

How Instrumentation Works

Instrumentation is a method that enables CA ControlMinder to monitor, track, and change the execution flow of applications. Through instrumentation, CA ControlMinder monitors system processes, intercepts them, and loads a proprietary module into the application's address space.

The instrumentation process consists of two phases: the kernel instrumentation phase and the user-mode instrumentation phase.

Note: For more information about kernel and user-mode interceptions, refer to the Protecting Accounts chapter. For more information about instrumentation, see the Reference Guide.

The following diagram illustrates the instrumentation process:

[Diagram: the instrumentation process]

In the kernel instrumentation phase, CA ControlMinder performs the following:

  1. CA ControlMinder loads the instrumentation driver (cainstrm.sys) on system startup.
  2. A new process event is created as a result of a user or program action.
  3. At fixed intervals, the instrumentation driver scans the registry hive for instrumentation-approved processes.

    You specify the list of instrumentation-approved processes using the instrumentation ApplyonProcesses registry key. For more information about the instrumentation registry keys, see the Reference Guide.

  4. When CA ControlMinder identifies a new process event, it searches for the process name in the list of approved processes. If the name is found, the driver injects the instrumentation DLL into the process address space.

In the user-mode instrumentation phase, CA ControlMinder performs the following:

  1. The instrumentation dll scans the instrumentation registry hive to identify the plug-ins to load into the process address space and does one of the following:
  2. Using the Microsoft Detours library, CA ControlMinder runs hooking procedures for the specific functions that each plug-in targets.

    Microsoft Detours is a library for instrumenting Win32 functions. For more information about Microsoft Detours, see the Microsoft Detours web site.
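The two phases above, condensed into an added C example that is not CA ControlMinder's or Detours' own code: the kernel-phase decision (match the new process's image name against the ApplyonProcesses list) and the user-mode hook pattern (save the original, redirect to the detour, call through). The approved-process names, the pretend Win32 API and the plug-in logic are constructed assumptions; the real registry key path and DLL name are not given on this page. Real Detours rewrites the target function's prologue in place; the portable stand-in below swaps a function pointer, but the attach/trampoline/call-original flow is the same.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the ApplyonProcesses registry value (the list of
 * instrumentation-approved process names). Values are assumptions. */
static const char *approved_processes[] = { "notepad.exe", "svchost.exe" };

/* Case-insensitive compare: Windows image file names are case-insensitive. */
static int names_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Kernel phase, step 4: decide whether to inject, by image file name only,
 * which is exactly the criterion the text describes. */
int should_instrument(const char *image_path) {
    const char *base = strrchr(image_path, '\\');
    base = base ? base + 1 : image_path;
    for (size_t i = 0; i < sizeof approved_processes / sizeof *approved_processes; i++)
        if (names_equal(base, approved_processes[i])) return 1;
    return 0;
}

/* User-mode phase: a pretend Win32 API that a plug-in asks to have hooked. */
typedef int (*open_fn)(const char *);
static int real_open(const char *name) { return (int)strlen(name); }
static open_fn open_target = real_open;  /* the pointer callers go through */
static open_fn open_trampoline;          /* saved original, like Detours' trampoline */
static int intercepted_calls;

/* The plug-in's detour: inspect the call, then continue to the original. */
static int detour_open(const char *name) {
    intercepted_calls++;                  /* plug-in policy logic would run here */
    return open_trampoline(name);
}

/* DetourAttach/DetourDetach-style steps on the stand-in pointer. */
void attach_hook(void) { open_trampoline = open_target; open_target = detour_open; }
void detach_hook(void) { open_target = open_trampoline; }

int call_open(const char *name) { return open_target(name); }  /* what the app calls */
int intercepted(void) { return intercepted_calls; }
```

Because approval is decided by image file name alone, the registry list that feeds it is itself security-relevant configuration and should be covered by the same access controls as the rest of the instrumentation hive.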