Thursday, April 16, 2015

How to Enable Procmon Boot Logging with Script


Scenario:

In order to use Procmon to log operations at boot, you have to go to Options and then select Enable Boot Logging. Once you have done that, you reboot the computer, log on, launch Procmon again, and then save the boot log.  There may be an occasion when you want to enable boot logging on multiple machines using a script.  This is not something you can do with the current command line arguments.


The File

However, you can copy a file to the System32\drivers folder and make some registry changes to set up Procmon for boot logging via a script.  First you need to download Procmon and launch it.  Once you have done that, go to Options and then Enable Boot Logging.

This will place the PROCMON23.SYS file in the C:\Windows\System32\Drivers folder.  When you disable Boot Logging, this file goes away.  So, with Boot Logging enabled, go to this folder and copy the PROCMON23.SYS file so that you have a copy to deploy.  You will need to copy this file to the Drivers folder listed above on each target machine in order to set up Procmon Boot Logging.

NOTE: I believe that the number "23" in the name of the .sys file reflects the tool version.  In older versions I noticed that the name of the file (and registry keys) was PROCMON20.

The Registry Keys

You can copy the script below and create a batch file to set all the relevant registry keys.

::Create PROCMON23 Key and values
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v Group /t REG_SZ /d "FSFilter Activity Monitor" /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v ImagePath /t REG_EXPAND_SZ /d "System32\Drivers\PROCMON23.SYS" /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v Start /t REG_DWORD /d 0 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v SupportedFeatures /t REG_DWORD /d 3 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v Type /t REG_DWORD /d 1 /f

::Create Instances Key and values
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances /v DefaultInstance /t REG_SZ /d "Process Monitor 23 Instance" /f

::Create Process Monitor 23 Instance and values
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances\Process Monitor 23 Instance" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances\Process Monitor 23 Instance" /v Altitude /t REG_SZ /d 385200 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances\Process Monitor 23 Instance" /v Flags /t REG_DWORD /d 0 /f

::Create Parameters Key and value
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Parameters /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Parameters /v ThreadProfiling /t REG_DWORD /d 10000000 /f

These commands create all of the keys and values that Procmon sets when you enable Boot Logging; the Start value of 0 registers the driver to load at boot, which is why the .sys file must already be in the Drivers folder.

IMPORTANT: After reboot, you need to open Procmon again and stop the trace.  If you don't, it will keep recording and will quickly fill up your hard drive.
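The same procedure (copy the driver, create the keys, read them back) as an added PowerShell example that is not from the original post. It assumes you already saved a copy of PROCMON23.SYS next to the script; $DriverSource is a placeholder path to adjust for your deployment.

```powershell
# Added example, not from the original post: driver copy plus registry setup
# in PowerShell, with a presence check before writing and a read-back after.
# Assumes a saved PROCMON23.SYS next to this script ($DriverSource is a placeholder).
#Requires -RunAsAdministrator
$DriverSource = Join-Path $PSScriptRoot 'PROCMON23.SYS'
$DriverDest   = Join-Path $env:SystemRoot 'System32\Drivers\PROCMON23.SYS'
$SvcKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\PROCMON23'
$Instance     = 'Process Monitor 23 Instance'
# Ordered so parent keys are created before their subkeys. Values mirror the
# reg add lines above; Start=0 is a boot-start driver, Type=1 a kernel driver.
$Values = [ordered]@{
    $SvcKey = @(
        @{ Name = 'Group';             Type = 'String';       Value = 'FSFilter Activity Monitor' },
        @{ Name = 'ImagePath';         Type = 'ExpandString'; Value = 'System32\Drivers\PROCMON23.SYS' },
        @{ Name = 'Start';             Type = 'DWord';        Value = 0 },
        @{ Name = 'SupportedFeatures'; Type = 'DWord';        Value = 3 },
        @{ Name = 'Type';              Type = 'DWord';        Value = 1 }
    )
    "$SvcKey\Instances" = @(
        @{ Name = 'DefaultInstance';   Type = 'String';       Value = $Instance }
    )
    "$SvcKey\Instances\$Instance" = @(
        @{ Name = 'Altitude';          Type = 'String';       Value = '385200' },
        @{ Name = 'Flags';             Type = 'DWord';        Value = 0 }
    )
    "$SvcKey\Parameters" = @(
        @{ Name = 'ThreadProfiling';   Type = 'DWord';        Value = 10000000 }
    )
}
# The keys point a boot-start driver at $DriverDest, so refuse to write them
# unless the driver binary can actually be put in place first.
if (-not (Test-Path $DriverSource)) { throw "Driver copy not found: $DriverSource" }
Copy-Item -Path $DriverSource -Destination $DriverDest -Force
foreach ($key in $Values.Keys) {
    New-Item -Path $key -Force | Out-Null                     # same as: reg add <key> /f
    foreach ($v in $Values[$key]) {
        New-ItemProperty -Path $key -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
    }
}
# Read everything back so a deployment tool gets a clear pass/fail.
$Problems = foreach ($key in $Values.Keys) {
    foreach ($v in $Values[$key]) {
        $actual = (Get-ItemProperty -Path $key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ("$actual" -ne "$($v.Value)") { "$key\$($v.Name) is '$actual', expected '$($v.Value)'" }
    }
}
if ($Problems) { $Problems | Write-Warning; exit 1 }
Write-Host 'Boot logging configured. After reboot, open Procmon and stop the trace.'
```

The read-back loop exits non-zero if any value differs from what was written, so a deployment tool can flag machines where the keys did not land.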
