Raw Events

If you click the name of the process, you are redirected to the Process details of the selected process. Use filters at the top of the screen to refine the list of displayed items. Click Show Sub-Process Events - If you want to see the child process events as well.

The process tree on the right side - The process tree reflects the parent-child relationship between processes where child processes are shown directly beneath their parent and right-indented. Processes that are on the left are orphans.


important

Older versions of Windows do not produce WMI events. This functionality is available since Windows 10 version 1803.

Some of the events provide only partial information:

File write events - Only the first file change is recorded (This is per process. If two processes change the same file, both changes are recorded).

Registry related events - Only the first registry key change is recorded (first time by a process).

DLLLoad - Only dll's which AV does not whitelist are recorded.

TcpIp events - Only the first connection is recorded (first time by a process).

Http events - Only the first request is recorded (first time by a process).

ModuleDrop (a.k.a PEDrop) - It is reported only for the first drop of a given module (first time on a computer).

AmsiTriggerEvent - Only the first execution is recorded (first time on a computer).

Use the action buttons to limit the view of listed processes.