How to find processes the sensor hooked into during a procmon capture

How to find processes the sensor hooked into during a procmon capture

search cancel

How to find processes the sensor hooked into during a procmon capture

book

Article ID: 291393

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Determine which processes the Carbon Black Cloud sensor hooked into during a Process Monitor capture

Environment

Carbon Black Cloud Sensor: 3.x and Higher
Microsoft Windows: All Supported Versions
Process Monitor

Resolution

Open the procmon file in Process Monitor
Select the filter icon
Add Include options
- "Operation is Load Image"
- "Path ends with ctiuser.dll"
Click OK to apply changes

Additional Information

This will only show processes that the sensor hooked into at the time of the procmon capture. If a process was running before the procmon started, this will not be captured.
A boot-logger procmon can gather events hooked into during service startup

Feedback

thumb_up Yes

thumb_down No