atomicshop 2.14.0__py3-none-any.whl → 2.14.2__py3-none-any.whl

atomicshop/__init__.py

@@ -1,4 +1,4 @@
 """Atomic Basic functions and classes to make developer life easier"""
 
 __author__ = "Den Kras"
-__version__ = '2.14.0'
+__version__ = '2.14.2'

atomicshop/etws/trace.py

@@ -27,8 +27,7 @@ class EventTrace(etw.ETW):
             session_name: str = None,
             close_existing_session_name: bool = True,
             enable_process_poller: bool = False,
-            process_poller_etw_session_name: str = None,
-            process_poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'sysmon_etw'
+            process_poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw', 'event_log'] = 'event_log'
     ):
         """
         :param providers: List of tuples with provider name and provider GUID.
@@ -42,13 +41,13 @@ class EventTrace(etw.ETW):
         :param enable_process_poller: Boolean to enable process poller. Gets the process PID, Name and CommandLine.
             Since the DNS events doesn't contain the process name and command line, only PID.
             Then DNS events will be enriched with the process name and command line from the process poller.
-        :param process_poller_etw_session_name: The name of the ETW session for tracing process creation.
         :param process_poller_method: The method to get the process information. For more information, see the
             'process_poller.ProcessPollerPool' class. Summary:
                 'psutil': Uses 'psutil' library to get the process information.
                 'pywin32': Uses 'pywin32' library to get the process information.
                 'process_dll': Uses 'process' custom DLL to get the process information.
                 'sysmon_etw': Uses 'sysmon_etw' uses sysmon and ETW to get the process information.
+                'event_log': Uses Security Windows EVent Log channel (event id 4688) to get the process information.
 
         ------------------------------------------
 
@@ -72,7 +71,6 @@ class EventTrace(etw.ETW):
         self.event_queue = queue.Queue()
         self.close_existing_session_name: bool = close_existing_session_name
         self.enable_process_poller: bool = enable_process_poller
-        self.process_poller_etw_session_name: str = process_poller_etw_session_name
 
         # If no callback function is provided, we will use the default one, which will put the event in the queue.
         if not event_callback:
@@ -86,7 +84,8 @@ class EventTrace(etw.ETW):
         for provider in providers:
             etw_format_providers.append(etw.ProviderInfo(provider[0], etw.GUID(provider[1])))
 
-        if not process_poller_etw_session_name:
+        process_poller_etw_session_name = None
+        if process_poller_method == 'sysmon_etw':
             process_poller_etw_session_name = PROCESS_POLLER_ETW_DEFAULT_SESSION_NAME
 
         if self.enable_process_poller:

atomicshop/etws/traces/trace_dns.py

@@ -24,8 +24,7 @@ class DnsRequestResponseTrace:
             self,
             attrs: list = None,
             session_name: str = None,
-            close_existing_session_name: bool = True,
-            process_poller_etw_session_name: str = None
+            close_existing_session_name: bool = True
     ):
         """
         :param attrs: List of attributes to return. If None, all attributes will be returned.
@@ -36,7 +35,6 @@ class DnsRequestResponseTrace:
             False: if ETW session with 'session_name' exists, you will be notified and the new session will not be
                 created. Instead, the existing session will be used. If there is a buffer from the previous session,
                 you will get the events from the buffer.
-        :param process_poller_etw_session_name: The name of the ETW session for tracing process creation.
 
