A local flight recorder for Windows terminal activity and transient process logging.
ShellScope uses Windows Management Instrumentation (WMI) to capture process creation events, including short-lived "flash" processes (under 100ms). It logs command-line arguments to a local SQLite database, providing a comprehensive audit trail of system activity without external dependencies.
- Transient Process Capture: Detects and logs processes with lifespans under 100ms.
- Argument Logging: Captures full command-line arguments for detailed analysis.
- Local-First Architecture: All data is stored locally in SQLite with no cloud uploads.
- Low Resource Usage: Efficient Python backend combined with a performant Flutter UI.
- Frontend: Flutter (Desktop)
- Backend: Python (WMI, SQLite)
- Inter-Process Communication: JSON over stdout/pipes
- Python 3.8 or higher
- Flutter SDK
- Windows OS
- Clone the repository:
  git clone https://github.com/yourusername/shellscope.git
  cd shellscope
- Install Python requirements:
  pip install wmi pywin32
- Run the Flutter application:
  cd shellscope
  flutter run -d windows
The ShellScope dashboard provides a real-time view of system activity.
- Process List: Displays all captured processes.
- Green: Safe or standard processes.
- Red: Suspicious activity (e.g., commands using -enc).
- Status Indicator: Shows whether a process is currently "Running" or "Closed".
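A condensed sketch of the backend path described above (WMI creation event, SQLite row, JSON line to the UI, `-enc` rule for the red marker), written as an added illustration rather than ShellScope's own code; the table layout, function names, the `-EncodedCommand` long form and the `wmi` module's `watch_for(notification_type, delay_secs)` call are assumptions of this example:

```python
"""Minimal ShellScope-style recorder: WMI process-creation events -> local SQLite."""
import json
import re
import sqlite3
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS processes (
    pid INTEGER, name TEXT, command_line TEXT, first_seen REAL, suspicious INTEGER)"""
# Dashboard rule from the README: flag commands using -enc. Matching -enc as a
# prefix also covers the long form -EncodedCommand (assumed worth catching).
SUSPICIOUS = re.compile(r"(?i)(?:^|\s)-enc\w*")


def open_db(path=":memory:"):
    """Open or create the local store; nothing leaves the machine."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def is_suspicious(command_line):
    return bool(command_line) and SUSPICIOUS.search(command_line) is not None


def record(conn, pid, name, command_line, first_seen=None):
    """Persist one creation event; the returned dict is the JSON payload sent to the UI."""
    row = {"pid": pid, "name": name, "command_line": command_line or "",
           "first_seen": time.time() if first_seen is None else first_seen,
           "suspicious": int(is_suspicious(command_line))}
    with conn:
        conn.execute("INSERT INTO processes VALUES "
                     "(:pid, :name, :command_line, :first_seen, :suspicious)", row)
    return row


def fetch_all(conn):
    cur = conn.execute("SELECT pid, name, command_line, first_seen, suspicious "
                       "FROM processes ORDER BY first_seen")
    return [dict(zip([d[0] for d in cur.description], r)) for r in cur.fetchall()]


def watch(db_path="shellscope.db", delay_secs=0.1):
    """Windows-only loop over Win32_Process creation events (wmi module; assumed
    watch_for(notification_type, delay_secs) signature). WMI polls every delay_secs,
    so processes shorter than that window can still be missed."""
    import wmi  # needs `pip install wmi pywin32`; imported here so the rest runs anywhere
    conn = open_db(db_path)
    watcher = wmi.WMI().Win32_Process.watch_for("creation", delay_secs=delay_secs)
    while True:
        ev = watcher()  # blocks until the next creation event
        row = record(conn, int(ev.ProcessId), ev.Name, ev.CommandLine)
        print(json.dumps(row), flush=True)  # JSON over stdout for the Flutter front end
```

The polling caveat in `watch` is why the roadmap's ETW integration matters: a subscription-based source removes the window in which a flash process can start and exit unseen.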
- Linux Support: Implementation via Netlink.
- macOS Support: Implementation via Endpoint Security or psutil.
- ETW Integration: Integration with Event Tracing for Windows for lower latency event capture.
MIT License