The TCC-RT command interpreter provides a set of “trigger” commands that allow you to monitor activities on your computer and to trigger your computer to take an action based on changes occurring in the computer. This tutorial teaches you how to use them.
Overview
TCC-RT features a number of internal commands to allow you to do real-time monitoring of your system. These commands include:
• FOLDERMONITOR - Monitor folder and/or file creation, modification, and deletion.
• EVENTMONITOR - Monitor event logs.
• NETMONITOR - Monitor network connections and execute a command when a network is connected or disconnected.
• PROCESSMONITOR - Monitor processes and execute a command when a process is started or ended.
• SERVICEMONITOR - Monitor Windows services and execute a command when a service is started, paused, or stopped.
• USBMONITOR - Monitor USB connections and execute a command when a device is connected or disconnected.
• FIREWIREMONITOR - Monitor FireWire connections and execute a command when a device is connected or disconnected.
• CLIPMONITOR - Monitor Windows Clipboard activity and execute a command when the clipboard is modified.
• DATEMONITOR - Monitor the current Windows system date and time and execute a command when the date and time matches.
• DEBUGMONITOR - Monitor writes to the OutputDebugString API.
• DISKMONITOR - Monitor free disk space.
• REGMONITOR - Monitor Windows Registry keys.
• SCREENMONITOR - Monitor the Windows screen saver.
• BLUETOOTHMONITOR - Monitor Bluetooth connections and execute a command when a device is connected or disconnected.
• POWERMONITOR - Monitor Windows system power changes.
Using these commands, you can easily watch most activity on your computer and, when a monitored event occurs, either raise an alert (such as an email) or take an action (such as triggering a batch process).
You can have up to 100 monitoring commands running simultaneously in a single Take Command tab window. The examples below show how simple it is to set up triggers and give you an idea about some of the things you can do with triggers.
Example 1 -- FOLDERMONITOR
FOLDERMONITOR lets you monitor directory and file creation, deletion, renaming, and modification. Let's say you want to watch for a file called "FinalResult.htm" to be created in the "d:\Results" subdirectory, and then copy it to "http://mycompany.com/results/FinalResult.htm".
The traditional approach would be to create a script file that waited forever for the file:
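(TCC-RT Syntax) FINAL.CMD:
do forever
    rem Check whether the result file has appeared
    iff exist "d:\results\FinalResult.htm" then
        copy "d:\results\FinalResult.htm" "http://mycompany.com/results/FinalResult.htm"
        rem Delete by full path so the current directory does not matter
        del "d:\results\FinalResult.htm"
    endiff
    rem Wait 10 seconds, then check for the file again
    delay 10
enddo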
This creates a separate TCC-RT session, wasting memory and continuously requiring a small amount of CPU time.
In TCC-RT you can do the same thing with (on one line):
foldermonitor d:\results /i"FinalResult.htm" created forever (copy "d:\results\FinalResult.htm" "http://mycompany.com/results/FinalResult.htm" & del d:\results\FinalResult.htm)
Here is what is happening:
1. foldermonitor d:\results -- causes the command to watch the subdirectory d:\results
2. /i"FinalResult.htm" -- says to include (watch) only files with the name FinalResult.htm in the monitoring
3. created forever -- means that we are looking only for files that are newly created and that we will do this in a continuous loop that will execute forever
4. (copy "d:\results\FinalResult.htm" "http://mycompany.com/results/FinalResult.htm" & del d:\results\FinalResult.htm) -- copies the new file to a website and then deletes it from the d:\results directory. You could execute a batch file here instead of creating a command group as we have done.
This command creates a separate thread in the current TCC-RT session.
FOLDERMONITOR also creates four environment variables when a file or folder is created, deleted, modified, or renamed that can be queried by the command. The variables are deleted after the command is executed.
• _folderaction -- The type of change to the file or folder. The possible values are:
   o CREATED
   o DELETED
   o MODIFIED -- This includes changing the file size, attributes or the date/time stamp.
   o RENAMED
• _foldername -- The name of the folder being monitored
• _folderfile1 -- The name of the file or folder that was created/deleted/modified/renamed. If the file was renamed, _folderfile1 is the old name.
• _folderfile2 -- If a file was renamed, _folderfile2 is the new name
If you want to test for multiple changes, you should put the condition tests in a single FOLDERMONITOR command; otherwise FOLDERMONITOR will create a thread for each command (wasting your memory and CPU time).
For example, the following command will wait for any file to be created or changed in the d:\results directory and copy them to the web directory:
foldermonitor d:\results created modified forever (copy "%_folderfile1" "http://mycompany.com/results/")
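The following handler is an added example, not part of the original tutorial: it shows one FOLDERMONITOR command covering all four change types and branching on %_folderaction, while keeping a change log for later review. The file name onchange.btm and the d:\scripts and d:\logs paths are assumptions chosen for illustration.

```batch
rem onchange.btm (hypothetical name) -- handler for a single FOLDERMONITOR trigger.
rem Register it once, on one line, in the TCC-RT session:
rem   foldermonitor d:\results created deleted modified renamed forever (call d:\scripts\onchange.btm)
rem
rem FOLDERMONITOR sets the variables used below before it runs this file and
rem deletes them afterwards, so everything is read during this one run.

rem Record every change in a log kept OUTSIDE the monitored folder; writing
rem the log inside d:\results would itself fire the MODIFIED trigger.
rem d:\logs is an assumed location.
echo %_isodate %_time %_folderaction "%_folderfile1" "%_folderfile2" >> d:\logs\results-changes.log

iff "%_folderaction" == "CREATED" then
    rem New file: publish it
    copy "%_folderfile1" "http://mycompany.com/results/"
elseiff "%_folderaction" == "MODIFIED" then
    rem Size, attributes or timestamp changed: publish the updated copy
    copy "%_folderfile1" "http://mycompany.com/results/"
elseiff "%_folderaction" == "RENAMED" then
    rem _folderfile1 is the old name, _folderfile2 the new one
    echo Renamed "%_folderfile1" to "%_folderfile2"
elseiff "%_folderaction" == "DELETED" then
    rem Nothing to publish; the log entry above is the record of the deletion
    echo Deleted "%_folderfile1"
endiff
```

Because all four conditions are tested by one command, only one monitoring thread is created for the folder.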
Example 2 -- PROCESSMONITOR
PROCESSMONITOR monitors program starts and exits.
For example, if you want to be alerted with an email whenever a particular application exits:
processmonitor myapp* ended forever (sendmail [email protected] myapp Myapp just shut down!)
Here is what is happening:
1. processmonitor myapp* -- looks for any process with a name beginning with “myapp”
2. ended forever -- means that we are looking only for processes that have terminated (for any reason)
3. (sendmail [email protected] myapp Myapp just shut down!) -- creates and sends an email using the internal TCC-RT SENDMAIL command to [email protected] with a subject of “myapp” and message text of “Myapp just shut down!”
This is good for making sure that key production processes are operating as expected.
You can also use PROCESSMONITOR to watch for specific processes being started. Suppose a virus is loose in your company and it executes a malicious process -- call it malproc. The following script will look for the process starting on a machine, kill it and send you an email identifying where the infection is. The match is made on the process name, so the trigger stops and reports malproc each time it starts; it does not remove whatever is launching it.
processmonitor malproc started forever (taskend /F malproc & sendmail [email protected] malproc I have malproc on my computer!)
This code does the following:
1. processmonitor malproc -- looks for any process with the name malproc
2. started forever -- means that we are looking only for processes that have just started (for any reason)
3. (taskend /F malproc & sendmail [email protected] malproc I have malproc on my computer!) -- uses the TCC-RT TASKEND command to force (/F) malproc to terminate immediately and then creates and sends an email using the internal TCC-RT SENDMAIL command to [email protected] with a subject of “malproc” and message text of “I have malproc on my computer!”
The TCC-RT triggers are exceptionally powerful and flexible commands that give you the ability to monitor and manage your computers like never before.