atomicshop 2.14.1__py3-none-any.whl → 2.14.3__py3-none-any.whl

atomicshop/wrappers/pywin32w/win_event_log/subscribe.py

@@ -4,6 +4,7 @@ import time
 import threading
 import queue
 from typing import Union
+import binascii
 
 
 class EventLogSubscriber:
@@ -20,15 +21,29 @@ class EventLogSubscriber:
             event = event_log_subscriber.emit()
             print(event)
     """
-    def __init__(self, log_channel: str, event_id: int):
+    def __init__(self, log_channel: str, event_id: int = None, provider: str = None):
         """
         :param log_channel: The name of the event log channel to subscribe to. Examples:
             Security, System, Application, etc.
         :param event_id: The ID of the event to subscribe to.
             Example: 4688 for process creation events in "Security" channel.
+            You can only subscribe by event ID or provider, not both.
+        :param provider: The name of the provider to subscribe to.
+            You can only subscribe by event ID or provider, not both.
         """
+
+        if event_id is None and provider is None:
+            raise ValueError("You must specify either an event ID or provider name to subscribe to.")
+        elif event_id and provider:
+            raise ValueError("You can only subscribe by event ID or provider, not both.")
+
         self.log_channel: str = log_channel
-        self.event_id: str = str(event_id)
+        self.provider: str = provider
+
+        if event_id:
+            self.event_id: str = str(event_id)
+        else:
+            self.event_id = event_id
 
         self._event_queue = queue.Queue()
         self._subscription_thread = None
@@ -36,7 +51,7 @@ class EventLogSubscriber:
     def start(self):
         """Start the subscription process."""
         self._subscription_thread = threading.Thread(
-            target=start_subscription, args=(self.log_channel, self.event_id, self._event_queue)
+            target=start_subscription, args=(self.log_channel, self._event_queue, self.event_id, self.provider)
         )
         self._subscription_thread.daemon = True
         self._subscription_thread.start()
@@ -64,51 +79,83 @@ class EventLogSubscriber:
 def _parse_event_xml(event_xml):
     root = Et.fromstring(event_xml)
     data = {}
+
+    # Helper function to strip namespace
+    def strip_namespace(tag):
+        return tag.split('}')[-1]  # Remove namespace
+
+    # Iterate over all elements
     for elem in root.iter():
-        if 'Name' in elem.attrib:
-            data[elem.attrib['Name']] = elem.text
+        # Extract elements with text content
+        if elem.text and elem.text.strip():
+            tag = elem.tag.split('}')[-1]  # Remove namespace
+            data[tag] = elem.text.strip()
+
+        # Extract elements with attributes
+        for attr_name, attr_value in elem.attrib.items():
+            tag = elem.tag.split('}')[-1]  # Remove namespace
+            data[f"{tag}_{attr_name}"] = attr_value
+
+        # Handle Binary data
+        if elem.tag.split('}')[-1] == 'Binary':
+            try:
+                data['BinaryReadable'] = binascii.unhexlify(elem.text.strip())
+            except (TypeError, binascii.Error) as e:
+                print(f"Error decoding binary data: {e}")
+                data['BinaryReadable'] = elem.text.strip()
+
+    # Extract system-specific data
+    system_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}System")
+    if system_data is not None:
+        for system_elem in system_data:
+            tag = strip_namespace(system_elem.tag)
+            if system_elem.attrib:
+                for attr_name, attr_value in system_elem.attrib.items():
+                    data[f"{tag}_{attr_name}"] = attr_value
+            if system_elem.text and system_elem.text.strip():
+                data[tag] = system_elem.text.strip()
+
+    # Extract event-specific data
+    event_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}EventData")
+    if event_data is not None:
+        for data_elem in event_data:
+            if strip_namespace(data_elem.tag) == 'Data' and 'Name' in data_elem.attrib:
+                data[data_elem.attrib['Name']] = data_elem.text.strip()
+
+    # Extract user data if available
+    user_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}UserData")
+    if user_data is not None:
+        for user_elem in user_data:
+            tag = strip_namespace(user_elem.tag)
+            if user_elem.attrib:
+                for attr_name, attr_value in user_elem.attrib.items():
+                    data[f"{tag}_{attr_name}"] = attr_value
+            if user_elem.text and user_elem.text.strip():
+                data[tag] = user_elem.text.strip()
+
+    # Extract rendering info (additional details like the message)
+    rendering_info = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}RenderingInfo")
+    if rendering_info is not None:
+        for info_elem in rendering_info:
+            tag = strip_namespace(info_elem.tag)
+            if info_elem.text and info_elem.text.strip():
+                data[f"RenderingInfo_{tag}"] = info_elem.text.strip()
+
     return data
 
