The New Zealand HoneyNet Project

How to use Capture BAT

Capture BAT is started from the command line by executing CaptureBAT.exe. This loads the monitors and starts writing the system events to the screen. To have Capture BAT log the events to a file instead, pass the flag '-l output_file_name'. To exit the application cleanly, press 'q' and Enter. To control which events are reported and which are omitted, configure the exclusion lists described below and restart Capture BAT.

There is one exclusion list per monitor: FileSystemMonitor.exl, RegistryMonitor.exl, and ProcessMonitor.exl. These are plain text files. The default policy is to report all events; each row in an exclusion list adds one rule. Values can be written as regular expressions, so a group of related exclusions can be collapsed into a single line. A rule omits or includes events by event type and object name: an omission is denoted by a plus sign and an explicit inclusion by a minus sign at the beginning of the rule. This lets one omit a large group of events and then override that setting for a subset of events that should still be reported. The list is processed in sequence to determine the final rules that apply, so the order of the rules matters. The exclusion lists shipped with Capture BAT exclude the events generated by a clean, idle Windows XP SP2 installation; anything they suppress will never reach the log, so review them before relying on a run and trim them when looking for activity that hides in those locations.

With version 2.0, Capture BAT can record additional information beyond the system events. When started with the flag '-c', the file monitor backs up into the logs directory any deleted file (copied before it is deleted) and any modified file that is not excluded (copied in its state after modification). In addition, Capture BAT can capture the machine's network traffic (non-promiscuous, i.e. only traffic to and from the host itself) into a pcap file that is also placed in the logs directory. When the Capture BAT process exits, the logs directory is zipped and the zip file is placed in the Capture BAT home directory.