Scenario:
In order to use Procmon to log operations on boot up, you have to go to Options and then select Enable Boot Logging. Once you have done that, you can reboot your computer, logon to your computer, launch Procmon again, and then you can save the boot log. There may be an occasion when you want to enable it on multiple machines using a script. This is not something that you can do given the current command line arguments.The File
However, you can copy a file to the System32\drivers folder and make some registry changes to set up Procmon for boot logging via a script. First you need to download Procmon and launch it. Once you have done that, go to Options and then Enable Boot Logging.This will place the PROCMON23.SYS file in C:\Windows\System32\Drivers folder. When you disable Boot Logging, this file goes away. So with Boot Logging enabled, go to this folder and copy the PROCMON23.SYS file so that you have it. You will need to copy this file to the Drivers folder listed above in order to setup Procmon Boot Logging.
NOTE: I believe that the number "23" in the name of the .sys file reflects the tool version. In older versions I noticed that the name of the file (and registry keys) were PROCMON20.
The Registry Keys
You can copy the script below and create a batch file to set all the relevant registry keys.This will set the keys you need to set.::Create PROCMON23 Key and valuesreg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v Group /t REG_SZ /d "FSFilter Activity Monitor" /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v ImagePath /t REG_EXPAND_SZ /d "System32\Drivers\PROCMON23.SYS" /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v Start /t REG_DWORD /d 0 /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v SupportedFeatures /t REG_DWORD /d 3 /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23 /v Type /t REG_DWORD /d 1 /f::Create Instances Key and valuesreg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances /v DefaultInstance /t REG_SZ /d "Process Monitor 23 Instance" /f::Create Process Monitor 23 Instance and valuesreg add "HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances\Process Monitor 23 Instance" /freg add "HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances\Process Monitor 23 Instance" /v Altitude /t REG_SZ /d 385200 /freg add "HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Instances\Process Monitor 23 Instance" /v Flags /t REG_DWORD /d 0 /f::Create Parameters Key and valuereg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Parameters /freg add HKLM\SYSTEM\CurrentControlSet\Services\PROCMON23\Parameters /v ThreadProfiling /t REG_DWORD /d 10000000 /f
IMPORTANT: After reboot, you need to open Procmon again and stop the trace. If you don't, it will keep recording and will quickly fill up your hard drive.
No comments:
Post a Comment