Collect a Procmon Capture
Article ID: 285280

Products

  • Carbon Black App Control (formerly Cb Protection)
  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

How to collect a Process Monitor (Procmon) capture for Support, either while reproducing an issue or across a reboot, and how to lower Procmon's minifilter altitude when it needs to load below other filter drivers.

Environment

  • Microsoft Windows: All Supported Versions
  • App Control: All Supported Versions
  • EDR: All Supported Versions

Resolution

Standard Procmon:

  1. Download and extract Process Monitor from Microsoft.
  2. Temporarily disable Tamper Protection on any applicable applications in order to properly access stack information.
  3. Launch Procmon and configure the capture as follows:
    • Press CTRL+E to stop the current capture.
    • Press CTRL+X to clear the current results.
    • Filter > Filter > Click Reset, then uncheck the default "Process Name is System" exclusion > OK
    • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
  4. Start the capture (CTRL+E) when ready to reproduce the issue.
  5. After reproduction, stop the capture (Ctrl+E).
  6. Use File > Save and use the following options:
    • Events to save: All events
    • Format: Native Process Monitor Format (PML)
  7. Compress the PML and upload to Support.
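The steps above are driven from the Procmon GUI. The following added example (not part of the article or of Process Monitor) scripts steps 3 through 7 with Procmon's documented command-line switches, which is useful when the same capture has to be repeated on several endpoints. It assumes that $ProcmonExe points at the extracted Procmon.exe or Procmon64.exe, that the filter and profiling settings from step 3 were configured once in the GUI and exported with File > Export Configuration to the .pmc passed as $ConfigFile, and that the paths shown are placeholders.

```powershell
# Added example, not from the article: scripted Standard Procmon capture (steps 3-7).
# Assumptions: $ProcmonExe is the extracted Procmon.exe/Procmon64.exe; $ConfigFile is a
# .pmc exported from the GUI after applying step 3 (filter reset, thread profiling at 100 ms);
# every path below is a placeholder.

function Start-ProcmonCapture {
    param(
        [Parameter(Mandatory)][string] $ProcmonExe,
        [Parameter(Mandatory)][string] $BackingFile,   # PML written directly by Procmon (native format, step 6)
        [string] $ConfigFile                           # optional .pmc exported from the GUI
    )
    # /Quiet skips the filter confirmation dialog, /Minimized keeps the window out of the repro.
    $argList = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $BackingFile)
    if ($ConfigFile) { $argList += @('/LoadConfig', $ConfigFile) }
    Start-Process -FilePath $ProcmonExe -ArgumentList $argList -Verb RunAs
}

function Stop-ProcmonCapture {
    # /Terminate tells the running instance to stop capturing, flush the backing file and exit (step 5).
    param([Parameter(Mandatory)][string] $ProcmonExe)
    Start-Process -FilePath $ProcmonExe -ArgumentList '/Terminate' -Verb RunAs -Wait
}

function Compress-ProcmonCapture {
    # Step 7: zip the PML for upload. Refuses a missing or empty file, which usually means
    # Procmon was not started elevated or was terminated before it wrote anything.
    param([Parameter(Mandatory)][string] $BackingFile)
    if (-not (Test-Path $BackingFile) -or (Get-Item $BackingFile).Length -eq 0) {
        throw "No capture written to $BackingFile; was Procmon started elevated?"
    }
    $zip = [System.IO.Path]::ChangeExtension($BackingFile, '.zip')
    Compress-Archive -Path $BackingFile -DestinationPath $zip -Force
    $zip
}

# Usage (placeholder paths):
#   Start-ProcmonCapture -ProcmonExe 'C:\Tools\Procmon64.exe' -BackingFile 'C:\Temp\repro.pml' -ConfigFile 'C:\Tools\support.pmc'
#   # ... reproduce the issue ...
#   Stop-ProcmonCapture -ProcmonExe 'C:\Tools\Procmon64.exe'
#   Compress-ProcmonCapture -BackingFile 'C:\Temp\repro.pml'
```

Before uploading, open the PML in Procmon once to confirm it loads without errors, the same check the Boot Procmon procedure below asks for.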

Boot Procmon:

  1. Download and extract Process Monitor from Microsoft.
  2. Launch Procmon and configure the capture as follows:
    • Press CTRL+E to stop the current capture.
    • Press CTRL+X to clear the current results.
    • Filter > Filter > Click Reset, then uncheck the default "Process Name is System" exclusion > OK
    • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
    • Options > Enable Boot Logging
  3. Click OK and reboot the endpoint.
  4. After the reboot, open Process Monitor once more.
  5. When prompted, click Yes to save the boot-time activity as a PML (Ex: Laptop1-bootlog.pml)
  6. Close Process Monitor, and open the PML created to verify it loads without errors.
  7. Compress the PML and upload to Support.

Configure Procmon for Low Altitude:

  1. Download and extract Process Monitor from Microsoft.
  2. Launch and close Procmon to create the registry entries needed.
  3. Launch an administrative command prompt and issue the following command:
    fltmc filters
  4. Screenshot the results, and note the lowest Altitude shown. Example: 40500
  5. Click Start > Run > regedit > Ok
  6. Expand: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\Instances\Process Monitor XX Instance\
  7. Locate the string value named Altitude and change it to a number lower than the lowest altitude reported by fltmc. Example: 40000
  8. Right click the Registry Key: Process Monitor XX Instance and choose Permissions
  9. Click Add > Everyone > Check Names > OK.
  10. Click Advanced > Permissions tab > Everyone > Edit.
  11. Show advanced permissions and set the following options:
    • Type: Deny
    • Set Value: Check
    • Delete: Check
    • Read Control: Unchecked
  12. Click OK.
  13. In the Advanced Security Settings window, verify Everyone is selected and click Disable inheritance.
  14. When prompted, choose Convert inherited permissions into explicit permissions on this object.
  15. Click OK.
  16. When prompted by Windows Security, click Yes to continue.
  17. Click OK and exit the Registry Editor.
  18. Restart the endpoint to apply the changes, and then in an elevated command prompt confirm the changes with the following command:
    fltmc instances
  19. Follow the relevant steps to capture the desired Procmon (Standard/Boot).
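A minifilter's altitude decides where it sits in the I/O stack: a lower number is closer to the file system, so lowering Procmon's altitude lets it record operations after the higher-altitude drivers have acted on them. The registry and permission edits above are easy to get wrong by hand, so the following added example (not part of the article, and not a Carbon Black or Sysinternals tool) scripts steps 3 through 18. It assumes an elevated PowerShell prompt, that Procmon has already been launched and closed once (step 2), that $ProcmonVersion is the "XX" in the PROCMONXX service name found under HKLM\SYSTEM\CurrentControlSet\Services, and that the endpoint is rebooted afterwards.

```powershell
# Added example, not from the article: scripted "Configure Procmon for Low Altitude" (steps 3-18).
# Assumptions: elevated prompt; Procmon launched and closed once so PROCMONXX exists;
# $ProcmonVersion is the XX from the service name (placeholder, read it from the Services key).

function Get-LowestFilterAltitude {
    # Steps 3-4: parse 'fltmc filters'. Data rows look like
    #   WdFilter                                6         328010         0
    # Legacy filters print '<Legacy>' instead of an instance count and carry no altitude, so they are skipped.
    $altitudes = foreach ($line in (fltmc filters)) {
        if ($line -match '^\s*\S+\s+\d+\s+(?<alt>\d+(\.\d+)?)\s+\d+\s*$') { [double]$Matches['alt'] }
    }
    if (-not $altitudes) { throw 'No altitudes parsed from "fltmc filters"; is this prompt elevated?' }
    ($altitudes | Measure-Object -Minimum).Minimum
}

function Set-ProcmonLowAltitude {
    param(
        [Parameter(Mandatory)][string] $ProcmonVersion,   # the XX in PROCMONXX (placeholder)
        [Parameter(Mandatory)][string] $Altitude           # e.g. '40000' when the lowest filter is 40500 (step 7)
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\PROCMON$ProcmonVersion\Instances\Process Monitor $ProcmonVersion Instance"
    if (-not (Test-Path $key)) { throw "Key not found: $key. Launch and close Procmon first (step 2)." }

    # Step 7: write the new altitude BEFORE locking the key down; the Deny below would block this write.
    Set-ItemProperty -Path $key -Name Altitude -Value $Altitude

    # Steps 8-11: explicit Deny for Everyone (well-known SID S-1-1-0) on Set Value and Delete.
    # Read Control is deliberately not denied, matching the "Read Control: Unchecked" step.
    $acl      = Get-Acl -Path $key
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rights   = [System.Security.AccessControl.RegistryRights]'SetValue, Delete'
    $deny     = [System.Security.AccessControl.RegistryAccessRule]::new(
                    $everyone, $rights,
                    [System.Security.AccessControl.InheritanceFlags]::None,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)

    # Steps 13-14: disable inheritance and convert the inherited entries into explicit ones.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $key -AclObject $acl

    # Echo the value that was written so the change can be checked against step 7.
    (Get-ItemProperty -Path $key -Name Altitude).Altitude
}

function Test-ProcmonAltitude {
    # Step 18, after the reboot: the Procmon instance should now appear with the lowered altitude.
    fltmc instances | Select-String -Pattern 'Process Monitor'
}

# Usage (elevated; '<XX>' is the placeholder from the PROCMONXX service name):
#   $lowest = Get-LowestFilterAltitude                     # e.g. 40500
#   Set-ProcmonLowAltitude -ProcmonVersion '<XX>' -Altitude ([string]([math]::Floor($lowest) - 500))
#   Restart-Computer                                        # then run Test-ProcmonAltitude
```

The altitude is written before the Deny entries are applied because, once Everyone is denied Set Value, the same elevated session can no longer change the value without first editing the permissions back, which is exactly the protection the manual steps set up.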