         -------------------------------------------------
 
@@ -48,8 +46,7 @@ class DnsRequestResponseTrace:
                 attrs=['pid', 'name', 'cmdline', 'domain', 'query_type'],
                 session_name='MyDnsTrace',
                 close_existing_session_name=True,
-                enable_process_poller=True,
-                process_poller_etw_session_name='MyProcessTrace'
+                enable_process_poller=True
             )
             dns_trace_w.start()
             while True:
@@ -69,8 +66,7 @@ class DnsRequestResponseTrace:
             event_id_filters=[REQUEST_RESP_EVENT_ID],
             session_name=session_name,
             close_existing_session_name=close_existing_session_name,
-            enable_process_poller=True,
-            process_poller_etw_session_name=process_poller_etw_session_name
+            enable_process_poller=True
         )
 
     def start(self):

atomicshop/monitor/change_monitor.py

@@ -41,8 +41,7 @@ class ChangeMonitor:
                     'url_playwright_jpeg'],
                 None] = None,
             object_type_settings: dict = None,
-            etw_session_name: str = None,
-            etw_process_session_name: str = None
+            etw_session_name: str = None
     ):
         """
         :param object_type: string, type of object to check. The type must be one of the following:
@@ -89,8 +88,6 @@ class ChangeMonitor:
             with logman and other tools: logman query -ets
             If not provided, a default name will be generated.
             'dns': 'AtomicShopDnsTrace'
-        :param etw_process_session_name: string, the name of the ETW session for tracing process creation.
-            This is needed to correlate the process cmd with the DNS requests PIDs.
 
         If 'input_directory' is not specified, the 'input_file_name' is not specified, and
         'generate_input_file_name' is False, then the input file will not be used and the object will be stored
@@ -107,7 +104,6 @@ class ChangeMonitor:
         self.object_type = object_type
         self.object_type_settings: dict = object_type_settings
         self.etw_session_name: str = etw_session_name
-        self.etw_process_session_name: str = etw_process_session_name
 
         # === Additional variables ========================================
 

atomicshop/monitor/checks/dns.py

@@ -27,8 +27,7 @@ class DnsCheck:
             trace_dns.DnsRequestResponseTrace(
                 attrs=['name', 'cmdline', 'domain', 'query_type'],
                 session_name=self.etw_session_name,
-                close_existing_session_name=True,
-                process_poller_etw_session_name=change_monitor_instance.etw_process_session_name
+                close_existing_session_name=True
             )
         )
 

atomicshop/process_poller.py

@@ -2,8 +2,10 @@ import threading
 import multiprocessing
 import time
 from typing import Literal, Union
+from pathlib import Path
 
 from .wrappers.pywin32w import wmi_win32process
+from .wrappers.pywin32w.win_event_log.subscribes import process_create
 from .wrappers.psutilw import psutilw
 from .etws.traces import trace_sysmon_process_creation
 from .basics import dicts
@@ -52,7 +54,7 @@ class GetProcessList:
     """
     def __init__(
             self,
-            get_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'process_dll',
+            get_method: Literal['psutil', 'pywin32', 'process_dll'] = 'process_dll',
             connect_on_init: bool = False
     ):
         """
@@ -145,7 +147,7 @@ class ProcessPollerPool:
             self,
             interval_seconds: Union[int, float] = 0,
             operation: Literal['thread', 'process'] = 'thread',
-            poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'sysmon_etw',
+            poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw', 'event_log'] = 'event_log',
             sysmon_etw_session_name: str = None,
             sysmon_directory: str = None
     ):
@@ -175,6 +177,9 @@ class ProcessPollerPool:
                     2. Start the "Microsoft-Windows-Sysmon" ETW session.
                     3. Take a snapshot of current processes and their CMDs with psutil and store it in a dict.
                     4. Each new process creation from ETW updates the dict.
+            'event_log': Get the list of processes by subscribing to the Windows Event Log.
+                Log Channel: Security, Event ID: 4688.
+                We enable the necessary prerequisites in registry and subscribe to the event.
         :param sysmon_etw_session_name: str, only for 'sysmon_etw' get_method.
             The name of the ETW session for tracing process creation.
         :param sysmon_directory: str, only for 'sysmon_etw' get_method.
@@ -271,6 +276,12 @@ def _worker(
         # We must initiate the connection inside the thread/process, because it is not thread-safe.
         poller_instance.start()
 
