Event Monitoring in TCC-RT

The TCC-RT command interpreter provides a set of "trigger" commands that allow you to monitor activities on your computer and to trigger your computer to take an action based on changes occurring in the computer. This tutorial teaches you how to use them.

Overview

TCC-RT features a number of internal commands to allow you to do real-time monitoring of your system. These commands include:

FOLDERMONITOR - Monitor folder and/or file creation, modification, and deletion

EVENTMONITOR - Monitor event logs

NETMONITOR - Monitor network connections and execute a command when a network is connected or disconnected

PROCESSMONITOR - Monitor processes and execute a command when a process is started or ended

SERVICEMONITOR - Monitor Windows services and execute a command when a service is started, paused, or stopped

USBMONITOR - Monitor USB connections and execute a command when a device is connected or disconnected

FIREWIREMONITOR - Monitor FireWire connections and execute a command when a device is connected or disconnected

CLIPMONITOR - Monitor Windows Clipboard activity and execute a command when the clipboard is modified

DATEMONITOR - Monitor the current Windows system date and time and execute a command when the date and time match

DEBUGMONITOR - Monitor writes to the OutputDebugString API

DISKMONITOR - Monitor free disk space

REGMONITOR - Monitor Windows Registry keys

SCREENMONITOR - Monitor the Windows screen saver

BLUETOOTHMONITOR - Monitor Bluetooth connections and execute a command when a device is connected or disconnected

POWERMONITOR - Monitor Windows system power changes

Using these commands, you can easily watch most activity going on in your computer and provide alerts, such as emails, or take actions, such as triggering a batch process, when a monitored event occurs.

You can have up to 100 monitoring commands running simultaneously in a single Take Command tab window. The examples below show how simple it is to set up triggers and give you an idea about some of the things you can do with triggers.

Example 1 -- FOLDERMONITOR

FOLDERMONITOR lets you monitor directory and file creation, deletion, renaming, and modification. Let's say you want to watch for a file called "FinalResult.htm" to be created in the "d:\Results" subdirectory, and then copy it to "http://mycompany.com/results/FinalResult.htm".

The traditional approach would be to create a script file that waits forever for the file:

(TCC-RT Syntax) FINAL.CMD:

do forever
  iff exist "d:\results\FinalResult.htm" then
    copy "d:\results\FinalResult.htm" "http://mycompany.com/results/FinalResult.htm"
    rem Delete the copied file by its full path, not relative to the current directory
    del "d:\results\FinalResult.htm"
    rem Wait for the file again
  endiff
  delay 10
enddo

This creates a separate TCC-RT session, wasting memory and continuously requiring a small amount of CPU time.

In TCC-RT you can do the same thing with a single command (shown here on one line):

foldermonitor d:\results /i"FinalResult.htm" created forever (copy "d:\results\FinalResult.htm" "http://mycompany.com/results/FinalResult.htm" & del d:\results\FinalResult.htm)

Here is what is happening:

1. foldermonitor d:\results -- causes the command to watch the subdirectory d:\results

2. /i"FinalResult.htm" -- says to include (watch) only files with the name FinalResult.htm in the monitoring

3. created forever -- means that we are looking only for files that are newly created, and that we will keep doing this in a continuous loop that runs forever

4. (copy "d:\results\FinalResult.htm" "http://mycompany.com/results/FinalResult.htm" & del d:\results\FinalResult.htm) -- copies the new file to a website and then deletes the file from the d:\results directory after it has been copied. You could execute a batch file here instead of creating a command group as we have done.

This command creates a separate thread in the current TCC-RT session instead of a separate session.

FOLDERMONITOR also sets four environment variables when a file or folder is created, deleted, modified, or renamed; the triggered command can query them. The variables are deleted after the command is executed.

_folderaction -- The type of change to the file or folder. The possible values are:

   CREATED

   DELETED

   MODIFIED (this includes changing the file size, attributes, or the date/time stamp)

   RENAMED

_foldername -- The name of the folder being monitored

_folderfile1 -- The name of the file or folder that was created/deleted/modified/renamed. If the file was renamed, _folderfile1 is the old name.

_folderfile2 -- If a file was renamed, _folderfile2 is the new name.

If you want to test for multiple changes, put all of the condition tests in a single FOLDERMONITOR command; otherwise FOLDERMONITOR will create a thread for each command (wasting your memory and CPU time).

For example, the following command will wait for any file to be created or changed in the d:\results directory and copy it to the web directory:

foldermonitor d:\results created modified forever (copy "%_folderfile1" "http://mycompany.com/results/")
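The following batch file is an added example and is not code from the TCC-RT tutorial. It carries the single-command advice above through for all four change types: run it once with no argument and it installs one FOLDERMONITOR thread; FOLDERMONITOR then calls the same file back with the argument EVENT, and the file writes one audit line per change, using the four _folder* variables and recording a SHA-256 (TCC-RT's built-in @SHA256 function) for files that still exist. The watched folder d:\secrets, the script path d:\scripts\folderaudit.btm and the log path are assumptions, as is treating _folderfile1 as a path the file can be opened by (the tutorial's own copy example uses it that way).

```batch
@echo off
rem folderaudit.btm -- added example, not code from the TCC-RT tutorial.
rem   folderaudit.btm        installs one FOLDERMONITOR in this TCC-RT session
rem   folderaudit.btm EVENT  is what FOLDERMONITOR calls back for each change
rem Watched folder, script path and log path are assumptions.
set logfile=d:\logs\folder-audit.log

iff "%1" == "EVENT" then
    rem Capture the monitor's variables first; they exist only while this command runs.
    set action=%_folderaction
    set folder=%_foldername
    set file1=%_folderfile1
    set file2=%_folderfile2

    iff "%action" == "RENAMED" then
        rem On a rename, _folderfile1 is the old name and _folderfile2 the new name.
        set detail=%file1 renamed to %file2
    elseiff "%action" == "DELETED" then
        rem The file is already gone, so there is nothing left to hash.
        set detail=%file1
    else
        rem CREATED or MODIFIED: give the writer a moment to finish, then record a
        rem SHA-256 (TCC-RT's built-in @SHA256 function) so later tampering is provable.
        delay 1
        set detail=%file1 sha256=%@sha256["%file1"]
    endiff

    rem One line per event: when, what happened, where, and to which file(s).
    echo %_date %_time %action %folder %detail >> "%logfile"
    quit
endiff

rem No argument: install a single monitor for all four change types (one thread, not four).
foldermonitor d:\secrets created deleted modified renamed forever (call d:\scripts\folderaudit.btm EVENT)
```

Because the monitor's variables are removed as soon as the triggered command finishes, the file copies them into ordinary variables before doing anything slow such as the one-second delay or the hash. A DELETED event cannot be hashed, and _folderfile2 only carries a value for RENAMED, which is why the three branches differ.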

 

Example 2 -- PROCESSMONITOR

PROCESSMONITOR monitors program starts and exits.

For example, if you want to be alerted with an email whenever a particular application exits:

processmonitor myapp* ended forever (sendmail [email protected] myapp Myapp just shut down!)

Here is what is happening:

1. processmonitor myapp* -- looks for any process with a name beginning with "myapp"

2. ended forever -- means that we are looking only for processes that have terminated (for any reason)

3. (sendmail [email protected] myapp Myapp just shut down!) -- creates and sends an email using the internal TCC-RT SENDMAIL command to [email protected] with a subject of "myapp" and message text of "Myapp just shut down!"

This is good for making sure that key production processes are operating as expected.

You can also use PROCESSMONITOR to watch for specific processes being started. Maybe a virus has escaped in your company that executes a malicious process -- call it malproc. The following command will look for the process running on a machine, kill it, and send you an email identifying where the infection is:

processmonitor malproc started forever (taskend /F malproc & sendmail [email protected] malproc I have malproc on my computer!)

This command does the following:

1. processmonitor malproc -- looks for any process with the name malproc

2. started forever -- means that we are looking only for processes that have just started (for any reason)

3. (taskend /F malproc & sendmail [email protected] malproc I have malproc on my computer!) -- uses the TCC-RT TASKEND command to force (/F) malproc to terminate immediately, and then creates and sends an email using the internal TCC-RT SENDMAIL command to [email protected] with a subject of "malproc" and message text of "I have malproc on my computer!"
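The following batch file is an added example, not code from the tutorial. It combines both PROCESSMONITOR uses above (alert when a production process exits, terminate a known-bad process when it starts) and adds a timestamped audit log so that each trigger leaves a record on the machine as well as in someone's inbox; it also restarts the production process, which is the usual follow-up to the exit alert. Run it once with no argument to install both monitors; PROCESSMONITOR calls it back with RESTART or CONTAIN, the same "execute a batch file instead of a command group" option the tutorial mentions. The paths d:\scripts\watchdog.btm, d:\apps\myapp.exe and d:\logs\process-audit.log and the recipient security@example.com are assumptions; %computername is the standard Windows environment variable.

```batch
@echo off
rem watchdog.btm -- added example, not code from the TCC-RT tutorial.
rem   watchdog.btm          installs both PROCESSMONITOR threads in this TCC-RT session
rem   watchdog.btm RESTART  called by PROCESSMONITOR when myapp* ends
rem   watchdog.btm CONTAIN  called by PROCESSMONITOR when malproc starts
rem Script path, application path, log path and recipient address are assumptions.
set logfile=d:\logs\process-audit.log
set me=d:\scripts\watchdog.btm

iff "%1" == "RESTART" then
    rem A production process exited for any reason: record it, restart it, tell someone.
    rem If myapp fails at startup this will fire repeatedly; the log shows how often.
    echo %_date %_time %computername myapp ended, restarting >> "%logfile"
    start "myapp" d:\apps\myapp.exe
    sendmail security@example.com myapp myapp restarted on %computername
    quit
elseiff "%1" == "CONTAIN" then
    rem A known-bad process name appeared: terminate it first, then write the audit trail.
    taskend /F malproc
    echo %_date %_time %computername malproc started and was terminated >> "%logfile"
    sendmail security@example.com malproc malproc seen on %computername
    quit
endiff

rem No argument: install the monitors. Each runs as a thread in this session
rem and keeps running after this batch file returns.
processmonitor myapp* ended forever (call %me RESTART)
processmonitor malproc started forever (call %me CONTAIN)
```

Putting the actions in a batch file rather than inline command groups keeps the two monitor lines short, lets the log entry take its timestamp at the moment the trigger fires, and means the response can be changed by editing one file instead of re-entering the monitor commands.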

 

The TCC-RT triggers are exceptionally powerful and flexible commands that give you the ability to monitor and manage your computers like never before.