CB Response: How to Run Procmon at Low Altitude for Sensor Capture
Article ID: 285669
Issue/Introduction
How to Run Procmon at Low Altitude for Sensor Capture
Environment
- Carbon Black Response Sensors: All Versions
- Microsoft SysInternals Procmon
Resolution
- Download Procmon https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
- Run Procmon as an Administrator, then close it so that its driver registry entries are created
- Open Regedit.exe and find "HKLM\System\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance"
- Adjust "Altitude" to "45100"
- To prevent Procmon from resetting the change, right-click the "Process Monitor 23 Instance" key and select Permissions...
- Click Advanced
- Under the Permissions tab, select "Add"
- Click "Select a principal", type "Everyone", click "Check Names", then OK
- Type: Deny
- Applies to: This key and subkeys
- Click "Show advanced permissions"
- Select only "Set Value" and "Delete"
- Click Apply in both "Advanced Security Settings for Process Monitor 23 Instance" and "Permissions for Process Monitor 23 Instance" for the change to take effect
- Reboot the machine for the change to take effect
- When running a capture, you can confirm the altitude did not revert by running this command line as Administrator:
  fltmc
- Please zip the capture and upload to CBVault
Additional Information
- Procmon23 is the version installed in this example. You may see a different value in your environment depending on the Procmon version installed
- The Altitude change is needed because Procmon's default altitude sits above the sensor's filter driver, so sensor activity is never seen; setting it to 45100 places Procmon below the sensor so that information is captured
- The permissions change is required because Procmon automatically resets the Altitude value when it runs
- A reboot is required because the Procmon filter driver stays loaded in the kernel and cannot be unloaded, so the new altitude does not take effect until the machine restarts