Standard Procmon:

1. Download and extract Process Monitor from Microsoft.
2. Temporarily disable Tamper Protection on any applicable applications in order to properly access stack information.
   • App Control: Disable/Enable Tamper Protection
   • EDR: Disable Tamper Protection On The Windows Sensor
3. Launch Procmon and configure the capture as follows:
   • Press CTRL+E to stop the current capture.
   • Press CTRL+X to clear the current results.
   • Filter > Filter > Click Reset and uncheck Process Name > is System > OK
   • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
4. Start the capture (CTRL+E) when ready to reproduce
5. After reproduction, stop the capture (Ctrl+E).
6. Use File > Save and use the following options:
   • Events to save: All events
   • Format: Native Process Monitor Format (PML)
7. Compress the PML and upload to Support.

Boot Procmon:

1. Download and extract Process Monitor from Microsoft.
2. Launch Procmon and configure the capture as follows:
   • Press CTRL+E to stop the current capture.
   • Press CTRL+X to clear the current results.
   • Filter > Filter > Click Reset and uncheck Process Name > is System > OK
   • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
   • Options > Enable Boot Logging
3. Click OK and reboot the endpoint.
4. After the reboot, open Process Monitor once more.
5. When prompted, click Yes to save the boot-time activity as a PML (Ex: Laptop1-bootlog.pml)
6. Close Process Monitor, and open the PML created to verify it loads without errors.
7. Compress the PML and upload to Support.

Circular Logging:

1. Download and extract Process Monitor from Microsoft.
2. Launch Procmon and stop the current capture.
3. Choose: Options > History Depth...
   1. Enable Limit to and specify a size between 200 MB and 500 MB (ex: 300 MB)
   2. Click OK
4. Choose: File > Backing Files...
   1. Enable Use file named and specify a path (ex: C:\Temp\LogFile.pml)
   2. Click OK
5. Start the capture and reproduce the issue.
6. Once the capture is complete, compress all files in the path chosen (LogFile-1.pml, LogFile-2.pml, etc....) and provide to Support.

Configure Procmon for Low Altitude:

1. Download and extract Process Monitor from Microsoft.
2. Launch and close Procmon to create the registry entries needed.
3. Launch an administrative command prompt and issue the following command:

   fltmc filters

4. Screenshot the results, and note the lowest Altitude shown. Example: 40500
5. Click Start > Run > regedit > Ok
6. Expand: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\Instances\Process Monitor XX Instance\
7. Locate the String Name: Altitude and change the value lower than your lowest filter driver. Example: 40000
8. Right click the Registry Key: Process Monitor XX Instance and choose Permissions
   
9. Click Add > Everyone > Check Names > OK.
10. Click Advanced > Permissions tab > Everyone > Edit.
11. Show advanced permissions and set the following options:
    • Type: Deny
    • Set Value: Check
    • Delete: Check
    • Read Control: Unchecked
      
12. Click OK.
13. In the Advanced Security Settings window, verify Everyone is selected and click Disable inheritance.
14. When prompted, choose Convert inherited permissions into explicit permissions on this object.
15. Click OK.
16. When prompted by Windows Security, click Yes to continue.
17. Click OK and exit the Registry Editor.
18. Restart the endpoint to apply the changes, and then in an elevated command prompt confirm the changes with the following command:

    fltmc instances

19. Follow the relevant steps to capture the desired Procmon (Standard/Boot).