how to enable procmon boot logging for every boot?


Solution 1

I'm not aware of a regular way to permanently enable boot logging, but it seems that boot logging is controlled by two registry values in the Procmon driver configuration. Perhaps (re-)creating these values (e.g. with a startup script) will do what you want:

rem Restore the boot-logging driver if Procmon removed it (assumes PROCMON23.sys sits in the script's directory)
if not exist %SystemRoot%\System32\Drivers\PROCMON23.sys copy PROCMON23.sys %SystemRoot%\System32\Drivers\
rem Register it as a boot-start (Start=0) kernel driver (Type=1)
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v ImagePath /t REG_SZ /d "System32\Drivers\PROCMON23.sys" /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Start /t REG_DWORD /d 0x0 /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Type /t REG_DWORD /d 0x1 /f

However, before trying something like that, I'd first try "regular" monitoring (without boot logging). Start Process Monitor once and configure it to monitor only access to the hosts file (Filter → Filter...). Export that configuration to the file C:\hosts.pmc (File → Export Configuration...). Then run something like this in a startup script:

procmon /LoadConfig C:\hosts.pmc /BackingFile C:\hosts_%DATE:/=-%.pml /Quiet > C:\hosts.log 2>&1

That will start Process Monitor with the exported configuration (/LoadConfig C:\hosts.pmc), start monitoring without prompting for confirmation of filter settings (/Quiet), and log the recorded events to a log file with the current date (/BackingFile C:\hosts_%DATE:/=-%.pml). The expression %DATE:/=-% produces the current date with forward slashes / replaced by hyphens -. If your date format is not MM/DD/YYYY you'll have to modify this expression accordingly.

Startup scripts can be configured in various ways (Run keys in the registry, scheduled tasks, group policies, ...). See the answers to this question on StackOverflow for an overview.
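As an added example (not part of the answer above), a PowerShell startup script that does what the cmd.exe line does, but with a locale-independent date, and that also reports whether the driver registration described at the top of this answer is still in place. The paths C:\Tools\procmon.exe and C:\ProcmonLogs\ are assumed placeholders; C:\hosts.pmc is the configuration exported as described; /AcceptEula and /Minimized are standard Procmon switches not mentioned above.

```powershell
# Added example, not from the original answer. Assumed placeholder paths:
$Procmon = 'C:\Tools\procmon.exe'      # wherever procmon.exe was unpacked
$Config  = 'C:\hosts.pmc'              # filter exported via File -> Export Configuration
$LogDir  = 'C:\ProcmonLogs'            # where the dated .pml files go
$Driver  = 'PROCMON23'                 # driver/service name varies by Procmon version (PROCMON20, PROCMON23, ...)

function Get-BootLoggingState {
    # $true only when the driver service key exists, is registered as a
    # boot-start kernel driver (Start=0, Type=1) and the .sys file is present,
    # i.e. the state the reg add lines above produce.
    param([string]$Name = $Driver)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $false }
    $svc   = Get-ItemProperty -Path $key
    $image = Join-Path $env:SystemRoot "System32\Drivers\$Name.sys"
    return ($svc.Start -eq 0 -and $svc.Type -eq 1 -and (Test-Path $image))
}

function Start-HostsMonitor {
    # Preflight: refuse to start with a missing binary or configuration
    foreach ($p in @($Procmon, $Config)) {
        if (-not (Test-Path $p)) { throw "Missing prerequisite: $p" }
    }
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    # yyyy-MM-dd_HHmmss does not depend on the user's short-date format
    # (unlike %DATE:/=-% in cmd.exe) and sorts chronologically.
    $stamp   = Get-Date -Format 'yyyy-MM-dd_HHmmss'
    $backing = Join-Path $LogDir "hosts_$stamp.pml"
    $argList = @('/AcceptEula', '/Quiet', '/Minimized',
                 '/LoadConfig', $Config, '/BackingFile', $backing)
    Start-Process -FilePath $Procmon -ArgumentList $argList
    return $backing
}

$startupLog = Join-Path $LogDir 'procmon_startup.log'
$capture    = Start-HostsMonitor
"$(Get-Date -Format o) capturing to $capture" | Out-File $startupLog -Append
"$(Get-Date -Format o) boot-logging driver registered for every boot: $(Get-BootLoggingState)" |
    Out-File $startupLog -Append
```

Run it from a scheduled task that triggers at startup with highest privileges; the second line written to procmon_startup.log tells you whether the driver-based approach is (still) active, so the two approaches do not silently overlap.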

Solution 2

Adam Collett/adjman666 wrote a VBScript to do it and posted it to the Sysinternals forums. For this to work the \\server\procmon share will need to have sharing and file permissions set so that "Domain Computers" can read from that location, otherwise the script will error with an "Access Denied" message.

'Script to enable boot logging in Process Monitor at every shutdown to ensure we capture all activity, every time.

'Declare the objects used in the script
Dim objFSO, objShell, objRegistry

'Declare the variables used in the script
Dim strProcmon20KeyPath, strInstancesKeyPath, strPMIKeyPath, strStartValueName, strGroupValueName, strTypeValueName, strImagePathValueName
Dim strDefInstanceValueName, strAltitudeValueName, strFlagsValueName, strComputer

'Declare the constants used in the script
Const HKEY_LOCAL_MACHINE = &H80000002

'Create our FileSystem, Shell and Registry objects
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell=WScript.CreateObject("WScript.Shell")
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

'Set all variables ready for use

strProcmon20KeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\"
strInstancesKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\"
strPMIKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance\"

strStartValueName = "Start"
strGroupValueName = "Group"
strTypeValueName = "Type"
strImagePathValueName = "ImagePath"
strDefInstanceValueName = "DefaultInstance"
strAltitudeValueName = "Altitude"
strFlagsValueName = "Flags"

'Check for the Process Monitor Executable, copy it in if not already on the system.
If not objFSO.FileExists("C:\Windows\System32\procmon.exe") Then
  objFSO.CopyFile "\\server\procmon\procmon.exe", "C:\Windows\System32\", true
End If

'Now import the registry settings, one at a time
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strStartValueName, "0", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strGroupValueName, "FSFilter Activity Monitor", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strTypeValueName, "1", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strImagePathValueName, "System32\Drivers\PROCMON20.SYS", "REG_EXPAND_SZ"

objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strInstancesKeyPath & strDefInstanceValueName, "Process Monitor Instance", "REG_SZ"

objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strAltitudeValueName, "385200", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strFlagsValueName, "0", "REG_DWORD"

'Now copy over the PROCMON20.SYS file to the C:\Windows\System32\Drivers folder

If not objFSO.FileExists("C:\Windows\System32\Drivers\PROCMON20.SYS") Then
  objFSO.CopyFile "\\server\procmon\PROCMON20.SYS", "C:\Windows\System32\Drivers\", true
End If

'End of Script
Author: SparedWhisle

Updated on September 18, 2022

Comments

  • SparedWhisle
    SparedWhisle almost 2 years

    I know Process Monitor has the "enable boot logging" function,

    but that only takes effect for the next boot.

    Is there a way to enable boot logging for every boot in the future?

    • Ansgar Wiechers
      Ansgar Wiechers over 11 years
      Boot logging is intended for troubleshooting and should not be enabled by default. Even more since the logging will continue until the program is started the next time (i.e. you would be logging everything from boot to shutdown). What problem are you trying to solve by this?
    • SparedWhisle
      SparedWhisle over 11 years
      Every several days I find the entry containing "www.google.com" gone from my hosts file, which is very annoying. I need to monitor the file for several days (probably a week) to find out which program did it.
    • Moab
      Moab over 11 years
      @DavidDai why not set "read only" attribute on the hosts file?
    • SparedWhisle
      SparedWhisle over 11 years
      Of course I can do that. But I just want to find out the black hand behind this. :(
    • Justin Dearing
      Justin Dearing over 9 years
      @ansgarwiechers if you configured ProcMon to drop filtered events, wouldn't boot time logging be relatively non-invasive?
    • Ansgar Wiechers
      Ansgar Wiechers over 9 years
      @JustinDearing It would still need to hook into the boot sequence, and would still consume CPU cycles for matching and selecting events. And writing events to a log. Boot logging is a kind of debug logging. Don't enable it unless you have something you need to debug.
  • SparedWhisle
    SparedWhisle over 11 years
    Other than the registry keys, boot logging requires a file PROCMON23.sys in C:\Windows\System32\Drivers\. If I enable boot logging by using the menu, it does that. But I cannot move the file from Drivers to anywhere else.
  • Ansgar Wiechers
    Ansgar Wiechers over 11 years
    With admin privileges you should be able to copy the file. Perhaps you could copy the backup copy back to the drivers directory if it doesn't exist, and then set the registry keys. But again, I recommend against trying this before you have tried everything else.
  • SparedWhisle
    SparedWhisle over 11 years
    I couldn't back up PROCMON23.sys even with administrator. I left procmon running during last night and I have found the processes that ruin my hosts file. They are "system" and "svchost.exe"; that is another question. Thanks anyway.
  • Admin
    Admin over 11 years
    Make sure to copy PROCMON23.SYS into system32/drivers before manually adding the reg values. When using the procmon GUI option it copies it into this directory and applies the reg values. When unchecking this option it deletes it. If you want to do it manually, copy the sys file to this directory and apply the reg values yourself. Works ok.