In a computer system, the addition and removal of programs are logged in order to analyze the operation of the computer system as a whole, or to monitor the execution of an unauthorized program (thread or process).
Currently, most central processing units (CPUs) have a performance monitoring counter, a mechanism for counting events that occur inside the CPU or during communication or data exchange with an external device, e.g., the number of clock cycles, the number of executed instructions, and the number of cache misses. Such a performance monitoring counter can generate an interrupt on a specific or specified interrupt vector when it detects a specified event, and information accompanying the specified event can be acquired at the time the event occurs.
To monitor the addition or removal of a program in a target computer, the following methods have been used.
(1) The operating system (OS) itself is altered so that a log of the addition or removal of a program is captured. Alternatively, the OS is altered so as to include an interface that enables logging by an external program.
(2) Programs are monitored at regular intervals, driven by a timer interrupt (e.g., every 1 ms), to detect a newly created program or a program that has disappeared since the previous check.
According to method (1), the OS itself has to be altered. When a commercial OS is used, there are often restrictions on altering it, and even where alteration is attempted, functions of the OS itself frequently prevent it. According to method (2), since monitoring is performed only at regular intervals, a program that is created and disappears within a single interval is never captured. If the monitoring interval is shortened in order to capture such short-lived programs, the overhead of the monitoring process increases, which detrimentally affects overall system operation.
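The following is an added example, not part of the original description, that models method (2) to make its drawback concrete: a monitor reads the process table at fixed intervals and logs the difference between consecutive snapshots. The process lifetimes, the millisecond time unit and all names are constructed for illustration. It shows that a program whose entire lifetime falls between two polls is never logged, that logged timestamps are quantized to poll times rather than true creation or termination times, and that shortening the interval raises the number of polls (the monitoring overhead) in proportion.

```python
"""Model of an interval-polling program monitor (method (2) above).

Added illustration, not from the original text. A deterministic simulation:
`poll_monitor` samples the set of live PIDs at t = 0, interval, 2*interval, ...
and logs PIDs that appeared or disappeared since the previous sample.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class ProcLifetime:
    """A program alive on the half-open interval [start, end), times in ms (constructed)."""
    pid: int
    start: float
    end: float


# Constructed timeline: one long-running program, one that lives for 0.3 ms,
# one that lives for a little over two polling intervals.
SAMPLE_PROCS: List[ProcLifetime] = [
    ProcLifetime(pid=100, start=0.0, end=10.0),
    ProcLifetime(pid=101, start=0.2, end=0.5),
    ProcLifetime(pid=102, start=3.1, end=5.4),
]


def snapshot(procs: List[ProcLifetime], t: float) -> Set[int]:
    """PIDs that a process-table read at time t would return."""
    return {p.pid for p in procs if p.start <= t < p.end}


def poll_monitor(procs: List[ProcLifetime], interval: float,
                 horizon: float) -> Tuple[List[Tuple[float, str, int]], int]:
    """Poll every `interval` ms up to `horizon` and diff consecutive snapshots.

    Returns (log, polls): log entries are (poll_time, "added"|"removed", pid);
    polls is the number of process-table reads, a proxy for monitoring overhead.
    Poll times are computed as k * interval (not accumulated) to avoid drift.
    """
    log: List[Tuple[float, str, int]] = []
    prev: Set[int] = set()
    polls = 0
    k = 0
    while True:
        t = k * interval
        if t > horizon:
            break
        cur = snapshot(procs, t)
        # A PID present now but not at the previous poll is logged as "added";
        # the reverse is logged as "removed". The timestamp is the poll time,
        # not the true creation/termination time.
        for pid in sorted(cur - prev):
            log.append((t, "added", pid))
        for pid in sorted(prev - cur):
            log.append((t, "removed", pid))
        prev = cur
        polls += 1
        k += 1
    return log, polls


def missed_pids(procs: List[ProcLifetime],
                log: List[Tuple[float, str, int]]) -> Set[int]:
    """PIDs that existed but never appeared in any snapshot diff."""
    seen = {pid for _, _, pid in log}
    return {p.pid for p in procs} - seen


if __name__ == "__main__":
    for interval in (1.0, 0.25):
        log, polls = poll_monitor(SAMPLE_PROCS, interval, horizon=10.0)
        print(f"interval={interval} ms: {polls} polls, "
              f"missed PIDs={sorted(missed_pids(SAMPLE_PROCS, log))}")
        for entry in log:
            print("  ", entry)
```

With a 1 ms interval, PID 101 (alive from 0.2 ms to 0.5 ms) is never observed, and PID 102 is logged as added at 4.0 ms although it was created at 3.1 ms. Dropping the interval to 0.25 ms catches PID 101 but nearly quadruples the number of process-table reads over the same period.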