Automating Sysinternals Procmon

In auditing and malware-analysis work we quite often need to automate Sysinternals Procmon to capture process events. After a few tries I arrived at a sequence of commands that automates Procmon correctly. The worst part is that if you stop or kill the process abruptly, the capture file will be corrupted. Executing the following sequence captures the events without corrupting the capture file:

C:\SysinternalsSuite\procmon.exe /Quiet /backingfile c:\tmp\procmonoutput.pml
C:\SysinternalsSuite\procmon.exe /WaitForIdle
Run your program here.
C:\SysinternalsSuite\procmon.exe /Terminate
C:\SysinternalsSuite\procmon.exe /PagingFile /NoConnect /Minimized /Quiet
Sleep for a few seconds here.
C:\SysinternalsSuite\procmon.exe /Terminate

Note: quite often Procmon will not even exit. Procmon delivers the “Terminate” request through a window message, so it is only received when the capturing instance has a window to receive it.
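The sequence above as a PowerShell script, added here as an example and not part of the original post. It keeps the post's command order and paths, treats the target program path as a placeholder, and uses three standard Procmon switches the post does not mention (/AcceptEula, /OpenLog and /SaveAs) so the run needs no dialog interaction and ends by checking that the capture reopens. Because /Terminate is a window message rather than a signal, the stop routine waits with a timeout and retries instead of killing Procmon, since an abrupt kill is exactly what corrupts the backing file.

```powershell
# Added example (not from the original post): the post's Procmon sequence as a PowerShell script.
# Assumptions: $Procmon and $Backing reuse the post's paths, $Target is a placeholder for the
# program to observe, and /AcceptEula, /OpenLog and /SaveAs are standard Procmon switches
# that the post itself does not mention.
$Procmon = 'C:\SysinternalsSuite\procmon.exe'
$Backing = 'C:\tmp\procmonoutput.pml'
$Target  = 'C:\tmp\sample.exe'      # placeholder: program whose events you want captured

# Run procmon.exe with the given switches; -Wait blocks until that instance exits.
function Invoke-Procmon {
    param([string[]]$Arguments, [switch]$Wait)
    $p = Start-Process -FilePath $Procmon -ArgumentList $Arguments -PassThru
    if ($Wait) { $p.WaitForExit() }
    return $p
}

# True while any Procmon instance (procmon.exe, or the Procmon64.exe it spawns on x64) is alive.
function Test-ProcmonRunning {
    return [bool](Get-Process -Name 'Procmon', 'Procmon64' -ErrorAction SilentlyContinue)
}

# Ask Procmon to stop with /Terminate and wait for it to exit. Never Stop-Process a capturing
# instance: an abrupt kill leaves the backing file unclosed and therefore corrupt.
# /Terminate is delivered as a window message, so in a session without a usable desktop
# (some service or scheduled-task contexts) it can be missed; retry once, then give up
# without killing anything.
function Stop-ProcmonGracefully {
    param([int]$TimeoutSec = 30)
    foreach ($attempt in 1, 2) {
        Invoke-Procmon -Arguments @('/Terminate') -Wait | Out-Null
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        while ((Test-ProcmonRunning) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Milliseconds 500 }
        if (-not (Test-ProcmonRunning)) { return }
    }
    throw "Procmon did not exit after /Terminate; leaving it running so $Backing is not corrupted"
}

New-Item -ItemType Directory -Path (Split-Path $Backing) -Force | Out-Null
if (Test-Path $Backing) { Remove-Item $Backing }

# 1. Start capturing to the backing file (first command of the post's sequence).
Invoke-Procmon -Arguments @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $Backing) | Out-Null

# 2. Block until Procmon is ready to record, then run the program under observation.
Invoke-Procmon -Arguments @('/WaitForIdle') -Wait | Out-Null
Start-Process -FilePath $Target -Wait

# 3. Stop the capture cleanly.
Stop-ProcmonGracefully

# 4. The post's second pass: a short non-capturing run (/PagingFile /NoConnect) followed by
#    another /Terminate, which lets Procmon finish closing the backing file.
Invoke-Procmon -Arguments @('/AcceptEula', '/PagingFile', '/NoConnect', '/Minimized', '/Quiet') | Out-Null
Start-Sleep -Seconds 5
Stop-ProcmonGracefully

# 5. Verify the capture is readable by converting it to CSV headlessly.
$Csv = [IO.Path]::ChangeExtension($Backing, '.csv')
Invoke-Procmon -Arguments @('/AcceptEula', '/OpenLog', $Backing, '/SaveAs', $Csv) -Wait | Out-Null
if (-not (Test-Path $Csv)) { throw "Procmon could not reopen $Backing; the capture is probably corrupt" }
Write-Host "Capture exported to $Csv with $((Import-Csv $Csv).Count) events"
```

Run it from an interactive session (or a scheduled task configured to run with a desktop) so the /Terminate window message reaches the capturing instance; if the script throws at step 3 or 4, the backing file is still open and should not be touched until Procmon has exited on its own.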

This entry was posted in Windows.

3 Responses to Automating Sysinternals Procmon

  1. drakefin says:

    Thank you for that great entry; it really helped me out.
    Let me add a little addition that I needed to make when I wanted it to be run from a batch file:
    On my virtual XP client I needed to add a

    start "" "C:\SysinternalsSuite\procmon.exe" /backingfile C:\tmp\Logfile.pml
    before I was able to proceed any further in the batch script. Otherwise ProcMon will just stay open and the batch file won't proceed any further.

  2. kalqlate says:

    Sorry to ask a procmon support question here (I will do so also on the SysInternals forum), but I am trying to use procmon to help me track down a potential registry error. My problem is that, even with no apps loaded after boot, eventually my system will hang with the drive light stuck on. I set procmon to log to a file, but when the error occurs, the log file is not closed. When I subsequently reboot and attempt to load the log file back into procmon for analysis, it informs me that the file had not been properly closed and is therefore corrupt. Procmon then, of course, refuses to open the file. Do you know of any setting to get procmon to close the log file after each logged entry (even if it slows down the system tremendously), or do you know of any other registry event logger that has the ability to do this? Thank you very much for your time and for any advice you can give.

  3. anon says:

    Wow. I don’t know how you figured that out, but it works for me without a “corrupted file” error. Thanks!
