'
         else:
             event_dict['status'] = 'Error'
 
-        if self.enable_process_poller:
-            processes = self.process_poller.get_processes()
-            if event_dict['pid'] not in processes:
-                counter = 0
-                while counter < WAIT_FOR_PROCESS_POLLER_PID_COUNTS:
-                    processes = self.process_poller.get_processes()
-                    if event_dict['pid'] not in processes:
-                        time.sleep(0.1)
-                        counter += 1
-                    else:
-                        break
-
-                if counter == WAIT_FOR_PROCESS_POLLER_PID_COUNTS:
-                    print_api(f"Error: Couldn't get the process name for PID: {event_dict['pid']}.", color='red')
-
-            event_dict = psutilw.cross_single_connection_with_processes(event_dict, processes)
-            # If it was impossible to get the process name from the process poller, get it from psutil.
-            # if event_dict['name'].isnumeric():
-            #     event_dict['name'] = process_name
-
         if self.attrs:
             event_dict = dicts.reorder_keys(
                 event_dict, self.attrs, skip_keys_not_in_list=True)
 
         return event_dict
-
-    def _get_processes_from_poller(self):
-        processes: dict = {}
-        while not processes:
-            processes = self.process_poller.get_processes()
-
-            if isinstance(processes, BaseException):
-                raise processes
-
-        return processes

atomicshop/etws/traces/trace_sysmon_process_creation.py

@@ -1,8 +1,6 @@
 from .. import trace, const
-from ...wrappers.psutilw import psutilw
 from ...wrappers import sysmonw
 from ...basics import dicts
-from ...print_api import print_api
 
 
 PROVIDER_NAME: str = const.ETW_SYSMON['provider_name']
@@ -87,26 +85,26 @@ class SysmonProcessCreationTrace:
         event = self.event_trace.emit()
 
         event_dict: dict = {
-            'etw_id': event[0],
-            'pid': event[1]['ProcessId'],
-            'process_guid': event[1]['ProcessGuid'],
-            'image': event[1]['Image'],
-            'file_version': event[1]['FileVersion'],
-            'product': event[1]['Product'],
-            'company': event[1]['Company'],
-            'original_file_name': event[1]['OriginalFileName'],
-            'command_line': event[1]['CommandLine'],
-            'current_directory': event[1]['CurrentDirectory'],
-            'user': event[1]['User'],
-            'logon_id': event[1]['LogonId'],
-            'logon_guid': event[1]['LogonGuid'],
-            'terminal_session_id': event[1]['TerminalSessionId'],
-            'integrity_level': event[1]['IntegrityLevel'],
-            'hashes': event[1]['Hashes'],
-            'parent_process_guid': event[1]['ParentProcessGuid'],
-            'parent_process_id': event[1]['ParentProcessId'],
-            'parent_image': event[1]['ParentImage'],
-            'parent_command_line': event[1]['ParentCommandLine']
+            'event_id': event['event_id'],
+            'pid': event['event']['ProcessId'],
+            'process_guid': event['event']['ProcessGuid'],
+            'image': event['event']['Image'],
+            'file_version': event['event']['FileVersion'],
+            'product': event['event']['Product'],
+            'company': event['event']['Company'],
+            'original_file_name': event['event']['OriginalFileName'],
+            'command_line': event['event']['CommandLine'],
+            'current_directory': event['event']['CurrentDirectory'],
+            'user': event['event']['User'],
+            'logon_id': event['event']['LogonId'],
+            'logon_guid': event['event']['LogonGuid'],
+            'terminal_session_id': event['event']['TerminalSessionId'],
+            'integrity_level': event['event']['IntegrityLevel'],
+            'hashes': event['event']['Hashes'],
+            'parent_process_guid': event['event']['ParentProcessGuid'],
+            'parent_process_id': event['event']['ParentProcessId'],
+            'parent_image': event['event']['ParentImage'],
+            'parent_command_line': event['event']['ParentCommandLine']
         }
 
         if self.attrs:

atomicshop/monitor/checks/dns.py

@@ -28,7 +28,6 @@ class DnsCheck:
                 attrs=['name', 'cmdline', 'domain', 'query_type'],
                 session_name=self.etw_session_name,
                 close_existing_session_name=True,
-                enable_process_poller=True,
                 process_poller_etw_session_name=change_monitor_instance.etw_process_session_name
             )
         )

atomicshop/process_poller.py

@@ -6,7 +6,7 @@ from typing import Literal, Union
 from .wrappers.pywin32w import wmi_win32process
 from .wrappers.psutilw import psutilw
 from .etws.traces import trace_sysmon_process_creation
-from .basics import list_of_dicts, dicts
+from .basics import dicts
 from .process_name_cmd import ProcessNameCmdline
 from .print_api import print_api
 
