System Events
Experimental: real-time kernel event capture via a WDM driver, with SQLite persistence.
Event Types
17 event types across 5 categories:
| Category | Events |
|---|---|
| Process | ProcessCreate, ProcessExit |
| Thread | ThreadCreate, ThreadExit |
| Image | ImageLoad (DLL/EXE loading) |
| Handle | ProcessHandleCreate, ProcessHandleDuplicate, ThreadHandleCreate, ThreadHandleDuplicate |
| Registry | RegistryCreate, RegistryOpen, RegistrySetValue, RegistryDeleteKey, RegistryDeleteValue, RegistryRenameKey, RegistryQueryValue |
Storage
- Database — %LOCALAPPDATA%\DioProcess\events.db
- Engine — SQLite with WAL mode for concurrent access
- Batched writes — 500 events or 100 ms flush interval
- Retention — 24-hour auto-cleanup (runs hourly)
UI Features
- Event table — Time, Type, PID, Process Name, Details
- Pagination — 500 events per page with navigation
- Category filter — Process, Thread, Image, Handle, Registry
- Type filter — Individual event types
- Search filter — PID, process name, command line, image name, registry key
- Auto-refresh — 1-second polling when driver loaded
- Color coding — Visual distinction by event type
- CSV export — Export current page
- Clear all — Delete all events from database
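The Storage and UI Features sections above describe a small persistence design: WAL-mode SQLite, writes batched at 500 events or 100 ms, an hourly sweep that drops events older than 24 hours, and a filtered, paginated view with free-text search. The following is an added example of that design in Python; it is not DioProcess's own code (the project's real schema, column names and writer are assumptions here), and the events it stores are constructed sample data. The clock is injectable so the time-based flush and the retention sweep can be exercised deterministically.

```python
"""Batched, WAL-mode SQLite event store modelled on the Storage section (example, not DioProcess code)."""
import sqlite3
import time

BATCH_SIZE = 500           # flush when this many events are queued...
FLUSH_INTERVAL = 0.1       # ...or when 100 ms have passed since the last flush
RETENTION_SECONDS = 24 * 3600
CLEANUP_INTERVAL = 3600    # retention sweep runs hourly
PAGE_SIZE = 500            # UI shows 500 events per page


class FakeClock:
    """Constructed clock for deterministic demos/tests; production code would pass time.time."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class EventStore:
    def __init__(self, path, clock=time.time):
        self.clock = clock
        self.conn = sqlite3.connect(path)
        # WAL lets the polling UI read while the capture thread inserts. On an
        # in-memory database SQLite reports "memory" instead of "wal"; that is fine.
        self.conn.execute("PRAGMA journal_mode=WAL")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS events ("
            " id INTEGER PRIMARY KEY, ts REAL NOT NULL, category TEXT NOT NULL,"
            " type TEXT NOT NULL, pid INTEGER, process_name TEXT, details TEXT)"
        )
        self.conn.execute("CREATE INDEX IF NOT EXISTS idx_events_ts ON events(ts)")
        self.pending = []
        self.last_flush = clock()
        self.last_cleanup = clock()

    def record(self, category, etype, pid, process_name, details):
        """Queue one event; flush on batch size or elapsed interval."""
        self.pending.append((self.clock(), category, etype, pid, process_name, details))
        if len(self.pending) >= BATCH_SIZE or self.clock() - self.last_flush >= FLUSH_INTERVAL:
            self.flush()

    def flush(self):
        """Write all queued events in a single transaction; returns the number written."""
        n = len(self.pending)
        if n:
            with self.conn:
                self.conn.executemany(
                    "INSERT INTO events (ts, category, type, pid, process_name, details)"
                    " VALUES (?, ?, ?, ?, ?, ?)", self.pending)
            self.pending.clear()
        self.last_flush = self.clock()
        return n

    def cleanup(self, force=False):
        """Delete events older than the retention window. Returns rows deleted, or None if not due yet."""
        now = self.clock()
        if not force and now - self.last_cleanup < CLEANUP_INTERVAL:
            return None
        self.last_cleanup = now
        with self.conn:
            cur = self.conn.execute("DELETE FROM events WHERE ts < ?", (now - RETENTION_SECONDS,))
        return cur.rowcount

    def count(self):
        return self.conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]

    def query(self, category=None, etype=None, search=None, page=0):
        """Filtered, paginated view like the UI table. Every user-supplied value is a bound parameter."""
        sql = "SELECT ts, type, pid, process_name, details FROM events"
        clauses, params = [], []
        if category:
            clauses.append("category = ?")
            params.append(category)
        if etype:
            clauses.append("type = ?")
            params.append(etype)
        if search:
            # PID matches exactly; text fields match as substrings. LIKE wildcards typed by the
            # user ('%', '_') are escaped so they are searched for literally.
            esc = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
            like = "%" + esc + "%"
            clauses.append("(CAST(pid AS TEXT) = ? OR process_name LIKE ? ESCAPE '\\'"
                           " OR details LIKE ? ESCAPE '\\')")
            params += [search, like, like]
        if clauses:
            sql += " WHERE " + " AND ".join(clauses)
        sql += " ORDER BY ts DESC, id DESC LIMIT ? OFFSET ?"
        params += [PAGE_SIZE, page * PAGE_SIZE]
        return self.conn.execute(sql, params).fetchall()

    def clear_all(self):
        """The UI's 'Clear all': drop queued and persisted events."""
        self.pending.clear()
        with self.conn:
            self.conn.execute("DELETE FROM events")


if __name__ == "__main__":
    # Constructed demo; a real deployment would open %LOCALAPPDATA%\DioProcess\events.db.
    clock = FakeClock()
    store = EventStore(":memory:", clock=clock)
    store.record("Process", "ProcessCreate", 4242, "notepad.exe", "cmd=notepad.exe C:\\tmp\\a.txt")
    clock.advance(0.2)   # past the 100 ms interval, so the next record() flushes
    store.record("Registry", "RegistrySetValue", 4242, "notepad.exe", "HKCU\\Software\\Example Run")
    print(store.count(), "events persisted;", store.query(category="Registry"))
```

Two points worth noting for anyone reproducing this layout: the filter and search values only ever reach SQLite as bound parameters (with LIKE metacharacters escaped), so user input in the search box cannot alter the query; and because the page's database lives under %LOCALAPPDATA%, it is writable by the same user account whose activity it records, which makes it a local triage aid rather than tamper-evident audit storage.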
Event Details
Process Events
- PID, Parent PID
- Command line
- Creating process ID
- Exit code (for exit events)
Image Load Events
- Image base address
- Image size
- Full image path
- System/Kernel image flags
Handle Events
- Source process/thread ID
- Target process/thread ID
- Desired/Granted access
- Kernel handle flag
Registry Events
- Key name
- Value name (if applicable)
- Operation type
- Status code
Kernel Callbacks Used
- PsSetCreateProcessNotifyRoutineEx — Process events
- PsSetCreateThreadNotifyRoutine — Thread events
- PsSetLoadImageNotifyRoutine — Image load events
- ObRegisterCallbacks — Handle operation events
- CmRegisterCallbackEx — Registry events
Usage
- Ensure the kernel driver is loaded
- Navigate to the System Events tab
- Events will stream in automatically
- Use the filters to focus on specific event types
- Click on an event for detailed information