+        processes = GetProcessList(get_method='pywin32', connect_on_init=True).get_processes(as_dict=True)
+        process_queue.put(processes)
+    elif poller_method == 'event_log':
+        poller_instance = process_create.ProcessCreateSubscriber()
+        poller_instance.start()
+
         processes = GetProcessList(get_method='pywin32', connect_on_init=True).get_processes(as_dict=True)
         process_queue.put(processes)
     else:
@@ -279,7 +290,6 @@ def _worker(
         processes = {}
 
     exception = None
-    list_of_processes: list = list()
     while running_state:
         try:
             if poller_method == 'sysmon_etw':
@@ -289,6 +299,13 @@ def _worker(
                     'name': current_cycle['original_file_name'],
                     'cmdline': current_cycle['command_line']}
                 }
+            elif poller_method == 'event_log':
+                # Get the current processes and reinitialize the instance of the dict.
+                current_cycle: dict = poller_instance.emit()
+                current_processes: dict = {current_cycle['pid']: {
+                    'name': Path(current_cycle['process_name']).name,
+                    'cmdline': current_cycle['command_line']}
+                }
             else:
                 # Get the current processes and reinitialize the instance of the dict.
                 current_processes: dict = dict(poller_instance.get_processes())
@@ -312,8 +329,8 @@ def _worker(
 
             process_queue.put(processes)
 
-            # Since ETW is a blocking operation, we don't need to sleep.
-            if poller_method != 'sysmon_etw':
+            # Since ETW is a blocking operation, we don't need to sleep in tracing pollers [sysmon_etw, event_log].
+            if poller_method not in ['sysmon_etw', 'event_log']:
                 time.sleep(interval_seconds)
         except KeyboardInterrupt as e:
             running_state = False

atomicshop/wrappers/pywin32w/win_event_log/subscribe.py

@@ -4,6 +4,7 @@ import time
 import threading
 import queue
 from typing import Union
+import binascii
 
 
 class EventLogSubscriber:
@@ -20,15 +21,29 @@ class EventLogSubscriber:
             event = event_log_subscriber.emit()
             print(event)
     """
-    def __init__(self, log_channel: str, event_id: int):
+    def __init__(self, log_channel: str, event_id: int = None, provider: str = None):
         """
         :param log_channel: The name of the event log channel to subscribe to. Examples:
             Security, System, Application, etc.
         :param event_id: The ID of the event to subscribe to.
             Example: 4688 for process creation events in "Security" channel.
+            You can only subscribe by event ID or provider, not both.
+        :param provider: The name of the provider to subscribe to.
+            You can only subscribe by event ID or provider, not both.
         """
+
+        if event_id is None and provider is None:
+            raise ValueError("You must specify either an event ID or provider name to subscribe to.")
+        elif event_id and provider:
+            raise ValueError("You can only subscribe by event ID or provider, not both.")
+
         self.log_channel: str = log_channel
-        self.event_id: str = str(event_id)
+        self.provider: str = provider
+
+        if event_id:
+            self.event_id: str = str(event_id)
+        else:
+            self.event_id = event_id
 
