ShellScope is a local flight recorder for these transient processes. It monitors the creation of terminal instances (cmd, powershell, wt) and logs their activity to a local SQLite database.
The architecture consists of two parts: 1. A Python backend that uses WMI (Windows Management Instrumentation) to hook into Win32_ProcessStartTrace events. This allows it to capture the process name, the parent process ID, and the full command line arguments before the process terminates. 2. A Flutter frontend that visualizes the logs in real time.
Current features in this MVP: Captures processes that live for less than 100ms. Logs full command line arguments to help identify hidden scripts. Highlights suspicious keywords (like "-enc" or "hidden"). Stores all data locally with no cloud dependency.
I am currently using WMI for the monitoring layer. I am aware this has some latency compared to a kernel driver, but it was easier to implement for an MVP.
I would appreciate feedback on the architecture, specifically on moving from WMI to ETW (Event Tracing for Windows) for better performance.
Project Page: https://shiks2.github.io/shellscope