@@ -322,6 +322,7 @@ def _worker(
             running_state = False
             exception = e
             print_api(f'Exception in ProcessPollerPool: {e}', color='red')
+            raise
 
     if not running_state:
         process_queue.put(exception)

atomicshop/wrappers/pywin32w/win_event_log/subscribe.py

@@ -0,0 +1,149 @@
+import win32evtlog
+import xml.etree.ElementTree as Et
+import time
+import threading
+import queue
+from typing import Union
+
+
+class EventLogSubscriber:
+    """
+    Class for subscribing to Windows Event Log events.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log import subscribe
+
+        event_log_subscriber = subscribe.EventLogSubscriber('Security', 4688)
+        event_log_subscriber.start()
+
+        while True:
+            event = event_log_subscriber.emit()
+            print(event)
+    """
+    def __init__(self, log_channel: str, event_id: int):
+        """
+        :param log_channel: The name of the event log channel to subscribe to. Examples:
+            Security, System, Application, etc.
+        :param event_id: The ID of the event to subscribe to.
+            Example: 4688 for process creation events in "Security" channel.
+        """
+        self.log_channel: str = log_channel
+        self.event_id: str = str(event_id)
+
+        self._event_queue = queue.Queue()
+        self._subscription_thread = None
+
+    def start(self):
+        """Start the subscription process."""
+        self._subscription_thread = threading.Thread(
+            target=start_subscription, args=(self.log_channel, self.event_id, self._event_queue)
+        )
+        self._subscription_thread.daemon = True
+        self._subscription_thread.start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        if self._subscription_thread:
+            self._subscription_thread.join()
+            self._subscription_thread = None
+
+    def emit(self, timeout: float = None) -> Union[dict, None]:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data, or None if no event is available.
+        """
+        try:
+            return self._event_queue.get(timeout=timeout)
+        except queue.Empty:
+            return None
+
+
+def _parse_event_xml(event_xml):
+    root = Et.fromstring(event_xml)
+    data = {}
+    for elem in root.iter():
+        if 'Name' in elem.attrib:
+            data[elem.attrib['Name']] = elem.text
+    return data
+
+
+def _handle_event(event, event_queue):
+    event_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
+    try:
+        data = _parse_event_xml(event_xml)
+    except Et.ParseError as e:
+        print(f"Error parsing event XML: {e}")
+        return
+
+    event_dict: dict = {
+        'user_sid': data.get("SubjectUserSid", "Unknown"),
+        'user_name': data.get("SubjectUserName", "Unknown"),
+        'domain': data.get("SubjectDomainName", "Unknown"),
+        'pid_hex': data.get("NewProcessId", "0"),
+        'process_name': data.get("NewProcessName", "Unknown"),
+        'command_line': data.get("CommandLine", None),
+        'parent_pid_hex': data.get("ProcessId", "0"),
+        'parent_process_name': data.get("ParentProcessName", "Unknown")
+    }
+
+    try:
+        process_id = int(event_dict['pid_hex'], 16)
+    except ValueError:
+        process_id = "Unknown"
+
+    try:
+        parent_pid = int(event_dict['parent_pid_hex'], 16)
+    except ValueError:
+        parent_pid = "Unknown"
+
+    event_dict['pid'] = process_id
+    event_dict['parent_pid'] = parent_pid
+
+    # if user_sid != "Unknown":
+    #     try:
+    #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
+    #     except Exception as e:
+    #         print(f"Error looking up account SID: {e}")
+
+    event_queue.put(event_dict)
+
+
+def _event_callback(action, context, event):
+    event_queue = context['event_queue']
+    if action == win32evtlog.EvtSubscribeActionDeliver:
+        _handle_event(event, event_queue)
+
+
+def start_subscription(log_channel: str, event_id: int, event_queue):
+    """
+    Start listening for events in the specified log channel with the given event ID.
+
+    :param log_channel: The name of the event log channel to subscribe to. Examples:
+        Security, System, Application, etc.
+    :param event_id: The ID of the event to subscribe to.
+        Example: 4688 for process creation events in "Security" channel.
+    :param event_queue: A queue to store the received events
+    """
+    # This selects the System node within each event.
+    # The System node contains metadata about the event, such as the event ID, provider name, timestamp, and more.
+    query = f"*[System/EventID={str(event_id)}]"
+
+    subscription = win32evtlog.EvtSubscribe(
+        log_channel,
+        win32evtlog.EvtSubscribeToFutureEvents,
+        SignalEvent=None,
+        Query=query,
+        Callback=_event_callback,
+        Context={'event_queue': event_queue}
+    )
+
+    print("Listening for new process creation events...")
+
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        print("Stopped listening for events.")