 
 def _handle_event(event, event_queue):
+    # Render event as XML
     event_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
+    data = None
     try:
         data = _parse_event_xml(event_xml)
     except Et.ParseError as e:
         print(f"Error parsing event XML: {e}")
-        return
-
-    event_dict: dict = {
-        'user_sid': data.get("SubjectUserSid", "Unknown"),
-        'user_name': data.get("SubjectUserName", "Unknown"),
-        'domain': data.get("SubjectDomainName", "Unknown"),
-        'pid_hex': data.get("NewProcessId", "0"),
-        'process_name': data.get("NewProcessName", "Unknown"),
-        'command_line': data.get("CommandLine", None),
-        'parent_pid_hex': data.get("ProcessId", "0"),
-        'parent_process_name': data.get("ParentProcessName", "Unknown")
-    }
-
-    try:
-        process_id = int(event_dict['pid_hex'], 16)
-    except ValueError:
-        process_id = "Unknown"
+    except Exception as e:
+        print(f"Error getting rendered message: {e}")
 
-    try:
-        parent_pid = int(event_dict['parent_pid_hex'], 16)
-    except ValueError:
-        parent_pid = "Unknown"
-
-    event_dict['pid'] = process_id
-    event_dict['parent_pid'] = parent_pid
-
-    # if user_sid != "Unknown":
-    #     try:
-    #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
-    #     except Exception as e:
-    #         print(f"Error looking up account SID: {e}")
-
-    event_queue.put(event_dict)
+    event_queue.put(data)
 
 
 def _event_callback(action, context, event):
@@ -117,31 +164,47 @@ def _event_callback(action, context, event):
         _handle_event(event, event_queue)
 
 
-def start_subscription(log_channel: str, event_id: int, event_queue):
+def start_subscription(
+        log_channel: str,
+        event_queue,
+        event_id: str = None,
+        provider: str = None
+):
     """
     Start listening for events in the specified log channel with the given event ID.
 
     :param log_channel: The name of the event log channel to subscribe to. Examples:
         Security, System, Application, etc.
+    :param event_queue: A queue to store the received events
     :param event_id: The ID of the event to subscribe to.
         Example: 4688 for process creation events in "Security" channel.
-    :param event_queue: A queue to store the received events
+        You can only subscribe by event ID or provider, not both.
+    :param provider: The name of the provider to subscribe to.
+        You can only subscribe by event ID or provider, not both.
     """
+
+    if event_id is None and provider is None:
+        raise ValueError("You must specify either an event ID or provider name to subscribe to.")
+    elif event_id and provider:
+        raise ValueError("You can only subscribe by event ID or provider, not both.")
+
     # This selects the System node within each event.
     # The System node contains metadata about the event, such as the event ID, provider name, timestamp, and more.
-    query = f"*[System/EventID={str(event_id)}]"
+    xpath_query = None
+    if provider:
+        xpath_query = f"*[System/Provider[@Name='{provider}']]"
+    elif event_id:
+        xpath_query = f"*[System/EventID={event_id}]"
 
     subscription = win32evtlog.EvtSubscribe(
         log_channel,
         win32evtlog.EvtSubscribeToFutureEvents,
         SignalEvent=None,
-        Query=query,
+        Query=xpath_query,
         Callback=_event_callback,
         Context={'event_queue': event_queue}
     )
 
-    print("Listening for new process creation events...")
-
     try:
         while True:
             time.sleep(1)

atomicshop/wrappers/pywin32w/win_event_log/subscribes/{subscribe_to_process_create.py → process_create.py}

@@ -7,6 +7,8 @@ from .....print_api import print_api
 
 AUDITING_REG_PATH: str = r"Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
 PROCESS_CREATION_INCLUDE_CMDLINE_VALUE: str = "ProcessCreationIncludeCmdLine_Enabled"
+LOG_CHANNEL: str = 'Security'
+EVENT_ID: int = 4688
 
 
 class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
@@ -14,9 +16,9 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
     Class for subscribing to Windows Event Log events related to process creation.
 
