Configuring Sysinternals Process Monitor for a Low Altitude trace

Article ID: 217897

Products

Data Loss Prevention Endpoint Protection

Issue/Introduction

You need to configure Sysinternals Process Monitor to capture a low altitude trace.

Environment

Windows

Resolution

  1. Download procmon.exe from the Microsoft Windows Sysinternals website.
  2. Launch procmon.exe and accept the EULA.
  3. Open regedit.exe
  4. Navigate to:
    HKLM\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance
  5. Update the Altitude value to 45100 as shown below:
  6. Right-click the "Process Monitor 24 Instance" key and click Permissions...
  7. Click the Advanced button.
  8. Click the Disable inheritance button.
  9. Select "Convert inherited permissions into explicit permissions on this object".
  10. Click the Add... button on the Permissions tab.
  11. Click the "Select Principal" link.
  12. Type "everyone" (without quotes) into the "Enter the object name to select" text box.
  13. Click Check Names, then OK.
  14. Set the Permission Entry Type to "Deny".
  15. Click the "Show advanced permissions" link.
  16. Ensure that the only permissions selected are "Set Value" and "Delete" (uncheck "Read Control" if checked).
  17. Click OK, OK, Yes, OK.

The Special Permissions Entry for Everyone should look like the following at the end of this process:
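The registry steps above (set the Altitude, disable inheritance, add a Deny entry for Everyone limited to "Set Value" and "Delete") can also be applied from an elevated PowerShell session. The script below is an added example, not part of this article or a Microsoft tool; it assumes the PROCMON24 service key already exists (procmon.exe must have been launched once, as in step 2) and that Altitude is stored as a REG_SZ string, which is how the Process Monitor driver records it.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the "low altitude" Process Monitor configuration
# described in the article. Assumes the PROCMON24 instance key exists.

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance'
$Altitude = '45100'

function Set-ProcmonLowAltitude {
    param(
        [string]$Path     = $KeyPath,
        [string]$Value    = $Altitude
    )

    if (-not (Test-Path -Path $Path)) {
        throw "Instance key not found: $Path. Launch procmon.exe once so the driver registers itself."
    }

    # Step 5: set the Altitude value (REG_SZ).
    Set-ItemProperty -Path $Path -Name 'Altitude' -Value $Value -Type String

    # Steps 6-9: disable inheritance and convert inherited entries to explicit ones.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)

    # Steps 10-16: Deny "Set Value" and "Delete" for Everyone (well-known SID S-1-1-0),
    # so neither the value nor the key can be rewritten or removed.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::Delete
    $deny     = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $everyone,
                    $rights,
                    [System.Security.AccessControl.InheritanceFlags]::None,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)

    # Step 17: commit the ACL.
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ProcmonLowAltitude {
    param([string]$Path = $KeyPath, [string]$Value = $Altitude)

    $current = (Get-ItemProperty -Path $Path -Name 'Altitude').Altitude
    $acl     = Get-Acl -Path $Path
    $denyAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.RegistryRights -eq 'SetValue, Delete'
    }

    [pscustomobject]@{
        AltitudeMatches   = ($current -eq $Value)
        InheritanceOff    = $acl.AreAccessRulesProtected
        DenyEntryPresent  = ($null -ne $denyAce)
    }
}

Set-ProcmonLowAltitude
Test-ProcmonLowAltitude | Format-List
```

Test-ProcmonLowAltitude reads the key back and reports whether the value, the inheritance setting and the Deny entry match what the article's screenshots show. Because the Deny entry applies to Everyone, including administrators, changing the altitude again later requires first removing that access rule (for example with RemoveAccessRule on the same RegistrySecurity object) before Set-ItemProperty will succeed.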