I am trying to compile the code in https://blog.securehat.co.uk/detection-experiments/detecting-parent-process-spoofing-using-krabsetw which is supposed to detect process creation. I see that the code is only able to detect processes created by PowerShell.
Why is it so?