feat: implement ETW-based real-time monitoring for process and registry

Author: stylebending

Cargo.lock

@@ -3,7 +3,7 @@ resolver = "2"
 members = ["actions", "bus", "engine", "engine_core", "rules"]
 
 [workspace.package]
-version = "0.1.2"
+version = "0.1.3"
 edition = "2024"
 authors = ["Your Name"]
 license = "MIT"

Cargo.toml

@@ -10,8 +10,18 @@ A universal event automation system for Windows built in Rust. Monitor file syst
 ### Event Sources
 - **File System Watcher** - Monitor file creation, modification, deletion with pattern matching
 - **Window Event Monitor** - Track window focus, creation, destruction using Win32 API
-- **Process Monitor** - Detect process start/stop events with filtering
-- **Registry Monitor** - Watch registry key changes in real-time
+- **Process Monitor** - Kernel-level ETW process monitoring with real-time events (process, thread, file I/O, network)
+  - **Requires Administrator privileges**
+  - Process start/stop events with full details (PID, parent PID, command line, session ID)
+  - Thread creation/destruction monitoring
+  - File I/O operations per process
+  - Network connections per process
+- **Registry Monitor** - Kernel-level ETW registry monitoring with real-time events
+  - **Requires Administrator privileges**
+  - Registry key creation, deletion, modification
+  - Registry value set, delete, modify operations
+  - Process context for each operation
+  - Filter by registry hive and path
 
 ### Rule Engine
 - Pattern-based matching using glob syntax (`*.txt`, `**/*.log`)
@@ -115,7 +125,10 @@ enabled = false
 [[sources]]
 name = "process_monitor"
 type = "process_monitor"
-poll_interval_seconds = 2
+process_name = "chrome"
+monitor_threads = false
+monitor_files = false
+monitor_network = false
 enabled = false
 
 # Registry monitor - watch for system changes
@@ -227,8 +240,8 @@ engine.exe --uninstall
 │  Event Sources:                                         │
 │  ├── File Watcher (notify crate)                        │
 │  ├── Window Watcher (Win32 API)                         │
-│  ├── Process Monitor (EnumProcesses)                    │
-│  └── Registry Monitor (RegNotifyChangeKeyValue)         │
+│  ├── Process Monitor (ETW - kernel-level real-time)     │
+│  └── Registry Monitor (ETW - kernel-level real-time)    │
 │                                                         │
 │  Event Bus (tokio mpsc channels)                        │
 │                                                         │
@@ -302,11 +315,29 @@ The engine supports the following event types:
 - `WindowUnfocused` - Window lost focus
 
 ### Process Events
-- `ProcessStarted` - New process launched
-- `ProcessStopped` - Process terminated
-
-### Registry Events
-- `RegistryChanged` - Registry value modified
+- `ProcessStarted` - New process launched (includes PID, parent PID, name, path, command line, session ID, user)
+- `ProcessStopped` - Process terminated (includes PID, name, exit code)
+
+### Thread Events
+- `ThreadCreated` - New thread created in a process (includes PID, TID, start address)
+- `ThreadDestroyed` - Thread terminated (includes PID, TID)
+
+### File I/O Events (Process Context)
+- `FileAccessed` - File accessed by a process (includes PID, path, access mask)
+- `FileIoRead` - File read operation (includes PID, path, bytes read)
+- `FileIoWrite` - File write operation (includes PID, path, bytes written)
+- `FileIoDelete` - File deleted by a process (includes PID, path)
+
+### Network Events
+- `NetworkConnectionCreated` - New network connection (includes PID, local/remote addresses, protocol)
+- `NetworkConnectionClosed` - Network connection closed (includes PID, addresses)
+
+### Registry Events (via ETW - includes process context)
+- `RegistryChanged` - Registry operation detected with change type:
+  - **Created** - New registry key created
+  - **Modified** - Registry value modified or set
+  - **Deleted** - Registry key or value deleted
+- **Event metadata includes**: Process name, Process ID, Registry path, Value name (if applicable)
 
 ## Development
 

README.md

@@ -18,7 +18,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["fmt"] }
 notify = "6"
 clap = { version = "4", features = ["derive"] }
-windows = { version = "0.52", features = ["Win32_Foundation", "Win32_UI_WindowsAndMessaging", "Win32_UI_Accessibility", "Win32_System_Threading", "Win32_System_ProcessStatus", "Win32_System_Registry", "Win32_System_Services", "Win32_Security"] }
+windows = { version = "0.52", features = ["Win32_Foundation", "Win32_UI_WindowsAndMessaging", "Win32_UI_Accessibility", "Win32_System_Threading", "Win32_System_ProcessStatus", "Win32_System_Registry", "Win32_System_Services", "Win32_Security", "Win32_System_Diagnostics_Etw", "Win32_Storage_FileSystem", "Win32_System_Time", "Win32_System_Diagnostics_ToolHelp"] }
 windows-service = "0.8"
 lazy_static = "1.4"
 regex = "1"

engine/Cargo.toml

@@ -71,8 +71,12 @@ pub enum SourceType {
     ProcessMonitor {
         #[serde(default)]
         process_name: Option<String>,
-        #[serde(default = "default_poll_interval")]
-        poll_interval_seconds: u64,
+        #[serde(default)]
+        monitor_threads: bool,
+        #[serde(default)]
+        monitor_files: bool,
+        #[serde(default)]
+        monitor_network: bool,
     },
     RegistryMonitor {
         root: String,
@@ -86,10 +90,6 @@ fn default_true() -> bool {
     true
 }
 
-fn default_poll_interval() -> u64 {
-    2
-}
-
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct RuleConfig {
     pub name: String,

engine/src/config.rs

@@ -165,10 +165,14 @@ impl Engine {
             }
             SourceType::ProcessMonitor {
                 process_name,
-                poll_interval_seconds,
+                monitor_threads,
+                monitor_files,
+                monitor_network,
             } => {
                 let mut plugin = ProcessMonitorPlugin::new(&config.name)
-                    .with_poll_interval(*poll_interval_seconds);
+                    .with_thread_monitoring(*monitor_threads)
+                    .with_file_monitoring(*monitor_files)
+                    .with_network_monitoring(*monitor_network);
 
                 if let Some(name) = process_name {
                     plugin = plugin.with_name_filter(name);
@@ -288,14 +292,19 @@ impl Engine {
             TriggerConfig::ProcessStarted { process_name: _ } => Box::new(EventKindMatcher {
                 kind: EventKind::ProcessStarted {
                     pid: 0,
+                    parent_pid: 0,
                     name: String::new(),
+                    path: String::new(),
                     command_line: String::new(),
+                    session_id: 0,
+                    user: String::new(),
                 },
             }),
             TriggerConfig::ProcessStopped { process_name: _ } => Box::new(EventKindMatcher {
                 kind: EventKind::ProcessStopped {
                     pid: 0,
                     name: String::new(),
+                    exit_code: None,
                 },
             }),
             TriggerConfig::RegistryChanged { value_name: _ } => Box::new(EventKindMatcher {