     Usage:
-        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import subscribe_to_process_create
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import process_create
 
-        process_create_subscriber = subscribe_to_process_create.ProcessCreateSubscriber()
+        process_create_subscriber = process_create.ProcessCreateSubscriber()
         process_create_subscriber.start()
 
         while True:
@@ -24,7 +26,7 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
             print(event)
     """
     def __init__(self):
-        super().__init__('Security', 4688)
+        super().__init__(log_channel=LOG_CHANNEL, event_id=EVENT_ID)
 
     def start(self):
         """Start the subscription process."""
@@ -45,7 +47,19 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
             If None, the function will block until an event is available.
         :return: A dictionary containing the event data.
         """
-        return super().emit(timeout=timeout)
+
+        data = super().emit(timeout=timeout)
+
+        data['NewProcessIdInt'] = int(data['NewProcessId'], 16)
+        data['ParentProcessIdInt'] = int(data['ProcessId'], 16)
+
+        # if user_sid != "Unknown":
+        #     try:
+        #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
+        #     except Exception as e:
+        #         print(f"Error looking up account SID: {e}")
+
+        return data
 
 
 def enable_audit_process_creation(print_kwargs: dict = None):

atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_terminate.py

@@ -0,0 +1,103 @@
+import subprocess
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+LOG_CHANNEL: str = 'Security'
+EVENT_ID: int = 4689
+
+
+class ProcessTerminateSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process termination.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import process_terminate
+
+        process_terminate_subscriber = process_terminate.ProcessTerminateSubscriber()
+        process_terminate_subscriber.start()
+
+        while True:
+            event = process_terminate_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, event_id=EVENT_ID)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_audit_process_termination()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+
+        data = super().emit(timeout=timeout)
+
+        data['ProcessIdInt'] = int(data['ProcessId'], 16)
+
+        return data
+
+
+def enable_audit_process_termination(print_kwargs: dict = None):
+    """
+    Enable the 'Audit Process Termination' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    if is_audit_process_termination_enabled():
+        print_api("Audit Process Termination is already enabled.", color='yellow', **(print_kwargs or {}))
+        return
+
+    audit_policy_command = [
+        "auditpol", "/set", "/subcategory:Process Termination", "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Process Termination'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Process Termination': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e
+
+
+def is_audit_process_termination_enabled(print_kwargs: dict = None) -> bool:
+    """
+    Check if the 'Audit Process Termination' policy is enabled.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    # Command to check the "Audit Process Creation" policy
+    audit_policy_check_command = [
+        "auditpol", "/get", "/subcategory:Process Termination"
+    ]
+    try:
+        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
+        output = result.stdout
+        # print_api(output)  # Print the output for inspection
+
+        if "Process Termination" in output and "Success and Failure" in output:
+            # print_api(
+            #     "'Audit Process Termination' is enabled for both success and failure.",
+            #     color='green', **(print_kwargs or {}))
+            return True
+        else:
+            # print_api(output, **(print_kwargs or {}))
+            # print_api(
+            #     "'Audit Process Termination' is not fully enabled. Check the output above for details.",
+            #     color='yellow', **(print_kwargs or {}))
+            return False
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to check 'Audit Process Termination': {e}", color='red', error_type=True, **(print_kwargs or {}))
+        return False

atomicshop/wrappers/pywin32w/win_event_log/subscribes/schannel_logging.py

@@ -0,0 +1,97 @@
+import winreg
+import sys
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+SCHANNEL_LOGGING_REG_PATH: str = r'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
+SCHANNEL_EVENT_LOGGING_KEY: str = 'EventLogging'
+LOG_CHANNEL: str = 'System'
+PROVIDER: str = 'Schannel'
+
+
+class SchannelLoggingSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process creation.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import schannel_logging
+
+        process_create_subscriber = schannel_logging.SchannelLoggingSubscriber()
+        process_create_subscriber.start()
+
+        while True:
+            event = process_create_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, provider=PROVIDER)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_schannel_logging()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+        return super().emit(timeout=timeout)
+
+
+def enable_schannel_logging(logging_value: int = 1, print_kwargs: dict = None):
+    """
+    Value 	Description
+    0x0000 	Do not log
+    0x0001 	Log error messages
+    0x0002 	Log warnings
+    0x0003 	Log warnings and error messages
+    0x0004 	Log informational and success events
+    0x0005 	Log informational, success events and error messages
+    0x0006 	Log informational, success events and warnings
+    0x0007 	Log informational, success events, warnings, and error messages (all log levels)
+    """
+
+    if is_schannel_logging_enabled(logging_value):
+        print_api(
+            "Schannel event logging is already enabled.", color='yellow',
+            **(print_kwargs or {}))
+        return
+
+    try:
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCHANNEL_LOGGING_REG_PATH, 0, winreg.KEY_ALL_ACCESS) as key:
+            winreg.SetValueEx(key, SCHANNEL_EVENT_LOGGING_KEY, 0, winreg.REG_DWORD, logging_value)
+
+        print_api(
+            "Successfully enabled Schannel logging.",
+            color='green', **(print_kwargs or {}))
+        print_api(
+            "Please restart the computer for the changes to take effect.",
+            color='yellow', **(print_kwargs or {}))
+        sys.exit()
+    except WindowsError as e:
+        print_api(
+            f"Failed to enable Schannel event logging: {e}", error_type=True,
+            color='red', **(print_kwargs or {}))
+
+
+def is_schannel_logging_enabled(logging_value: int) -> bool:
+    try:
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCHANNEL_LOGGING_REG_PATH, 0, winreg.KEY_READ) as key:
+            value, regtype = winreg.QueryValueEx(key, SCHANNEL_EVENT_LOGGING_KEY)
+            return value == logging_value
+    except FileNotFoundError:
+        return False
+    except WindowsError as e:
+        print(f"Failed to read the Schannel event logging setting: {e}")
+        return False