atomicshop/wrappers/pywin32w/win_event_log/subscribes/subscribe_to_process_create.py

@@ -0,0 +1,145 @@
+import subprocess
+import winreg
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+AUDITING_REG_PATH: str = r"Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
+PROCESS_CREATION_INCLUDE_CMDLINE_VALUE: str = "ProcessCreationIncludeCmdLine_Enabled"
+
+
+class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process creation.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import subscribe_to_process_create
+
+        process_create_subscriber = subscribe_to_process_create.ProcessCreateSubscriber()
+        process_create_subscriber.start()
+
+        while True:
+            event = process_create_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__('Security', 4688)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_audit_process_creation()
+        enable_command_line_auditing()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+        return super().emit(timeout=timeout)
+
+
+def enable_audit_process_creation(print_kwargs: dict = None):
+    """
+    Enable the 'Audit Process Creation' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    if is_audit_process_creation_enabled():
+        print_api("Audit Process Creation is already enabled.", color='yellow', **(print_kwargs or {}))
+        return
+
+    # Enable "Audit Process Creation" policy
+    audit_policy_command = [
+        "auditpol", "/set", "/subcategory:Process Creation", "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Process Creation'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Process Creation': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e
+
+
+def is_audit_process_creation_enabled(print_kwargs: dict = None) -> bool:
+    """
+    Check if the 'Audit Process Creation' policy is enabled.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    # Command to check the "Audit Process Creation" policy
+    audit_policy_check_command = [
+        "auditpol", "/get", "/subcategory:Process Creation"
+    ]
+    try:
+        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
+        output = result.stdout
+        # print_api(output)  # Print the output for inspection
+
+        if "Process Creation" in output and "Success and Failure" in output:
+            # print_api(
+            #     "'Audit Process Creation' is enabled for both success and failure.",
+            #     color='green', **(print_kwargs or {}))
+            return True
+        else:
+            print_api(output, **(print_kwargs or {}))
+            print_api(
+                "'Audit Process Creation' is not fully enabled. Check the output above for details.",
+                color='yellow', **(print_kwargs or {}))
+            return False
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to check 'Audit Process Creation': {e}", color='red', error_type=True, **(print_kwargs or {}))
+        return False
+
+
+def enable_command_line_auditing(print_kwargs: dict = None):
+    """
+    Enable the 'Include command line in process creation events' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+
+    if is_command_line_auditing_enabled():
+        print_api(
+            "'Include command line in process creation events' is already enabled.", color='yellow',
+            **(print_kwargs or {}))
+        return
+
+    try:
+        # Open the registry key
+        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH) as reg_key:
+            # Set the value
+            winreg.SetValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE, 0, winreg.REG_DWORD, 1)
+
+        print_api(
+            "Successfully enabled 'Include command line in process creation events'.",
+            color='green', **(print_kwargs or {}))
+    except WindowsError as e:
+        print_api(
+            f"Failed to enable 'Include command line in process creation events': {e}", error_type=True,
+            color='red', **(print_kwargs or {}))
+
+
+def is_command_line_auditing_enabled():
+    try:
+        # Open the registry key
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH, 0, winreg.KEY_READ) as reg_key:
+            # Query the value
+            value, reg_type = winreg.QueryValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE)
+            # Check if the value is 1 (enabled)
+            return value == 1
+    except FileNotFoundError:
+        # Key or value not found, assume it's not enabled
+        return False
+    except WindowsError as e:
+        print(f"Failed to read the 'Include command line in process creation events' setting: {e}")
+        return False