         self._event_queue = queue.Queue()
         self._subscription_thread = None
@@ -36,7 +51,7 @@ class EventLogSubscriber:
     def start(self):
         """Start the subscription process."""
         self._subscription_thread = threading.Thread(
-            target=start_subscription, args=(self.log_channel, self.event_id, self._event_queue)
+            target=start_subscription, args=(self.log_channel, self._event_queue, self.event_id, self.provider)
         )
         self._subscription_thread.daemon = True
         self._subscription_thread.start()
@@ -64,51 +79,83 @@ class EventLogSubscriber:
 def _parse_event_xml(event_xml):
     root = Et.fromstring(event_xml)
     data = {}
+
+    # Helper function to strip namespace
+    def strip_namespace(tag):
+        return tag.split('}')[-1]  # Remove namespace
+
+    # Iterate over all elements
     for elem in root.iter():
-        if 'Name' in elem.attrib:
-            data[elem.attrib['Name']] = elem.text
+        # Extract elements with text content
+        if elem.text and elem.text.strip():
+            tag = elem.tag.split('}')[-1]  # Remove namespace
+            data[tag] = elem.text.strip()
+
+        # Extract elements with attributes
+        for attr_name, attr_value in elem.attrib.items():
+            tag = elem.tag.split('}')[-1]  # Remove namespace
+            data[f"{tag}_{attr_name}"] = attr_value
+
+        # Handle Binary data
+        if elem.tag.split('}')[-1] == 'Binary':
+            try:
+                data['BinaryReadable'] = binascii.unhexlify(elem.text.strip())
+            except (TypeError, binascii.Error) as e:
+                print(f"Error decoding binary data: {e}")
+                data['BinaryReadable'] = elem.text.strip()
+
+    # Extract system-specific data
+    system_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}System")
+    if system_data is not None:
+        for system_elem in system_data:
+            tag = strip_namespace(system_elem.tag)
+            if system_elem.attrib:
+                for attr_name, attr_value in system_elem.attrib.items():
+                    data[f"{tag}_{attr_name}"] = attr_value
+            if system_elem.text and system_elem.text.strip():
+                data[tag] = system_elem.text.strip()
+
+    # Extract event-specific data
+    event_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}EventData")
+    if event_data is not None:
+        for data_elem in event_data:
+            if strip_namespace(data_elem.tag) == 'Data' and 'Name' in data_elem.attrib:
+                data[data_elem.attrib['Name']] = data_elem.text.strip()
+
+    # Extract user data if available
+    user_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}UserData")
+    if user_data is not None:
+        for user_elem in user_data:
+            tag = strip_namespace(user_elem.tag)
+            if user_elem.attrib:
+                for attr_name, attr_value in user_elem.attrib.items():
+                    data[f"{tag}_{attr_name}"] = attr_value
+            if user_elem.text and user_elem.text.strip():
+                data[tag] = user_elem.text.strip()
+
+    # Extract rendering info (additional details like the message)
+    rendering_info = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}RenderingInfo")
+    if rendering_info is not None:
+        for info_elem in rendering_info:
+            tag = strip_namespace(info_elem.tag)
+            if info_elem.text and info_elem.text.strip():
+                data[f"RenderingInfo_{tag}"] = info_elem.text.strip()
+
     return data
 
 
 def _handle_event(event, event_queue):
+    # Render event as XML
     event_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
+    data = None
     try:
         data = _parse_event_xml(event_xml)
     except Et.ParseError as e:
         print(f"Error parsing event XML: {e}")
-        return
-
-    event_dict: dict = {
-        'user_sid': data.get("SubjectUserSid", "Unknown"),
-        'user_name': data.get("SubjectUserName", "Unknown"),
-        'domain': data.get("SubjectDomainName", "Unknown"),
-        'pid_hex': data.get("NewProcessId", "0"),
-        'process_name': data.get("NewProcessName", "Unknown"),
-        'command_line': data.get("CommandLine", None),
-        'parent_pid_hex': data.get("ProcessId", "0"),
-        'parent_process_name': data.get("ParentProcessName", "Unknown")
-    }
-
-    try:
-        process_id = int(event_dict['pid_hex'], 16)
-    except ValueError:
-        process_id = "Unknown"
+    except Exception as e:
+        print(f"Error getting rendered message: {e}")
 
-    try:
-        parent_pid = int(event_dict['parent_pid_hex'], 16)
-    except ValueError:
-        parent_pid = "Unknown"
-
-    event_dict['pid'] = process_id
-    event_dict['parent_pid'] = parent_pid
-
-    # if user_sid != "Unknown":
-    #     try:
-    #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
-    #     except Exception as e:
-    #         print(f"Error looking up account SID: {e}")
-
-    event_queue.put(event_dict)
+    event_queue.put(data)
 
 
 def _event_callback(action, context, event):
@@ -117,25 +164,43 @@ def _event_callback(action, context, event):
         _handle_event(event, event_queue)
 
 
-def start_subscription(log_channel: str, event_id: int, event_queue):
+def start_subscription(
+        log_channel: str,
+        event_queue,
+        event_id: str = None,
+        provider: str = None
+):
     """
     Start listening for events in the specified log channel with the given event ID.
 
