Collect a Procmon Capture
Article ID: 285280

Products

  • Carbon Black App Control
  • Carbon Black App Control (formerly Cb Protection)
  • Carbon Black Cloud Audit and Remediation
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Container
  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
  • Carbon Black Cloud Managed Detection and Response
  • Carbon Black Cloud Managed Threat Hunting
  • Carbon Black Cloud Prevention
  • Carbon Black Cloud Workload
  • Carbon Black EDR
  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)
  • VMware Carbon Black

Issue/Introduction

How to collect a Process Monitor (Procmon) capture to send to Support.

Environment

  • All Products
  • Microsoft Windows: All Supported Versions

Resolution

Standard Procmon:

  1. Download and extract Process Monitor from Microsoft.
  2. Temporarily disable Tamper Protection on any applicable applications so that Procmon can read stack information correctly.
  3. Launch Procmon and configure the capture as follows:
    • Press CTRL+E to stop the current capture.
    • Press CTRL+X to clear the current results.
    • Filter > Filter... > click Reset, then uncheck the default exclude rule "Process Name is System" so that System process activity is captured > OK
    • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
  4. Start the capture (CTRL+E) when ready to reproduce the issue.
  5. After reproduction, stop the capture (Ctrl+E).
  6. Use File > Save and use the following options:
    • Events to save: All events
    • Format: Native Process Monitor Format (PML)
  7. Compress the PML and upload it to Support.
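
The following PowerShell script is an added example (not part of this article, and not from Microsoft's Procmon package) that drives steps 4, 5 and 7 of the Standard Procmon procedure from an elevated PowerShell prompt using Procmon's documented command-line switches. It assumes Procmon has been extracted to the folder given in -ProcmonDir (the default path is a placeholder). The filter change and the 100 ms profiling interval from step 3 are not command-line switches: set them once in the GUI and, if you want them reused, export them with File > Export Configuration and pass the resulting .pmc via -Config.

```powershell
# Added example: automate Standard Procmon steps 4, 5 and 7 (not the article's own code).
# Run from an elevated PowerShell prompt; Procmon needs administrative rights.
param(
    [string]$ProcmonDir = 'C:\Tools\ProcessMonitor',   # assumption: folder Procmon was extracted to
    [string]$OutDir     = "$env:USERPROFILE\Desktop",  # where the PML and ZIP are written
    [string]$Config     = ''                           # optional .pmc from File > Export Configuration
)

$exe = Join-Path $ProcmonDir 'Procmon.exe'
if (-not (Test-Path $exe)) { throw "Procmon.exe not found at $exe" }

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $OutDir "$env:COMPUTERNAME-$stamp.pml"

# Step 4: start the capture. /BackingFile writes events straight to a native PML
# (the format step 6 asks for), /Profiling turns on thread profiling events,
# /Quiet and /Minimized keep the UI out of the way, /AcceptEula skips the licence prompt.
$procArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/Profiling', '/BackingFile', "`"$pml`"")
if ($Config) { $procArgs += @('/LoadConfig', "`"$Config`"") }
Start-Process -FilePath $exe -ArgumentList $procArgs

Read-Host 'Procmon is capturing. Reproduce the issue, then press Enter to stop the capture' | Out-Null

# Step 5: /Terminate tells the running instance to stop and exit. Wait until both
# Procmon.exe and the Procmon64.exe it spawns on 64-bit Windows have exited, so the
# PML is completely written before it is compressed.
Start-Process -FilePath $exe -ArgumentList '/Terminate' -Wait
while (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) { Start-Sleep -Milliseconds 500 }

if (-not (Test-Path $pml)) { throw "No PML was produced at $pml" }

# Step 7: compress the PML for upload and report where it is.
$zip = [System.IO.Path]::ChangeExtension($pml, '.zip')
Compress-Archive -Path $pml -DestinationPath $zip -Force
$mb = (Get-Item $zip).Length / 1MB
Write-Host ("Capture saved: {0} ({1:N1} MB). Upload this file to Support." -f $zip, $mb)
```

Save it as Collect-ProcmonCapture.ps1 and run it as `.\Collect-ProcmonCapture.ps1 -ProcmonDir 'C:\Tools\ProcessMonitor'`. Keep the reproduction window short: a PML grows quickly with thread profiling enabled, and Compress-Archive has to read the whole file.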

Boot Procmon:

  1. Download and extract Process Monitor from Microsoft.
  2. Launch Procmon and configure the capture as follows:
    • Press CTRL+E to stop the current capture.
    • Press CTRL+X to clear the current results.
    • Filter > Filter... > click Reset, then uncheck the default exclude rule "Process Name is System" so that System process activity is captured > OK
    • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
    • Options > Enable Boot Logging
  3. Click OK and reboot the endpoint.
  4. After the reboot, open Process Monitor once more.
  5. When prompted, click Yes to save the boot-time activity as a PML (for example, Laptop1-bootlog.pml).
  6. Close Process Monitor, then open the PML it created to verify that it loads without errors.
  7. Compress the PML and upload it to Support.

Configure Procmon for Low Altitude:

A preconfigured Low Altitude Procmon (version 23) is attached to this article. Using it avoids the reboot that the manual steps below require. To use the latest version of Procmon instead, follow these steps:
  1. Download and extract Process Monitor from Microsoft.
  2. Launch and close Procmon once so that it creates the registry entries the following steps edit.
  3. Launch an administrative command prompt and issue the following command:
    fltmc filters
  4. Take a screenshot of the results and note the lowest Altitude shown (example: 40500).
  5. Click Start > Run > regedit > Ok
  6. Expand: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\Instances\Process Monitor XX Instance\ (where XX is the Procmon version number)
  7. Locate the string value named Altitude and set it to a number lower than the lowest altitude reported by fltmc filters (example: 40000).
  8. Right click the Registry Key: Process Monitor XX Instance and choose Permissions
  9. Click Add > Everyone > Check Names > OK.
  10. Click Advanced > Permissions tab > Everyone > Edit.
  11. Show advanced permissions and set the following options:
    • Type: Deny
    • Set Value: Check
    • Delete: Check
    • Read Control: Unchecked
  12. Click OK.
  13. In the Advanced Security Settings window, verify Everyone is selected and click Disable inheritance.
  14. When prompted, choose Convert inherited permissions into explicit permissions on this object.
  15. Click OK.
  16. When prompted by Windows Security, click Yes to continue.
  17. Click OK and exit the Registry Editor.
  18. Restart the endpoint to apply the changes, then confirm them from an elevated command prompt with the following command:
    fltmc instances
  19. Follow the relevant steps above to collect the desired Procmon capture (Standard or Boot).
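
The following PowerShell script is an added example (not part of this article or of Procmon) that checks the altitude relationship steps 3, 4, 7 and 18 describe. Run it once before editing the registry to get the lowest filter altitude and a suggested Procmon value, and again after the reboot to confirm that the value survived and that the Deny entry from steps 8 to 17 is in place. It assumes the Procmon version suffix (the XX in the article) is passed as -ProcmonVersion; the default 24 is a placeholder, and the "Everyone" principal name applies to English Windows installations.

```powershell
# Added example: verify the Low Altitude configuration (not the article's own code).
# Run from an elevated PowerShell prompt; fltmc and the HKLM key need administrative rights.
param(
    [string]$ProcmonVersion = '24'   # placeholder: use the XX from your PROCMONXX service key
)

function Get-FltmcFilters {
    # Parse the table printed by "fltmc filters"; each data row looks like
    #   FileInfo        5        40500        0
    # The header and dashed separator rows do not match the pattern and are skipped.
    foreach ($line in (& fltmc.exe filters 2>&1)) {
        if ("$line" -match '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>[\d.]+)\s+(?<frame>\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches.name
                Instances = [int]$Matches.inst
                Altitude  = [double]$Matches.alt
                Frame     = $Matches.frame
            }
        }
    }
}

$filters = @(Get-FltmcFilters)
if ($filters.Count -eq 0) { throw 'fltmc returned no filters; run this from an elevated prompt.' }

# Step 4: the lowest altitude among the other minifilters (Procmon's own, if loaded, is ignored).
$lowest = $filters | Where-Object { $_.Name -notlike 'PROCMON*' } |
          Sort-Object Altitude | Select-Object -First 1
Write-Host ("Lowest non-Procmon filter: {0} at altitude {1}" -f $lowest.Name, $lowest.Altitude)

# A round number strictly below it, matching the article's 40500 -> 40000 example.
$suggested = [math]::Floor(($lowest.Altitude - 1) / 1000) * 1000
Write-Host "Suggested Procmon altitude for step 7: $suggested"

# Steps 7 and 18: compare with the value stored under Procmon's instance key.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\PROCMON$ProcmonVersion\Instances\Process Monitor $ProcmonVersion Instance"
if (-not (Test-Path $key)) {
    Write-Warning "Key not found: $key. Launch and close Procmon once (step 2) and check the version suffix."
    return
}
$current = [double](Get-ItemProperty -Path $key -Name Altitude).Altitude
if ($current -lt $lowest.Altitude) {
    Write-Host "Procmon altitude $current is below $($lowest.Name); Procmon will attach beneath every other filter."
} else {
    Write-Warning "Procmon altitude $current is not below $($lowest.Altitude); the change has not taken effect or Procmon reset it."
}

# Steps 8 to 17: the Deny entry for Everyone is what stops Procmon from rewriting the value on launch.
$deny = (Get-Acl -Path $key).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
}
if ($deny) { Write-Host "Deny entry for Everyone present: $($deny.RegistryRights)" }
else       { Write-Warning 'No Deny entry for Everyone on the instance key; Procmon may reset the altitude.' }

# Step 18, after the reboot: show Procmon's live instances. Procmon must be running for
# its driver to be loaded, otherwise this prints nothing.
& fltmc.exe instances 2>&1 | Where-Object { "$_" -match 'PROCMON' }
```

The suggested value is only a starting point: any number below the lowest altitude works, but keep it above 0 and distinct from every existing altitude, and note that a filter loaded later with a lower altitude than Procmon's would still sit beneath it.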

Attachments

ProcmonLowAlt.zip