CB Response: How to Run Procmon at Low Altitude for Sensor Capture
Article ID: 285669

Issue/Introduction

How to Run Procmon at Low Altitude for Sensor Capture

Environment

  • Carbon Black Response Sensors: All Versions
  • Microsoft SysInternals Procmon

Resolution

  1. Download Procmon from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
  2. Run Procmon as an Administrator, then close the application so that it creates the registry entries needed
  3. Open Regedit.exe and navigate to "HKLM\System\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance"
  4. Set "Altitude" to "45100"
  5. To prevent Procmon from resetting the change, right-click the "Process Monitor 23 Instance" key and select Permissions...
  6. Select Advanced Permissions
  7. Under the Permissions tab, select "Add"
    • Open "Select Principal", type "everyone", click "Check Names" and then OK
    • Type: Deny
    • Applies to: This key and subkeys
    • Show Advanced Permissions
    • Select only "Set Value" and "Delete"
  8. Click Apply in both "Advanced Security Settings for Process Monitor 23 Instance" and "Permissions for Process Monitor 23 Instance" for the change to take effect
  9. Reboot the machine for the change to take effect
  10. When running a capture, you can confirm the altitude did not revert by running this command from an elevated Command Prompt:
    fltmc
  11. Zip the capture and upload it to CBVault
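The registry steps above (3 through 8) and the read-back in step 10 can also be scripted. The following PowerShell is an added example, not part of the original article and not a Carbon Black tool; it assumes the "Procmon23" key name used in this article (adjust $Key for the version installed), that the session is elevated, and that the Procmon minifilter reports a name containing "PROCMON" in fltmc output.

```powershell
# Added example: set Procmon's altitude and lock the key so Procmon cannot revert it.
# Assumes Procmon 23 (key name "Procmon23"); adjust $Key for other versions.
# Run from an elevated PowerShell session.

$Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance'
$Altitude = '45100'   # value from the article

if (-not (Test-Path $Key)) {
    throw "Key not found: $Key (run Procmon as Administrator once, then close it)"
}

# Step 4: write the Altitude value (REG_SZ). Do this BEFORE adding the Deny rule,
# because the Deny for "Everyone" applies to administrators as well.
Set-ItemProperty -Path $Key -Name 'Altitude' -Value $Altitude -Type String

# Steps 5-8: deny "Set Value" and "Delete" to Everyone on this key and its subkeys
# ("This key and subkeys" = ContainerInherit), so Procmon cannot write its default back.
$acl  = Get-Acl -Path $Key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $Key -AclObject $acl

# Read back what was written so the change can be confirmed before rebooting.
$current = (Get-ItemProperty -Path $Key -Name 'Altitude').Altitude
Write-Host "Altitude now: $current"
(Get-Acl -Path $Key).Access |
    Where-Object { $_.IdentityReference -eq 'Everyone' -and $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType

# Step 9 is the reboot. Step 10: after the reboot and while a capture is running,
# fltmc lists loaded minifilters with their altitudes; the Procmon driver is only
# loaded during a capture. Filter on the driver name (assumed to contain PROCMON).
Write-Host "`nLoaded filters matching PROCMON (run during a capture, after reboot):"
fltmc filters | Select-String -Pattern 'PROCMON'
```

Because the Deny rule is granted to Everyone, it blocks administrators too; to change the altitude again later, remove the rule first (Get-Acl, RemoveAccessRule with the same RegistryAccessRule, Set-Acl) and then write the new value.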

Additional Information

  • Procmon23 is the version installed in this example. You may see a different key name in your environment depending on the Procmon version installed
  • Lowering the Altitude lets Procmon capture the sensor's activity, which sits too low in the filter stack to be seen at Procmon's default altitude
  • The permission change is required because Procmon automatically reverts the Altitude value
  • A reboot is required because the Procmon filter driver is loaded into the kernel and cannot be unloaded without a restart.