     :param log_channel: The name of the event log channel to subscribe to. Examples:
         Security, System, Application, etc.
+    :param event_queue: A queue to store the received events
     :param event_id: The ID of the event to subscribe to.
         Example: 4688 for process creation events in "Security" channel.
-    :param event_queue: A queue to store the received events
+        You can only subscribe by event ID or provider, not both.
+    :param provider: The name of the provider to subscribe to.
+        You can only subscribe by event ID or provider, not both.
     """
+
+    if event_id is None and provider is None:
+        raise ValueError("You must specify either an event ID or provider name to subscribe to.")
+    elif event_id and provider:
+        raise ValueError("You can only subscribe by event ID or provider, not both.")
+
     # This selects the System node within each event.
     # The System node contains metadata about the event, such as the event ID, provider name, timestamp, and more.
-    query = f"*[System/EventID={str(event_id)}]"
+    xpath_query = None
+    if provider:
+        xpath_query = f"*[System/Provider[@Name='{provider}']]"
+    elif event_id:
+        xpath_query = f"*[System/EventID={event_id}]"
 
     subscription = win32evtlog.EvtSubscribe(
         log_channel,
         win32evtlog.EvtSubscribeToFutureEvents,
         SignalEvent=None,
-        Query=query,
+        Query=xpath_query,
         Callback=_event_callback,
         Context={'event_queue': event_queue}
     )

atomicshop/wrappers/pywin32w/win_event_log/subscribes/{subscribe_to_process_create.py → process_create.py}

@@ -7,6 +7,8 @@ from .....print_api import print_api
 
 AUDITING_REG_PATH: str = r"Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
 PROCESS_CREATION_INCLUDE_CMDLINE_VALUE: str = "ProcessCreationIncludeCmdLine_Enabled"
+LOG_CHANNEL: str = 'Security'
+EVENT_ID: int = 4688
 
 
 class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
@@ -14,9 +16,9 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
     Class for subscribing to Windows Event Log events related to process creation.
 
     Usage:
-        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import subscribe_to_process_create
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import process_create
 
-        process_create_subscriber = subscribe_to_process_create.ProcessCreateSubscriber()
+        process_create_subscriber = process_create.ProcessCreateSubscriber()
         process_create_subscriber.start()
 
         while True:
@@ -24,7 +26,7 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
             print(event)
     """
     def __init__(self):
-        super().__init__('Security', 4688)
+        super().__init__(log_channel=LOG_CHANNEL, event_id=EVENT_ID)
 
     def start(self):
         """Start the subscription process."""
@@ -45,7 +47,40 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
             If None, the function will block until an event is available.
         :return: A dictionary containing the event data.
         """
-        return super().emit(timeout=timeout)
+
+        data = super().emit(timeout=timeout)
+
+        event_dict: dict = {
+            'user_sid': data.get("SubjectUserSid", "Unknown"),
+            'user_name': data.get("SubjectUserName", "Unknown"),
+            'domain': data.get("SubjectDomainName", "Unknown"),
+            'pid_hex': data.get("NewProcessId", "0"),
+            'process_name': data.get("NewProcessName", "Unknown"),
+            'command_line': data.get("CommandLine", None),
+            'parent_pid_hex': data.get("ProcessId", "0"),
+            'parent_process_name': data.get("ParentProcessName", "Unknown")
+        }
+
+        try:
+            process_id = int(event_dict['pid_hex'], 16)
+        except ValueError:
+            process_id = "Unknown"
+
+        try:
+            parent_pid = int(event_dict['parent_pid_hex'], 16)
+        except ValueError:
+            parent_pid = "Unknown"
+
+        event_dict['pid'] = process_id
+        event_dict['parent_pid'] = parent_pid
+
+        # if user_sid != "Unknown":
+        #     try:
+        #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
+        #     except Exception as e:
+        #         print(f"Error looking up account SID: {e}")
+
+        return event_dict
 
