How to Configure Sysinternals' Process Monitor to Record Symantec's Auto-Protect Events

Article: TECH98079  |  Created: 2009-01-14  |  Updated: 2015-02-16
Article Type
Technical Solution


A reported performance issue is apparently resolved when SAV or SEP's Auto-Protect is disabled. A Process Monitor (procmon) log is gathered as part of the troubleshooting, but Auto-Protect (AP) events are not captured. Can this be overcome?


Because both Process Monitor and Auto-Protect are file-system minifilters, the Auto-Protect configuration needs to change slightly to ensure that procmon sees all of Auto-Protect's I/O events. By default Auto-Protect is loaded at a lower altitude than procmon, so procmon does not see the AP scan I/O.


If disabling Auto-Protect resolves a performance-based issue, then gather a procmon log when AP is disabled and a second log when AP is enabled.

Please note that a very large amount of data will be collected: if possible, capture only the events that occur during the slow-down. Also note that Tamper Protection may need to be disabled to make the registry changes.

To load Auto-Protect above ProcMon:

1. In regedit, change the following registry value:

   Value name: Altitude
   New value: 385300

2. Reboot. You can verify that the SRTSP altitude has been changed by running the fltmc command:

> fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
FSLX                                            429998.99   <Legacy>
symsnap                                         429998.99   <Legacy>
Pgpwdefs                                2       370400         1
BHDrvx64                                2       365100         1
eeCtrl                                  2       329010         1
SRTSP                                   3       385300         1
vfsmfd                                  4       263410         1
SymEFA                                  3       260600         1
pgpfs                                           149998.99   <Legacy>
luafv                                   1       135000         0
FileInfo                                3        45000         0

3. Start ProcMon.
4. Reproduce the issue.
5. Save the log in Native Process Monitor Format (PML).

To restore Auto-Protect to its normal altitude:

1. In regedit, change the following registry value:

   Value name: Altitude
   New value: 329000

2. Reboot.

What to look for when examining the procmon logs

Auto-Protect queries file information frequently to get file attributes, size and times. This is usually a very quick operation. Look for queries that take a long time to complete; a long query means a thread is stuck, occupied or tied up.

To see these long events in the procmon log, do the following:

1. Turn on Filter -> Enable Advanced Output.
2. Show the Duration column.
3. Add the filter: Duration more than 10.0.

Note: It may also be necessary to gather logs from remote computers with which the computer being analyzed was communicating, if the cause of delay is suspected to be network-related.
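As an added example (not part of the Symantec article or the Sysinternals tools), the same "Duration more than 10.0" filter applied offline with Python to a Procmon log saved as CSV, summarising the slow file-information queries per path. The CSV column names follow Procmon's export with the Duration column shown and the sample rows are constructed; both are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV) with the
# Duration column enabled. Column names are assumed to match Procmon's export; the
# rows are made up for this example (Duration is in seconds).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Duration"
"10:01:02.1","explorer.exe","1234","QueryBasicInformationFile","C:\share\a.docx","SUCCESS","0.0000210"
"10:01:02.2","explorer.exe","1234","QueryStandardInformationFile","\\fileserver\docs\b.xlsx","SUCCESS","14.3021000"
"10:01:17.0","explorer.exe","1234","CreateFile","\\fileserver\docs\b.xlsx","SUCCESS","0.0001100"
"10:01:17.1","svchost.exe","800","QueryNetworkOpenInformationFile","\\fileserver\docs\c.pdf","SUCCESS","11.0500000"
"10:01:30.0","outlook.exe","2222","ReadFile","C:\Users\me\x.pst","SUCCESS","0.0003000"
'''

LONG_SECONDS = 10.0  # the article's "Duration more than 10.0" threshold


def long_events(csv_text, threshold=LONG_SECONDS):
    """Return the rows whose Duration (seconds) exceeds the threshold."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            secs = float(row["Duration"])
        except (KeyError, ValueError):
            continue  # Duration column missing or blank for this row
        if secs > threshold:
            row["Duration"] = secs
            rows.append(row)
    return rows


def slow_file_queries(csv_text, threshold=LONG_SECONDS):
    """Summarise slow file-information queries (the Query...InformationFile
    operations Auto-Protect issues) as {path: (count, max_seconds)}."""
    summary = defaultdict(lambda: [0, 0.0])
    for row in long_events(csv_text, threshold):
        op = row["Operation"]
        if op.startswith("Query") and op.endswith("InformationFile"):
            entry = summary[row["Path"]]
            entry[0] += 1
            entry[1] = max(entry[1], row["Duration"])
    return {path: tuple(v) for path, v in summary.items()}


if __name__ == "__main__":
    for path, (count, worst) in slow_file_queries(SAMPLE_CSV).items():
        print(f"{count:3d} slow query(s), worst {worst:.3f}s  {path}")
```

Paths that repeatedly appear here, especially UNC paths to another host, point to where the stuck thread is waiting and which remote computer's logs to gather next.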