{atomicshop-2.14.1.dist-info → atomicshop-2.14.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.14.1
+Version: 2.14.3
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.14.1.dist-info → atomicshop-2.14.3.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=w-I1vM1vpc9PJDvoRTt804j2SwPM8mjp6n5FOtCdutg,123
+atomicshop/__init__.py,sha256=oGFh-WMJw07HDbokeQe5ZNDZSUzB3jHxbH8krJL842c,123
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -16,6 +16,8 @@ atomicshop/emails.py,sha256=I0KyODQpIMEsNRi9YWSOL8EUPBiWyon3HRdIuSj3AEU,1410
 atomicshop/file_types.py,sha256=-0jzQMRlmU1AP9DARjk-HJm1tVE22E6ngP2mRblyEjY,763
 atomicshop/filesystem.py,sha256=202ue2LkjI1KdaxvB_RHV-2eIczy2-caZGLO4PSePik,53887
 atomicshop/functions.py,sha256=pK8hoCE9z61PtWCxQJsda7YAphrLH1wxU5x-1QJP-sY,499
+atomicshop/get_process_list.py,sha256=hi1NOG-i8S6EcyQ6LTfP4pdxqRfjEijz9SZ5nEbcM9Q,6076
+atomicshop/get_process_name_cmd_dll.py,sha256=CtaSp3mgxxJKCCVW8BLx6BJNx4giCklU_T7USiCEwfc,5162
 atomicshop/hashing.py,sha256=Le8qGFyt3_wX-zGTeQShz7L2HL_b6nVv9PnawjglyHo,3474
 atomicshop/http_parse.py,sha256=nrf2rZcprLqtW8HVrV7TCZ1iTBcWRRy-mXIlAOzcaJs,9703
 atomicshop/inspect_wrapper.py,sha256=sGRVQhrJovNygHTydqJj0hxES-aB2Eg9KbIk3G31apw,11429
@@ -25,9 +27,7 @@ atomicshop/on_exit.py,sha256=Wf1iy2e0b0Zu7oRxrct3VkLdQ_x9B32-z_JerKTt9Z0,5493
 atomicshop/pbtkmultifile_argparse.py,sha256=aEk8nhvoQVu-xyfZosK3ma17CwIgOjzO1erXXdjwtS4,4574
 atomicshop/permissions.py,sha256=P6tiUKV-Gw-c3ePEVsst9bqWaHJbB4ZlJB4xbDYVpEs,4436
 atomicshop/print_api.py,sha256=DhbCQd0MWZZ5GYEk4oTu1opRFC-b31g1VWZgTGewG2Y,11568
-atomicshop/process.py,sha256=R1BtXWjG2g2Q3WlsyhbIlXZz0UkQeagY7fQyBOIX_DM,15951
-atomicshop/process_name_cmd.py,sha256=CtaSp3mgxxJKCCVW8BLx6BJNx4giCklU_T7USiCEwfc,5162
-atomicshop/process_poller.py,sha256=B91ugFIo84IMFXbWJeW8P7TsIkzYxMXBVWuvYqRXS-c,16107
+atomicshop/process.py,sha256=U2gyRl0bw2138y-rOMABMVptRvAL81ZfX1JyfxJI_Oo,15973
 atomicshop/python_file_patcher.py,sha256=kd3rBWvTcosLEk-7TycNdfKW9fZbe161iVwmH4niUo0,5515
 atomicshop/python_functions.py,sha256=zJg4ogUwECxrDD7xdDN5JikIUctITM5lsyabr_ZNsRw,4435
 atomicshop/question_answer_engine.py,sha256=DuOn7QEgKKfqZu2cR8mVeFIfFgayfBHiW-jY2VPq_Fo,841
@@ -106,10 +106,10 @@ atomicshop/etws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/const.py,sha256=v3x_IdCYeSKbCGywiZFOZln80ldpwKW5nuMDuUe51Jg,1257
 atomicshop/etws/providers.py,sha256=fVmWi-uGdtnsQTDpu_ty6dzx0GMhGokiST73LNBEJ38,129
 atomicshop/etws/sessions.py,sha256=k3miewU278xn829cqDbsuH_bmZHPQE9-Zn-hINbxUSE,1330
-atomicshop/etws/trace.py,sha256=v2yA3FicR9WIg5n5KlZEuYbLAzTTjiDk7avWxcEjwp8,8439
+atomicshop/etws/trace.py,sha256=KddD6_pXWhB1nr_ZsPTX1W3zayAdy5v0UxDsTcrme_w,7286