 
 def enable_audit_process_creation(print_kwargs: dict = None):
@@ -91,10 +126,10 @@ def is_audit_process_creation_enabled(print_kwargs: dict = None) -> bool:
             #     color='green', **(print_kwargs or {}))
             return True
         else:
-            print_api(output, **(print_kwargs or {}))
-            print_api(
-                "'Audit Process Creation' is not fully enabled. Check the output above for details.",
-                color='yellow', **(print_kwargs or {}))
+            # print_api(output, **(print_kwargs or {}))
+            # print_api(
+            #     "'Audit Process Creation' is not fully enabled. Check the output above for details.",
+            #     color='yellow', **(print_kwargs or {}))
             return False
     except subprocess.CalledProcessError as e:
         print_api(f"Failed to check 'Audit Process Creation': {e}", color='red', error_type=True, **(print_kwargs or {}))

atomicshop/wrappers/pywin32w/win_event_log/subscribes/schannel_logging.py

@@ -0,0 +1,97 @@
+import winreg
+import sys
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+SCHANNEL_LOGGING_REG_PATH: str = r'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
+SCHANNEL_EVENT_LOGGING_KEY: str = 'EventLogging'
+LOG_CHANNEL: str = 'System'
+PROVIDER: str = 'Schannel'
+
+
+class SchannelLoggingSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process creation.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import schannel_logging
+
+        process_create_subscriber = schannel_logging.SchannelLoggingSubscriber()
+        process_create_subscriber.start()
+
+        while True:
+            event = process_create_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, provider=PROVIDER)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_schannel_logging()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+        return super().emit(timeout=timeout)
+
+
+def enable_schannel_logging(logging_value: int = 1, print_kwargs: dict = None):
+    """
+    Value 	Description
+    0x0000 	Do not log
+    0x0001 	Log error messages
+    0x0002 	Log warnings
+    0x0003 	Log warnings and error messages
+    0x0004 	Log informational and success events
+    0x0005 	Log informational, success events and error messages
+    0x0006 	Log informational, success events and warnings
+    0x0007 	Log informational, success events, warnings, and error messages (all log levels)
+    """
+
+    if is_schannel_logging_enabled(logging_value):
+        print_api(
+            "Schannel event logging is already enabled.", color='yellow',
+            **(print_kwargs or {}))
+        return
+
+    try:
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCHANNEL_LOGGING_REG_PATH, 0, winreg.KEY_ALL_ACCESS) as key:
+            winreg.SetValueEx(key, SCHANNEL_EVENT_LOGGING_KEY, 0, winreg.REG_DWORD, logging_value)
+
+        print_api(
+            "Successfully enabled Schannel logging.",
+            color='green', **(print_kwargs or {}))
+        print_api(
+            "Please restart the computer for the changes to take effect.",
+            color='yellow', **(print_kwargs or {}))
+        sys.exit()
+    except WindowsError as e:
+        print_api(
+            f"Failed to enable Schannel event logging: {e}", error_type=True,
+            color='red', **(print_kwargs or {}))
+
+
+def is_schannel_logging_enabled(logging_value: int) -> bool:
+    try:
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCHANNEL_LOGGING_REG_PATH, 0, winreg.KEY_READ) as key:
+            value, regtype = winreg.QueryValueEx(key, SCHANNEL_EVENT_LOGGING_KEY)
+            return value == logging_value
+    except FileNotFoundError:
+        return False
+    except WindowsError as e:
+        print(f"Failed to read the Schannel event logging setting: {e}")
+        return False

