Configuring Sysinternals Process Monitor for a Low Altitude trace



Article ID: 217897




Data Loss Prevention Endpoint Protection


You need to configure Sysinternals Process Monitor to capture a low altitude trace.




  1. Download procmon.exe from the Microsoft Windows Sysinternals website.
  2. Launch procmon.exe and accept the EULA.
  3. Open regedit.exe.
  4. Navigate to:
    HKLM\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance
  5. Update the Altitude value to 45100.
  6. Right-click the "Process Monitor 24 Instance" key and click Permissions...
  7. Click the Advanced button.
  8. Click the Disable inheritance button.
  9. Select "Convert inherited permissions into explicit permissions on this object".
  10. Click the Add... button on the Permissions tab.
  11. Click the "Select Principal" link.
  12. Type "everyone" (without quotes) into the "Enter the object name to select" text box.
  13. Click Check Names, then OK.
  14. Set the Permission Entry Type to "Deny".
  15. Click the "Show advanced permissions" link.
  16. Ensure that the only permissions selected are "Set Value" and "Delete" (uncheck "Read Control" if checked).
  17. Click OK, OK, Yes, OK.
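
Steps 3 through 17 can also be scripted. The PowerShell below is an added example, not part of the original article or any vendor tooling. It assumes an elevated session, that steps 1 and 2 have already been completed so the key exists, that Altitude is stored as a REG_SZ value, and that the Deny entry applies to this key only.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of steps 3-17 (not the vendor's own script).
$subKey = 'SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance'
$access = [System.Security.AccessControl.AccessControlSections]::Access

# Open the key with just the rights needed to edit the value and its DACL.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $subKey,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, ReadPermissions, ChangePermissions')
if ($null -eq $key) {
    throw 'Key not found. Launch procmon.exe once and accept the EULA first (steps 1-2).'
}

try {
    # Step 5: set the altitude before the Deny entry blocks further writes.
    # Assumption: Altitude is a REG_SZ value.
    $key.SetValue('Altitude', '45100', [Microsoft.Win32.RegistryValueKind]::String)

    $acl = $key.GetAccessControl($access)

    # Steps 8-9: disable inheritance and convert inherited entries to explicit ones.
    $acl.SetAccessRuleProtection($true, $true)

    # Steps 10-16: Deny entry for Everyone (well-known SID S-1-1-0) with only
    # "Set Value" and "Delete". Assumption: the entry applies to this key only.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $deny = [System.Security.AccessControl.RegistryAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    $key.SetAccessControl($acl)

    # Read the result back so it can be compared with the expected end state.
    $result = $key.GetAccessControl($access)
    "Altitude             : $($key.GetValue('Altitude'))"
    "Inheritance disabled : $($result.AreAccessRulesProtected)"
    $result.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
}
finally {
    $key.Close()
}
```

Once the Deny entry is in place, a second run fails when it requests Set Value on the key; remove the entry in regedit before changing the altitude again.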

At the end of this process, the Special Permissions entry for Everyone should be of type "Deny", with only "Set Value" and "Delete" selected.