 atomicshop/etws/traces/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/etws/traces/trace_dns.py,sha256=-bw7JGDeAl2UtNGoSPeD_gh6ij4IGAbPdB8VWip8fXc,5960
-atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=WdlQiOfRZC-_PpuE6BkOw5zB0DLc3fhVrANyLrgfCac,4833
+atomicshop/etws/traces/trace_dns.py,sha256=rWQ8bv8eMHBRRkA8oxO9caYqj0h4Emw4aZXmoI3Q6fg,6292
+atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=OM-bkK38uYMwWLZKNOTDa0Xdk3sO6sqsxoMUIiPvm5g,4656
 atomicshop/file_io/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/file_io/csvs.py,sha256=y8cJtnlN-NNxNupzJgSeGq9aQ4wNxYLFPX9vNNlUiIc,5830
 atomicshop/file_io/docxs.py,sha256=6tcYFGp0vRsHR47VwcRqwhdt2DQOwrAUYhrwN996n9U,5117
@@ -139,13 +139,22 @@ atomicshop/mitm/engines/__reference_general/parser___reference_general.py,sha256
 atomicshop/mitm/engines/__reference_general/recorder___reference_general.py,sha256=KENDVf9OwXD9gwSh4B1XxACCe7iHYjrvnW1t6F64wdE,695
 atomicshop/mitm/engines/__reference_general/responder___reference_general.py,sha256=1AM49UaFTKA0AHw-k3SV3uH3QbG-o6ux0c-GoWkKNU0,6993
 atomicshop/monitor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/change_monitor.py,sha256=dGhk5bJPxLCHa2FOVkort99E7vjVojra9GlvhpcKSqE,7551
+atomicshop/monitor/change_monitor.py,sha256=K5NlVp99XIDDPnQQMdru4BDmua_DtcDIhVAzkTOvD5s,7673
 atomicshop/monitor/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/monitor/checks/dns.py,sha256=clslElMi2HZaO3G1nXt2t0O2Yj0vFsJd6CXRdIXCGJM,7038
+atomicshop/monitor/checks/dns.py,sha256=GHBQ2GEPaU3hAmK6l2vM2PKTcBNzDDF9ThZixqnl9Qk,7108
 atomicshop/monitor/checks/file.py,sha256=2tIDSlX2KZNc_9i9ji1tcOqupbFTIOj7cKXLyBEDWMk,3263
 atomicshop/monitor/checks/network.py,sha256=CGZWl4WlQrxayZeVF9JspJXwYA-zWx8ECWTVGSlXc98,3825
 atomicshop/monitor/checks/process_running.py,sha256=x66wd6-l466r8sbRQaIli0yswyGt1dH2DVXkGDL6O0Q,1891
 atomicshop/monitor/checks/url.py,sha256=1PvKt_d7wFg7rDMFpUejAQhj0mqWsmlmrNfjNAV2G4g,4123
+atomicshop/process_poller/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/process_poller/process_pool.py,sha256=1CaG6Cov-Pt_kZohfFeQFT42YBnEwNBA6ge55dxok_8,9600
+atomicshop/process_poller/simple_process_pool.py,sha256=hJkrn-efetLjyC8CevAFcsiKwBBKS8onYbf2ygq2J18,4540
+atomicshop/process_poller/tracer_base.py,sha256=IOiHcnmF-MccOSCErixN5mve9RifZ9cPnGVHCIRchrs,1091
+atomicshop/process_poller/pollers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/process_poller/pollers/psutil_pywin32wmi_dll.py,sha256=XRRfOIy62iOYU8IKRcyECWiL0rqQ35DeYbPsv_SHDVM,4510
+atomicshop/process_poller/tracers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/process_poller/tracers/event_log.py,sha256=Ob5v18VPZ__PN8TP6aJJjQZcDMwfGA2pIKwKjrl5j3k,1417
+atomicshop/process_poller/tracers/sysmon_etw.py,sha256=zn5YGX0Uro_Om7Gp1O4r0nlP1cR7BX1nYQmELPLZc9I,2500