{atomicshop-2.14.0.dist-info → atomicshop-2.14.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.14.0
+Version: 2.14.2
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.14.0.dist-info → atomicshop-2.14.2.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=LlDA7S0dPFwG14ZFuGv5tyUVyow2__rgMRanlcYHT88,123
+atomicshop/__init__.py,sha256=z4rThLLSu1i3Wlh2xQO9kTZiAnom3boVcidQ2m4F8V0,123
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -27,7 +27,7 @@ atomicshop/permissions.py,sha256=P6tiUKV-Gw-c3ePEVsst9bqWaHJbB4ZlJB4xbDYVpEs,443
 atomicshop/print_api.py,sha256=DhbCQd0MWZZ5GYEk4oTu1opRFC-b31g1VWZgTGewG2Y,11568
 atomicshop/process.py,sha256=R1BtXWjG2g2Q3WlsyhbIlXZz0UkQeagY7fQyBOIX_DM,15951
 atomicshop/process_name_cmd.py,sha256=CtaSp3mgxxJKCCVW8BLx6BJNx4giCklU_T7USiCEwfc,5162
-atomicshop/process_poller.py,sha256=sGIiLNdYdyxdER7hKP8QcbYg1esKe5ymCfh5qUATpJM,15033
+atomicshop/process_poller.py,sha256=17sc332AcTfSVPorjYsgRwNm75rLCqvpOQsieMwLMKU,16105
 atomicshop/python_file_patcher.py,sha256=kd3rBWvTcosLEk-7TycNdfKW9fZbe161iVwmH4niUo0,5515
 atomicshop/python_functions.py,sha256=zJg4ogUwECxrDD7xdDN5JikIUctITM5lsyabr_ZNsRw,4435
 atomicshop/question_answer_engine.py,sha256=DuOn7QEgKKfqZu2cR8mVeFIfFgayfBHiW-jY2VPq_Fo,841
@@ -106,9 +106,9 @@ atomicshop/etws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/const.py,sha256=v3x_IdCYeSKbCGywiZFOZln80ldpwKW5nuMDuUe51Jg,1257
 atomicshop/etws/providers.py,sha256=fVmWi-uGdtnsQTDpu_ty6dzx0GMhGokiST73LNBEJ38,129
 atomicshop/etws/sessions.py,sha256=k3miewU278xn829cqDbsuH_bmZHPQE9-Zn-hINbxUSE,1330
-atomicshop/etws/trace.py,sha256=H0uDB6I86UoNyijE5HCukp_paJNHTjKL6eAzBRGSI50,8509
+atomicshop/etws/trace.py,sha256=v2yA3FicR9WIg5n5KlZEuYbLAzTTjiDk7avWxcEjwp8,8439
 atomicshop/etws/traces/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/etws/traces/trace_dns.py,sha256=8Fl5UW4An3SE8tGXGTufTgOcWa574YZ6zQbU7x5DYrs,6270
+atomicshop/etws/traces/trace_dns.py,sha256=-bw7JGDeAl2UtNGoSPeD_gh6ij4IGAbPdB8VWip8fXc,5960
 atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=WdlQiOfRZC-_PpuE6BkOw5zB0DLc3fhVrANyLrgfCac,4833
 atomicshop/file_io/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/file_io/csvs.py,sha256=y8cJtnlN-NNxNupzJgSeGq9aQ4wNxYLFPX9vNNlUiIc,5830
@@ -139,9 +139,9 @@ atomicshop/mitm/engines/__reference_general/parser___reference_general.py,sha256
 atomicshop/mitm/engines/__reference_general/recorder___reference_general.py,sha256=KENDVf9OwXD9gwSh4B1XxACCe7iHYjrvnW1t6F64wdE,695
 atomicshop/mitm/engines/__reference_general/responder___reference_general.py,sha256=1AM49UaFTKA0AHw-k3SV3uH3QbG-o6ux0c-GoWkKNU0,6993
 atomicshop/monitor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/change_monitor.py,sha256=eJRP7NBnA-Y_n6Ofm_jKrR5XguJV6gEmxFdtdGMBF3k,7866
+atomicshop/monitor/change_monitor.py,sha256=dGhk5bJPxLCHa2FOVkort99E7vjVojra9GlvhpcKSqE,7551
