User-Friendly Process Behavior Monitoring Tool

Orathai Sukwong

Many Windows users may experience a situation in which they cannot decide whether to allow the execution of an unknown file. If they knew what the file they are about to execute does, they would be able to make that decision wisely. Even if users decide to allow the execution, they should be able to monitor the program's behavior so that they can stop the execution once the program behaves maliciously. Program behavior here means creating, writing or deleting files or the registry. Unfortunately, none of the existing tools that I am aware of can provide that information in a user-friendly and understandable manner.

This tool will consist of two main parts: a kernel-level monitor driver and a user-level program. It will capture the create/read/write/delete operations on the file system and the registry, plus some parts of kernel memory. The driver has to be implemented efficiently so that it does not pose a noticeable burden on users and can run invisibly in the background. The user-level program will write the monitoring data into a log file. These monitoring data will be used to generate a relationship graph between processes and resources such as files and the registry. This graph should provide both a high-level view of the processes, so that users can understand them, and the technical details of all operations for further process analysis.

The driver is implemented in C. One part of the user-level program is implemented in C and the other part is written in Java. This tool can be deployed directly on top of Windows-based hosts or in conjunction with a virtual machine such as VMware or Xen.
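The log-to-graph step described above, as an added example that is not part of the tool itself: it turns monitoring records into a process-to-resource graph with a high-level per-process summary and the detailed operation list per edge. The record format and all sample lines are constructed here, since the abstract does not give the tool's real log format.

```python
from collections import defaultdict

# Constructed sample of records as the user-level program might log them
# (hypothetical format: timestamp|pid|process|operation|kind|resource).
SAMPLE_LOG = """\
1001|4120|setup.exe|create|file|C:\\Temp\\installer.tmp
1002|4120|setup.exe|write|file|C:\\Temp\\installer.tmp
1003|4120|setup.exe|write|registry|HKCU\\Software\\Example\\Installed
1004|4120|setup.exe|create|file|C:\\Program Files\\Example\\app.exe
1005|4120|setup.exe|delete|file|C:\\Temp\\installer.tmp
1006|5530|app.exe|read|registry|HKCU\\Software\\Example\\Installed
1007|5530|app.exe|read|file|C:\\Program Files\\Example\\app.exe
bad line that the parser must not choke on
"""

OPS = {"create", "read", "write", "delete"}

def parse_log(text):
    """Return (ts, pid, process, op, kind, resource) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 5)
        if (len(parts) != 6 or not parts[0].isdigit() or not parts[1].isdigit()
                or parts[3] not in OPS or parts[4] not in {"file", "registry"}):
            continue
        ts, pid, proc, op, kind, res = parts
        events.append((int(ts), int(pid), proc, op, kind, res))
    return events

def build_graph(events):
    """Bipartite graph: (process, pid) -> (kind, resource) -> ops in time order."""
    graph = defaultdict(lambda: defaultdict(list))
    for ts, pid, proc, op, kind, res in sorted(events):
        graph[(proc, pid)][(kind, res)].append(op)
    return graph

def high_level_view(graph):
    """Per process: how many files / registry keys it created, read, wrote or deleted."""
    summary = {}
    for proc, edges in graph.items():
        counts = defaultdict(int)
        for (kind, _res), ops in edges.items():
            for op in set(ops):
                counts[f"{op}_{kind}"] += 1
        summary[proc] = dict(counts)
    return summary

def shared_resources(graph):
    """Resources touched by more than one process: the edges that link processes."""
    touched = defaultdict(set)
    for proc, edges in graph.items():
        for res in edges:
            touched[res].add(proc)
    return {res: procs for res, procs in touched.items() if len(procs) > 1}
```

The detailed view is the graph itself (every edge keeps its ordered operations), while `high_level_view` gives the per-process summary a non-technical user would read first.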