Repository: 0xhackerfren/ProcMon-MCP (https://github.com/0xhackerfren/ProcMon-MCP)
Description: An MCP to expose process monitoring and ETW tracing functionality to AI agents to assist in security work
Language: Python | License: MIT | Default branch: main | Stars: 69 | Forks: 4

# procmon-mcp

[![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue)](https://github.com/0xhackerfren/ProcMon-MCP)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
[![CI](https://github.com/0xhackerfren/ProcMon-MCP/actions/workflows/ci.yml/badge.svg)](https://github.com/0xhackerfren/ProcMon-MCP/actions/workflows/ci.yml)

An MCP server that gives AI assistants deep visibility into Windows internals: processes, ETW kernel traces, event logs, services, drivers, minifilters, and static PE analysis. Built for security researchers, reverse engineers, and anyone who wants an LLM that can actually see what Windows is doing.

> **This is a proof of concept (POC). Use at your own risk.**
>
> procmon-mcp interacts directly with sensitive Windows internals: kernel ETW traces, process memory, security event logs, service/driver enumeration, and UAC elevation requests. These operations can affect system stability, expose sensitive data, and require administrator privileges. There are no guardrails beyond what Windows itself enforces. **Review the tool list, understand what each tool does, and run this only in environments you control.** The authors assume no liability for misuse or unintended consequences.

## Why?

LLMs are blind to what your OS is doing. Every time you need process info, network connections, or trace data, you're alt-tabbing to Task Manager, Process Monitor, or PowerShell and pasting results back. procmon-mcp eliminates that loop: your AI assistant can directly query 18 tools covering live process state, kernel ETW traces, PE internals, event logs, services, drivers, and minifilters. Ask a question, get structured data, stay in flow.

## Quickstart

```
pip install procmon-mcp
```

Or run without installing:

```
uvx procmon-mcp
```

## Example prompts

Once connected, try asking your AI assistant:

- "What processes are making network connections right now?"
- "Start an ETW trace, launch notepad, stop the trace, and show me what happened"
- "Analyze the PE imports of C:\Windows\System32\cmd.exe and categorize the APIs"
- "Are any non-Microsoft services running? Show me their binary paths"
- "Show me recent logon events from the Security log"
- "Take a 30-second timed capture of all svchost processes and summarize the changes"
- "List all minifilter drivers and their altitudes"
- "What AV products does SecurityCenter2 report?"

## Features

- **Processes**: list, detailed metadata (modules, threads, command line, memory), point-in-time snapshots, timed multi-snapshots with optional trigger commands
- **ETW**: start/stop kernel traces with `logman` and `tracerpt`, list providers, preview CSV and summary output
- **Network**: TCP and UDP endpoint enumeration with owning-process filters
- **Services and drivers**: service listing with binary paths, kernel driver enumeration, `fltmc` minifilter output
- **PE analysis**: static import/export extraction with API category tags (Kernel API, Native API, Win32, Driver)
- **Event logs**: `Get-WinEvent` queries and a Security log convenience wrapper for audit event IDs (4688, 4624, 4672, 4648)
- **System**: OS build, AV product snapshot, elevation capability matrix, UAC helper
- **Presets**: Defender process/service/driver constants and scan trigger helpers

## How it compares

procmon-mcp is built to be a single server for live Windows internals: its 18 tools span processes, ETW kernel tracing, PE analysis, event logs, services, drivers, and minifilters. Other MCP servers in this space either focus narrowly (process listing only, event logs only) or do offline forensics from Linux. procmon-mcp gives your AI assistant direct, real-time access to the Windows instrumentation stack on the host it runs on.

## MCP client configuration

### Cursor

Add to your MCP settings (`.cursor/mcp.json` or global settings):

```json
{
  "mcpServers": {
    "procmon-mcp": {
      "command": "procmon-mcp",
      "args": []
    }
  }
}
```

If you installed into a virtual environment, point `command` at that environment's interpreter and run the package as a module. The client spawns `command` like any other process, so a bare `python` resolves through `PATH` (whichever interpreter is first there), not through `cwd`:

```json
{
  "mcpServers": {
    "procmon-mcp": {
      "command": "C:\\path\\to\\your\\venv\\Scripts\\python.exe",
      "args": ["-m", "procmon_mcp"]
    }
  }
}
```

### Claude Desktop

Add to `claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "procmon-mcp": {
      "command": "procmon-mcp",
      "args": []
    }
  }
}
```

## Tool reference

| Tool | Description | Required parameters |
|------|-------------|---------------------|
| `list_processes` | Processes with optional name/PID filter | none |
| `get_process_details` | Modules, threads, command line, memory | none |
| `capture_snapshot` | Point-in-time process, module, and network snapshot | none |
| `timed_capture` | Repeated snapshots over a duration | none |
| `start_etw_trace` | Start a kernel ETW trace (requires elevation) | `session_name` |
| `stop_etw_trace` | Stop trace and convert ETL output | `session_name` |
| `list_etw_providers` | Parse `logman query providers` | none |
| `get_network_connections` | TCP/UDP endpoints by process | none |
| `list_services` | Win32 services with paths | none |
| `list_drivers` | Kernel drivers via WMI | none |
| `get_minifilters` | `fltmc` filter and instance output | none |
| `analyze_pe` | Static PE imports and exports | `file_path` |
| `find_pe_files` | Recursive PE file discovery | `directory` |
| `query_event_log` | `Get-WinEvent` FilterHashtable query | none |
| `get_security_events` | Security log (IDs 4688, 4624, 4672, 4648) | none |
| `get_system_info` | OS build and AV snapshot | none |
| `check_elevation` | Capability matrix | none |
| `request_elevation` | UAC helper for a shell command | `command` |

All tools accept optional parameters beyond those listed. See the tool schemas for details.

## Elevation

Several capabilities require an elevated (administrator) token:

- **`start_etw_trace`** and **`stop_etw_trace`** drive the event trace session directly with `logman ... -ets`; starting a kernel trace needs administrator rights.
- **`get_security_events`** reads the Security log, which standard users cannot read by default.

Other tools run without elevation but may return partial results when Windows blocks enumeration (protected processes, restricted logs). Use **`check_elevation`** for the full capability matrix.

## Presets

The Defender preset (`procmon_mcp.presets.defender`) provides constants (`DEFENDER_PROCESSES`, `DEFENDER_SERVICES`, `DEFENDER_DRIVERS`), binary discovery, `MpCmdRun` resolution, `trigger_scan`, and `get_preset_config`. MCP tools stay generic and preset-agnostic.

## Development

```
pip install -e ".[dev]"
ruff check .
pytest
```

See [CONTRIBUTING.md](CONTRIBUTING.md) for full guidelines.

## Security

**This is a POC. The operations performed are sensitive by nature.** This tool reads process memory, enumerates kernel drivers, starts ETW trace sessions, queries security audit logs, and can trigger UAC elevation prompts. Run it only on machines you own or have explicit authorization to instrument. Never point it at production systems without understanding the implications.

Keep in mind that several tools act on parameters the model supplies: `request_elevation` runs the `command` it is given behind a UAC prompt, `start_etw_trace` and `stop_etw_trace` pass `session_name` to `logman`, and `analyze_pe` / `find_pe_files` read whatever `file_path` or `directory` they are handed. The server adds no allowlist or confirmation of its own, so anything that can influence the assistant's context, including untrusted content it has read, can drive those tools. See [SECURITY.md](SECURITY.md) for our security policy and responsible disclosure process.

## License

MIT. See [LICENSE](LICENSE).

## Summary

ProcMon-MCP is an MCP server that exposes Windows process monitoring and ETW tracing to AI assistants. It lets security researchers, reverse engineers and others query system state directly through 18 tools, including live process information, kernel ETW tracing, event logs, service and driver enumeration, and static PE analysis. It is written in Python and supports Python 3.10 and later. It is particularly suited to work that needs a deep understanding of, or debugging of, Windows operating system behaviour, such as security auditing and malware analysis. Because its operations touch sensitive system internals, use it with care and only in environments you control.
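The ETW feature, the `start_etw_trace` / `stop_etw_trace` / `list_etw_providers` tools and the Security note above all come down to the same thing: model-supplied parameters ending up on a `logman` or `tracerpt` command line. The following is an added example written for this page, not procmon-mcp's own implementation, of how a tool wrapper can parse `logman query providers`, validate the session name and output path, and build the argument vectors without a shell. The provider names, the sample `logman` output and the `traces` directory are constructed for the example; the commands themselves only run on Windows.

```python
"""Added example: hardening the logman/tracerpt calls behind an ETW start/stop
tool. Illustrative code written for this page, not procmon-mcp's own
implementation. Assumptions: the tool receives session_name, provider and a
trace directory from the MCP client; the provider is checked against the
output of `logman query providers`; commands run only on Windows, and only as
an argument list (never through a shell)."""
import os
import re
import subprocess
import sys

# Constructed sample in the format `logman query providers` prints: a header,
# a dashed rule, one "<name>  <{GUID}>" row per provider, then a status line.
SAMPLE_LOGMAN_OUTPUT = """\
Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Windows-Kernel-Process         {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}
Microsoft-Windows-Kernel-File            {EDD08927-9CC4-4E65-B970-C2560FB5C289}

The command completed successfully.
"""

PROVIDER_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<guid>\{[0-9A-Fa-f-]{36}\})$")
# The session name reaches logman's command line verbatim: allow a tight charset only.
SESSION_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_logman_providers(text):
    """Map provider name -> GUID from `logman query providers` output."""
    providers = {}
    for line in text.splitlines():
        m = PROVIDER_ROW.match(line.strip())
        if m:
            providers[m.group("name").strip()] = m.group("guid").upper()
    return providers


def validate_session_name(name):
    """Reject anything that is not a short, shell-safe identifier."""
    if not SESSION_NAME.fullmatch(name):
        raise ValueError(f"rejected session name {name!r}")
    return name


def confine_path(trace_dir, filename):
    """Resolve filename inside trace_dir; reject absolute paths and traversal."""
    base = os.path.realpath(trace_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes trace directory: {filename!r}")
    return target


def plan_trace(session_name, provider, trace_dir, logman_output=SAMPLE_LOGMAN_OUTPUT):
    """Return the argument vectors for start, stop and ETL->CSV conversion."""
    name = validate_session_name(session_name)
    providers = parse_logman_providers(logman_output)
    if provider not in providers:
        raise ValueError(f"unknown ETW provider {provider!r}")
    etl = confine_path(trace_dir, f"{name}.etl")
    csv = confine_path(trace_dir, f"{name}.csv")
    summary = confine_path(trace_dir, f"{name}-summary.txt")
    return {
        # -ets sends the command straight to the event trace session (no data collector set).
        "start": ["logman", "start", name, "-p", providers[provider], "-o", etl, "-ets"],
        "stop": ["logman", "stop", name, "-ets"],
        # tracerpt converts the ETL to CSV and writes a per-provider summary file.
        "convert": ["tracerpt", etl, "-o", csv, "-of", "CSV", "-summary", summary],
    }


def run(argv):
    """Execute one planned command without a shell; on non-Windows hosts only echo it."""
    if sys.platform != "win32":
        return " ".join(argv)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    plan = plan_trace("agent-trace", "Microsoft-Windows-Kernel-Process", "traces")
    for step in ("start", "stop", "convert"):
        print(step, "->", " ".join(plan[step]))
```

The three checks are deliberately boring: a character allowlist on the name, a resolved-path containment check on every file the trace writes, and a lookup of the requested provider in what `logman` actually reports. With those in place a prompt-injected `session_name` such as `x; whoami` or `..\..\boot.etl` fails before any process is spawned, and the commands are always passed as a list so nothing is re-parsed by a shell.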
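For the Event logs feature and the `query_event_log` / `get_security_events` tools, the useful part is not the `Get-WinEvent` call but what to do with the XML it returns. The following is an added example written for this page, not procmon-mcp's own code: it pulls the four audit IDs the README names (4688, 4624, 4672, 4648) with a FilterHashtable query, flattens each event's `EventData` into a record, and attaches a few triage flags. The sample events are constructed, and the triage heuristics are this example's assumptions, not the project's.

```python
"""Added example: parsing the raw event XML that Get-WinEvent returns for the
Security audit IDs 4688, 4624, 4672 and 4648 into structured records with a
few triage flags. Illustrative code written for this page, not procmon-mcp's
own implementation. Sample events are constructed; the triage heuristics are
this example's assumptions, not the project's."""
import ntpath
import subprocess
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData fields worth keeping, per audit event ID.
FIELDS = {
    4688: ("SubjectUserName", "NewProcessName", "CommandLine", "ParentProcessName"),
    4624: ("TargetUserName", "LogonType", "IpAddress", "LogonProcessName"),
    4672: ("SubjectUserName", "PrivilegeList"),
    4648: ("SubjectUserName", "TargetUserName", "TargetServerName", "ProcessName"),
}
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def fetch_security_events_xml(max_events=200):
    """Windows only: the FilterHashtable query from the README, one XML document per event."""
    ps = ("Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4624,4672,4648} "
          f"-MaxEvents {max_events} | ForEach-Object {{ $_.ToXml() }}")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                         check=True, capture_output=True, text=True).stdout
    return ["<Event" + chunk for chunk in out.split("<Event")[1:]]


def parse_event(xml_text):
    """One Get-WinEvent XML document -> flat dict plus triage flags."""
    root = ET.fromstring(xml_text)
    rec = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    for name in FIELDS.get(rec["event_id"], ()):
        rec[name] = data.get(name, "")
    rec["flags"] = triage(rec)
    return rec


def triage(rec):
    """Cheap first-pass flags (heuristics assumed for this example)."""
    eid, flags = rec["event_id"], []
    if eid == 4688:
        parent = ntpath.basename(rec["ParentProcessName"]).lower()
        child = ntpath.basename(rec["NewProcessName"]).lower()
        if parent in DOC_APPS and child in SHELLS:
            flags.append("shell-spawned-by-document-app")
    elif eid == 4624:
        remote = rec["IpAddress"] not in ("", "-", "127.0.0.1", "::1")
        if rec["LogonType"] == "10":
            flags.append("remote-interactive-logon")
        elif rec["LogonType"] == "3" and remote:
            flags.append("network-logon")
    elif eid == 4672:
        flags.append("privileged-logon")  # special privileges were assigned at logon
    elif eid == 4648 and rec["SubjectUserName"].lower() != rec["TargetUserName"].lower():
        flags.append("explicit-credentials-other-user")
    return flags


def summarize(xml_events):
    return [parse_event(x) for x in xml_events]


def _event(event_id, data, time="2026-06-12T03:58:55.000000Z"):
    """Constructed Security event in the shape Get-WinEvent's ToXml() produces."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Computer>LAB-PC</Computer></System><EventData>{rows}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed sample input
    _event(4688, {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\cmd.exe",
                  "CommandLine": "cmd.exe /c whoami",
                  "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"}),
    _event(4624, {"TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.0.0.5",
                  "LogonProcessName": "User32"}),
    _event(4672, {"SubjectUserName": "alice", "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"}),
    _event(4648, {"SubjectUserName": "alice", "TargetUserName": "Administrator",
                  "TargetServerName": "FILESRV01", "ProcessName": r"C:\Windows\System32\runas.exe"}),
]

if __name__ == "__main__":
    for rec in summarize(SAMPLE_EVENTS):
        print(rec["event_id"], rec["time"], rec["flags"])
```

On a real host, replace `SAMPLE_EVENTS` with `fetch_security_events_xml()`; the parser is the same because `ToXml()` emits exactly the `<Event>` document the sample builder mimics. Returning structured records rather than the raw XML is what makes the result usable by an assistant: it can filter on `flags`, group 4624 by `LogonType`, or chain a 4688 `CommandLine` into `analyze_pe` without re-parsing text.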