 atomicshop/monitor/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/checks/dns.py,sha256=OJWvMKl0zNtvBTYVYHSK_tfH0cNxCJ1kc_O-2Ob_5fc,7137
+atomicshop/monitor/checks/dns.py,sha256=clslElMi2HZaO3G1nXt2t0O2Yj0vFsJd6CXRdIXCGJM,7038
 atomicshop/monitor/checks/file.py,sha256=2tIDSlX2KZNc_9i9ji1tcOqupbFTIOj7cKXLyBEDWMk,3263
 atomicshop/monitor/checks/network.py,sha256=CGZWl4WlQrxayZeVF9JspJXwYA-zWx8ECWTVGSlXc98,3825
 atomicshop/monitor/checks/process_running.py,sha256=x66wd6-l466r8sbRQaIli0yswyGt1dH2DVXkGDL6O0Q,1891
@@ -251,9 +251,10 @@ atomicshop/wrappers/pywin32w/console.py,sha256=LstHajPLgXp9qQxFNR44QfH10nOnNp3bC
 atomicshop/wrappers/pywin32w/winshell.py,sha256=i2bKiMldPU7_azsD5xGQDdMwjaM7suKJd3k0Szmcs6c,723
 atomicshop/wrappers/pywin32w/wmi_win32process.py,sha256=qMzXtJ5hBZ5ydAyqpDbSx0nO2RJQL95HdmV5SzNKMhk,6826
 atomicshop/wrappers/pywin32w/win_event_log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=UztWltQPK_fQ3EWyY6tGfhAqwxDjK7RVIAZppu97rKI,5104
+atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=a0SqjtUfo-fVR5jlsoygFlDrjHelOKgCBvia3suyzW8,8217
 atomicshop/wrappers/pywin32w/win_event_log/subscribes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/pywin32w/win_event_log/subscribes/subscribe_to_process_create.py,sha256=_rMCTaREi_PJxAPP4gAB0IW9F0XO-suUXLf97tboKSc,5594
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py,sha256=_no1MnXjhLgOi9Y7xc7HHgTe6sjZkHIIhcVCd5BKZgM,6865
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/schannel_logging.py,sha256=8nxIcNcbeEuvoBwhujgh7-oIpL9A6J-gg1NM8hOGAVA,3442
 atomicshop/wrappers/socketw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/socketw/accepter.py,sha256=HQC1EyZmyUtVEfFbaBkHCE-VZp6RWyd9mEqAkgsE1fk,1749
 atomicshop/wrappers/socketw/base.py,sha256=1vvg8EhRGvnxdrRAm1VJSLCXkm2SZDHRjdpTuhkH3Mg,1844
@@ -270,8 +271,8 @@ atomicshop/wrappers/socketw/socket_server_tester.py,sha256=AhpurHJmP2kgzHaUbq5ey
 atomicshop/wrappers/socketw/socket_wrapper.py,sha256=aXBwlEIJhFT0-c4i8iNlFx2It9VpCEpsv--5Oqcpxao,11624
 atomicshop/wrappers/socketw/ssl_base.py,sha256=k4V3gwkbq10MvOH4btU4onLX2GNOsSfUAdcHmL1rpVE,2274
 atomicshop/wrappers/socketw/statistics_csv.py,sha256=t3dtDEfN47CfYVi0CW6Kc2QHTEeZVyYhc57IYYh5nmA,826
-atomicshop-2.14.0.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.14.0.dist-info/METADATA,sha256=M4vV-yH5er5NVOQJMUtIPqdgh6IHzINAY1frKcRF9oU,10478
-atomicshop-2.14.0.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.14.0.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.14.0.dist-info/RECORD,,
+atomicshop-2.14.2.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.14.2.dist-info/METADATA,sha256=VIgp-Go_u3KNgCb_tRAE6XcD9IyNa2lHdn0C2WFmscY,10478
+atomicshop-2.14.2.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.14.2.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.14.2.dist-info/RECORD,,