How to use Process Monitor for standard log and for bootlog

Article:TECH92496  |  Created: 2009-01-20  |  Updated: 2013-04-23  |  Article URL http://www.symantec.com/docs/TECH92496
Article Type
Technical Solution

Issue



Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Symptoms
How to configure PROCMON and how to create a bootlog

Solution

Prepare “Process Monitor” for logging
1. Log in using an account with administrative privileges (for example “Administrator”).
2. Create a folder on the system drive (by default C:\) named “monitor”.
3. Download the software using the following link:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

4. Extract the archive to the folder C:\monitor created in step 2.
5. Double-click the file “Procmon.exe”.
6. Click the “Capture” icon to stop the capture process.
7. The Capture icon will now have a red X over it, meaning that the program is no longer capturing events.
8. Now go into the “File” menu (first from the left in the program window).
9. Select “Backing Files” (shortcut CTRL-B): scroll down the menu and click it with the left mouse button, or, if you use the keyboard, scroll down with the arrow keys and press Enter.
10. This will open the “Process Monitor Backing Files” window.
11. Now click the radio button next to “Use file named:” to enable the name field.
12. Enter in the name field the desired destination folder (here we will use the folder “C:\monitor” that we initially extracted ProcessMonitor.zip to) and the target file name, e.g. “C:\monitor\tempfile.pml”.
13. Now click the OK button to confirm.
14. This will bring up a confirmation dialog box.
15. Select the “OK” button to continue.
16. As soon as “OK” is selected you will be returned to the main window.
17. Close the program.
18. Double-click the file “Procmon.exe”.
19. Click the “Capture” icon to stop the capture process.
20. The Capture icon will now have a red X over it, meaning that the program is no longer capturing events.
21. Now go into the “File” menu (first from the left in the program window).
22. Select “Backing Files” (shortcut CTRL-B): scroll down the menu and click it with the left mouse button, or, if you use the keyboard, scroll down with the arrow keys and press Enter.
23. A new window titled “Process Monitor Backing Files” will appear.
24. Verify that ProcMon is using the previously configured named file.
25. Select the “Cancel” button to close the window.
26. Now the program is ready for analysis.


Use “Process Monitor” for “Boot Logging”

1. Log in using an account with administrative privileges (Administrator is recommended).
2. Navigate to the folder that ProcessMonitor.zip was extracted to (e.g. C:\monitor).
3. Double-click the file “Procmon.exe”.
4. Click the “Capture” icon to stop the capture process.
5. The Capture icon will now have a red X over it, meaning that the program is no longer capturing events.
6. Now go into the “Options” menu and select “Enable Boot Logging”.
7. A dialog box will open.
8. “Process Monitor” is now configured to log activity during the next boot. Select the “OK” button to close the program.
9. Reboot the system.
10. Log in with the previously chosen account (e.g. Administrator).
11. Allow the system to fully load Windows and any associated startup programs (generally this takes 5-15 minutes).
12. Navigate to the folder that contains Procmon.exe (e.g. C:\monitor).
13. Double-click the file “Procmon.exe”.
14. A dialog box will open.
15. Click “Yes” to save the collected data.
16. This will open the Save As dialog box.
17. Enter in the “File name” field the desired name for the output (e.g. bootlog001.pml) and select the “Save” button.
18. As soon as you select the “Save” button, a progress bar appears reporting boot-time event conversion.
19. Following the boot-time event data conversion, the process will apply the Event Filter.
20. Following the Event Filter application, ProcMon will return to the default console. Note that the capture icon shows as disabled.
21. The previously defined folder will now contain the file “C:\monitor\bootlog001.pml”.
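
As an added example (not from the article or from Sysinternals), the same setup scripted from an elevated PowerShell prompt so the collection is repeatable, covering both the backing-file procedure above and the boot-logging steps; it assumes Procmon.exe is extracted to C:\monitor as in step 2, PowerShell 5 or later, and a Procmon build that accepts the command-line switches named in the comments.

```powershell
# Added example (not from the article). Assumes Procmon.exe is in C:\monitor
# (steps 2-4), PowerShell 5+ (Expand-Archive, Get-FileHash) and a Procmon build
# that accepts the /AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate,
# /EnableBootLogging and /OpenLog switches from its "procmon /?" usage text.

$MonitorDir = 'C:\monitor'
$Procmon    = Join-Path $MonitorDir 'Procmon.exe'
$ZipUrl     = 'http://download.sysinternals.com/Files/ProcessMonitor.zip'

# Steps 2-4 of "Prepare": create the folder, fetch the archive, extract it, and
# record the hash of the binary actually run so the trace can be tied to it later.
function Install-Procmon {
    New-Item -ItemType Directory -Path $MonitorDir -Force | Out-Null
    $zip = Join-Path $MonitorDir 'ProcessMonitor.zip'
    Invoke-WebRequest -Uri $ZipUrl -OutFile $zip
    Expand-Archive -Path $zip -DestinationPath $MonitorDir -Force
    (Get-FileHash -Algorithm SHA256 -Path $Procmon).Hash |
        Set-Content -Path (Join-Path $MonitorDir 'procmon.sha256')
}

# Steps 8-13 of "Prepare": log straight into a named backing file instead of
# virtual memory. /Quiet suppresses the filter confirmation dialog and /Minimized
# keeps the console out of the way while the problem is reproduced.
function Start-ProcmonCapture {
    param([string]$BackingFile = (Join-Path $MonitorDir 'tempfile.pml'))
    Start-Process -FilePath $Procmon `
        -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$BackingFile`"")
}

# Tell the running instance to stop capturing and exit; the .pml stays on disk.
function Stop-ProcmonCapture {
    Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
}

# Step 6 of "Boot Logging": same effect as Options > Enable Boot Logging. After the
# reboot, start Procmon.exe and answer "Yes" to the save prompt (steps 13-17).
function Enable-ProcmonBootLog {
    Start-Process -FilePath $Procmon -ArgumentList @('/AcceptEula', '/EnableBootLogging') -Wait
}

# Step 21 check: confirm the saved log exists and is non-empty, then reopen it
# read-only for review without starting a new capture.
function Test-ProcmonLog {
    param([string]$LogFile = (Join-Path $MonitorDir 'bootlog001.pml'))
    $f = Get-Item -Path $LogFile -ErrorAction SilentlyContinue
    if (-not $f -or $f.Length -eq 0) { return $false }
    Start-Process -FilePath $Procmon -ArgumentList @('/AcceptEula', '/OpenLog', "`"$LogFile`"")
    return $true
}
```

Typical use is Install-Procmon, then either Start-ProcmonCapture / reproduce the issue / Stop-ProcmonCapture for a standard log, or Enable-ProcmonBootLog, Restart-Computer, save the log in the GUI and Test-ProcmonLog for a boot log.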

 


 




References
Site: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Download: http://download.sysinternals.com/Files/ProcessMonitor.zip


Technical Information
By default, Procmon will not collect certain Auto-Protect events. For instructions on capturing them, please see Document ID 2009121411372448, "How to Configure Sysinternals' Process Monitor to Record Symantec's Auto-Protect Events".


 



Legacy ID: 2009022010271948