{atomicshop-2.13.1.dist-info → atomicshop-2.14.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.13.1
+Version: 2.14.0
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.13.1.dist-info → atomicshop-2.14.0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=aqwPLStJUJ8YnGq3I420Yccvy8q9JIXVsivcavrcOtM,123
+atomicshop/__init__.py,sha256=LlDA7S0dPFwG14ZFuGv5tyUVyow2__rgMRanlcYHT88,123
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -27,7 +27,7 @@ atomicshop/permissions.py,sha256=P6tiUKV-Gw-c3ePEVsst9bqWaHJbB4ZlJB4xbDYVpEs,443
 atomicshop/print_api.py,sha256=DhbCQd0MWZZ5GYEk4oTu1opRFC-b31g1VWZgTGewG2Y,11568
 atomicshop/process.py,sha256=R1BtXWjG2g2Q3WlsyhbIlXZz0UkQeagY7fQyBOIX_DM,15951
 atomicshop/process_name_cmd.py,sha256=CtaSp3mgxxJKCCVW8BLx6BJNx4giCklU_T7USiCEwfc,5162
-atomicshop/process_poller.py,sha256=sEuuFu3gmUrp4tY1LVxE27L0eK5LIwNKjTbV7KtzeRM,15029
+atomicshop/process_poller.py,sha256=sGIiLNdYdyxdER7hKP8QcbYg1esKe5ymCfh5qUATpJM,15033
 atomicshop/python_file_patcher.py,sha256=kd3rBWvTcosLEk-7TycNdfKW9fZbe161iVwmH4niUo0,5515
 atomicshop/python_functions.py,sha256=zJg4ogUwECxrDD7xdDN5JikIUctITM5lsyabr_ZNsRw,4435
 atomicshop/question_answer_engine.py,sha256=DuOn7QEgKKfqZu2cR8mVeFIfFgayfBHiW-jY2VPq_Fo,841
@@ -106,10 +106,10 @@ atomicshop/etws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/const.py,sha256=v3x_IdCYeSKbCGywiZFOZln80ldpwKW5nuMDuUe51Jg,1257
 atomicshop/etws/providers.py,sha256=fVmWi-uGdtnsQTDpu_ty6dzx0GMhGokiST73LNBEJ38,129
 atomicshop/etws/sessions.py,sha256=k3miewU278xn829cqDbsuH_bmZHPQE9-Zn-hINbxUSE,1330
-atomicshop/etws/trace.py,sha256=tjBvV4RxCSn8Aoxj8NVxmqHekdECne_y4Zv2lbh11ak,5341
+atomicshop/etws/trace.py,sha256=H0uDB6I86UoNyijE5HCukp_paJNHTjKL6eAzBRGSI50,8509
 atomicshop/etws/traces/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/etws/traces/trace_dns.py,sha256=wRFwfFgVgMbYJu1Sf0Yy9LPoMrf9kXejl2Xjk3PNELQ,8430
-atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=pjb0qzNZttucEWOKv2j_BGVqaSeKjBL4O8oCsAteiGU,4785
+atomicshop/etws/traces/trace_dns.py,sha256=8Fl5UW4An3SE8tGXGTufTgOcWa574YZ6zQbU7x5DYrs,6270
+atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=WdlQiOfRZC-_PpuE6BkOw5zB0DLc3fhVrANyLrgfCac,4833
 atomicshop/file_io/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/file_io/csvs.py,sha256=y8cJtnlN-NNxNupzJgSeGq9aQ4wNxYLFPX9vNNlUiIc,5830
 atomicshop/file_io/docxs.py,sha256=6tcYFGp0vRsHR47VwcRqwhdt2DQOwrAUYhrwN996n9U,5117
@@ -141,7 +141,7 @@ atomicshop/mitm/engines/__reference_general/responder___reference_general.py,sha
 atomicshop/monitor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/monitor/change_monitor.py,sha256=eJRP7NBnA-Y_n6Ofm_jKrR5XguJV6gEmxFdtdGMBF3k,7866
 atomicshop/monitor/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/checks/dns.py,sha256=_DxInUSiiMa8Bx1sYJ6fRzRl7n_eAsoaGHhUk9XgF7w,7182