 atomicshop/ssh_scripts/process_from_ipv4.py,sha256=uDBKZ2Ds20614JW1xMLr4IPB-z1LzIwy6QH5-SJ4j0s,1681
 atomicshop/ssh_scripts/process_from_port.py,sha256=uDTkVh4zc3HOTTGv1Et3IxM3PonDJCPuFRL6rnZDQZ4,1389
 atomicshop/startup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -251,9 +260,11 @@ atomicshop/wrappers/pywin32w/console.py,sha256=LstHajPLgXp9qQxFNR44QfH10nOnNp3bC
 atomicshop/wrappers/pywin32w/winshell.py,sha256=i2bKiMldPU7_azsD5xGQDdMwjaM7suKJd3k0Szmcs6c,723
 atomicshop/wrappers/pywin32w/wmi_win32process.py,sha256=qMzXtJ5hBZ5ydAyqpDbSx0nO2RJQL95HdmV5SzNKMhk,6826
 atomicshop/wrappers/pywin32w/win_event_log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=UztWltQPK_fQ3EWyY6tGfhAqwxDjK7RVIAZppu97rKI,5104
+atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=FYo2X0Xm3lb3GIdIt_8usoj7JPSDWj0iwsIJ4OwZLQM,8156
 atomicshop/wrappers/pywin32w/win_event_log/subscribes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-atomicshop/wrappers/pywin32w/win_event_log/subscribes/subscribe_to_process_create.py,sha256=Cviy1n3NSCGswQ4TxAyeDh7d21u8Vt3UOjnLmYYU2fQ,5602
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py,sha256=1PrPiDiuiVfzfzN5BUuxMfUoCgGW7RGgH6HVrjpTnQc,6064
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_terminate.py,sha256=0k09fiAwKDJO404bjxUWSSSLOiNANl-VTJDD_YLq-I8,3763
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/schannel_logging.py,sha256=8nxIcNcbeEuvoBwhujgh7-oIpL9A6J-gg1NM8hOGAVA,3442
 atomicshop/wrappers/socketw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/socketw/accepter.py,sha256=HQC1EyZmyUtVEfFbaBkHCE-VZp6RWyd9mEqAkgsE1fk,1749
 atomicshop/wrappers/socketw/base.py,sha256=1vvg8EhRGvnxdrRAm1VJSLCXkm2SZDHRjdpTuhkH3Mg,1844
@@ -270,8 +281,8 @@ atomicshop/wrappers/socketw/socket_server_tester.py,sha256=AhpurHJmP2kgzHaUbq5ey
 atomicshop/wrappers/socketw/socket_wrapper.py,sha256=aXBwlEIJhFT0-c4i8iNlFx2It9VpCEpsv--5Oqcpxao,11624
 atomicshop/wrappers/socketw/ssl_base.py,sha256=k4V3gwkbq10MvOH4btU4onLX2GNOsSfUAdcHmL1rpVE,2274
 atomicshop/wrappers/socketw/statistics_csv.py,sha256=t3dtDEfN47CfYVi0CW6Kc2QHTEeZVyYhc57IYYh5nmA,826
-atomicshop-2.14.1.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.14.1.dist-info/METADATA,sha256=rZNM503plkk4O9jvmeQTuAHA-7JS24mxM3k7bHNo0SA,10478
-atomicshop-2.14.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.14.1.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.14.1.dist-info/RECORD,,
+atomicshop-2.14.3.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.14.3.dist-info/METADATA,sha256=JhF66mFvmwPdaPxY9XiSY3ZjfBDikdaCzCF2PRNO0Ac,10478
+atomicshop-2.14.3.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.14.3.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.14.3.dist-info/RECORD,,