P
PradeepSharma
Capture Circular ProcMon Logs for an intermittent issue
We’ll delve into how to capture Process Monitor logs with circular overwrite enabled. As per the official documentation, Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and usernames, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
When running ProcMon over extended periods where log file size is a concern, configuring Procmon with circular overwrite helps by limiting the log file size while retaining only the most recent activity. This method is particularly useful when tracking intermittent issues over time without generating enormous log files.
Let’s walk through how to configure and capturing logs with circular overwrite in ProcMon.
Download and Install ProcMon
There’s no installation process; it’s a standalone executable that you can run directly.
Configure ProcMon Filters (you can skip this if not sure of the process name or other details)
By default, ProcMon logs all system activity, which can generate an overwhelming amount of data. Therefore, configuring filters to focus only on relevant events should be good to avoid noise.
Example: To monitor only a specific application like notepad.exe, create a filter for Process Name equals notepad.exe.
Enable Circular Overwrite (important)
To ensure that your ProcMon session captures only the most recent logs without growing indefinitely:
Set Maximum Log File Size
Circular logging allows you to set a maximum log file size. To do this:
Set Maximum Log File Size
Circular logging allows you to set a maximum log file size. To do this:
Start the Capture
Once everything is set:
Export Logs for Further Analysis
After capturing your data, you may want to export the logs for in-depth analysis or sharing with other team members:
Using ProcMon with circular overwrite is especially helpful when dealing with intermittent issues that can't be easily reproduced. However, it's crucial to stop the data collection as soon as the issue occurs. Otherwise, if the log file size is too small, you risk overwriting the relevant data before capturing the problem.
Continue reading...
We’ll delve into how to capture Process Monitor logs with circular overwrite enabled. As per the official documentation, Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and usernames, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
When running ProcMon over extended periods where log file size is a concern, configuring Procmon with circular overwrite helps by limiting the log file size while retaining only the most recent activity. This method is particularly useful when tracking intermittent issues over time without generating enormous log files.
Let’s walk through how to configure and capturing logs with circular overwrite in ProcMon.
Download and Install ProcMon
- Visit the Microsoft Sysinternals website to download Process Monitor.
- Extract the downloaded file and run Procmon.exe as an administrator.
There’s no installation process; it’s a standalone executable that you can run directly.
Configure ProcMon Filters (you can skip this if not sure of the process name or other details)
By default, ProcMon logs all system activity, which can generate an overwhelming amount of data. Therefore, configuring filters to focus only on relevant events should be good to avoid noise.
- Click on the Filter button (or press CTRL + L).
- In the Filter dialog box, add rules to include or exclude processes, file paths, or registry keys you are interested in.
Example: To monitor only a specific application like notepad.exe, create a filter for Process Name equals notepad.exe.
- Apply the filters and click OK.
Enable Circular Overwrite (important)
To ensure that your ProcMon session captures only the most recent logs without growing indefinitely:
- Go to File > Backing Files.
- In the Backing Files dialog box, select Use file named and specify the location and name of the log file (e.g., C:\Logs\procmon.pml).
Set Maximum Log File Size
Circular logging allows you to set a maximum log file size. To do this:
- Under Options > History Depth, you can define how many MB of log data ProcMon should retain before starting to overwrite.
- Example: Set this to 500 MB, so ProcMon will only keep the last 500 MB worth of logs.
- This ensures your log file remains manageable in size and avoids overloading disk space.
Set Maximum Log File Size
Circular logging allows you to set a maximum log file size. To do this:
- Under Options > History Depth, you can define how many MB of log data ProcMon should retain before starting to overwrite.
- Example: Set this to 500 MB, so ProcMon will only keep the last 500 MB worth of logs.
- This ensures your log file remains manageable in size and avoids overloading disk space.
Start the Capture
Once everything is set:
- Click the Capture button (or press CTRL + E) to start capturing logs.
- As you capture, ProcMon will monitor and log real-time system activity.
- If you need to pause logging at any point, you can click Capture again to temporarily stop.
Export Logs for Further Analysis
After capturing your data, you may want to export the logs for in-depth analysis or sharing with other team members:
- Go to File > Save.
- Choose your desired output format (e.g., the native PML format, CSV, or XML).
- Select All Events or Filtered Events to save only the information relevant to your investigation.(All Events are recommended if not much aware of the details of the events and process)
- Save the file to your preferred location.
Using ProcMon with circular overwrite is especially helpful when dealing with intermittent issues that can't be easily reproduced. However, it's crucial to stop the data collection as soon as the issue occurs. Otherwise, if the log file size is too small, you risk overwriting the relevant data before capturing the problem.
Continue reading...