+atomicshop/monitor/checks/dns.py,sha256=OJWvMKl0zNtvBTYVYHSK_tfH0cNxCJ1kc_O-2Ob_5fc,7137
 atomicshop/monitor/checks/file.py,sha256=2tIDSlX2KZNc_9i9ji1tcOqupbFTIOj7cKXLyBEDWMk,3263
 atomicshop/monitor/checks/network.py,sha256=CGZWl4WlQrxayZeVF9JspJXwYA-zWx8ECWTVGSlXc98,3825
 atomicshop/monitor/checks/process_running.py,sha256=x66wd6-l466r8sbRQaIli0yswyGt1dH2DVXkGDL6O0Q,1891
@@ -246,9 +246,14 @@ atomicshop/wrappers/psutilw/disks.py,sha256=3ZSVoommKH1TWo37j_83frB-NqXF4Nf5q5mB
 atomicshop/wrappers/psutilw/memories.py,sha256=_S0aL8iaoIHebd1vOFrY_T9aROM5Jx2D5CvDh_4j0Vc,528
 atomicshop/wrappers/psutilw/psutilw.py,sha256=q3EwgprqyrR4zLCjl4l5DHFOQoukEvQMIPjNB504oQ0,21262
 atomicshop/wrappers/psycopgw/psycopgw.py,sha256=XJvVf0oAUjCHkrYfKeFuGCpfn0Oxj3u4SbKMKA1508E,7118
+atomicshop/wrappers/pywin32w/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/pywin32w/console.py,sha256=LstHajPLgXp9qQxFNR44QfH10nOnNp3bCJquxaTquns,1175
 atomicshop/wrappers/pywin32w/winshell.py,sha256=i2bKiMldPU7_azsD5xGQDdMwjaM7suKJd3k0Szmcs6c,723
 atomicshop/wrappers/pywin32w/wmi_win32process.py,sha256=qMzXtJ5hBZ5ydAyqpDbSx0nO2RJQL95HdmV5SzNKMhk,6826
+atomicshop/wrappers/pywin32w/win_event_log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=UztWltQPK_fQ3EWyY6tGfhAqwxDjK7RVIAZppu97rKI,5104
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/subscribe_to_process_create.py,sha256=_rMCTaREi_PJxAPP4gAB0IW9F0XO-suUXLf97tboKSc,5594
 atomicshop/wrappers/socketw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/socketw/accepter.py,sha256=HQC1EyZmyUtVEfFbaBkHCE-VZp6RWyd9mEqAkgsE1fk,1749
 atomicshop/wrappers/socketw/base.py,sha256=1vvg8EhRGvnxdrRAm1VJSLCXkm2SZDHRjdpTuhkH3Mg,1844
@@ -265,8 +270,8 @@ atomicshop/wrappers/socketw/socket_server_tester.py,sha256=AhpurHJmP2kgzHaUbq5ey
 atomicshop/wrappers/socketw/socket_wrapper.py,sha256=aXBwlEIJhFT0-c4i8iNlFx2It9VpCEpsv--5Oqcpxao,11624
 atomicshop/wrappers/socketw/ssl_base.py,sha256=k4V3gwkbq10MvOH4btU4onLX2GNOsSfUAdcHmL1rpVE,2274
 atomicshop/wrappers/socketw/statistics_csv.py,sha256=t3dtDEfN47CfYVi0CW6Kc2QHTEeZVyYhc57IYYh5nmA,826
-atomicshop-2.13.1.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.13.1.dist-info/METADATA,sha256=yOVvRROyXl4BM9Qr9EzI5BTZgvEo0OG3-uCo9Ryni2Y,10478
-atomicshop-2.13.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.13.1.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.13.1.dist-info/RECORD,,
+atomicshop-2.14.0.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.14.0.dist-info/METADATA,sha256=M4vV-yH5er5NVOQJMUtIPqdgh6IHzINAY1frKcRF9oU,10478
+atomicshop-2.14.0.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.14.0.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.14.0.dist-info/RECORD,,