- Hardening AppLocker - Thu, Jun 25 2020
- AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
- Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020
Procmon has a lot of command line parameters, but it doesn't have a parameter to operate against another computer.
So we can't point Procmon at another machine. However, that doesn't mean we can't run it on the remote machine using PsExec.exe. PsExec.exe is another Sysinternals tool that you can download from the same locations as Procmon. It does require you to have access to the computer's ADMIN$-share for it to install itself on the remote computer. You could use PowerShell remoting to achieve the same result as PsExec. This is just an example; any tool that can launch processes on a remote machine will do.
The first thing you need to do is to launch a command prompt and make sure you can run PsExec.exe.
You also need to have the Process Monitor on the remote machine. If you don’t, you can add the -C parameter to make PsExec copy it first.
Let's assume you have the Process Monitor on the remote machine for now and that the other machine has a folder called C:\Temp. We first need to start the trace on the remote machine. You can do this by running the following command:
Psexec.exe -sd \\computername procmon -accepteula -backingfile c:\temp\proc.pml -quiet
Now it's time to tell the customer to reproduce the problem. After the problem is reproduced, you need to stop the Procmon trace on the remote machine. You need to do this the right way or the trace file will become corrupted. You can do this by running the following command:
Psexec.exe -sd \\computername procmon -accepteula -terminate -quiet
Now you need to copy the trace file to your computer. You can do this by, for example, using the following command:
Xcopy \\computername\c$\temp\proc.pml c:\temp\
Now you can open the trace file on your own computer by using Procmon. You can do this from the GUI or by using the following command:
Procmon.exe /openlog c:\temp\proc.pml
You can use the Tools > System Details to verify that you are looking at a trace from a remote machine.
The Tools > Process Tree will come in handy if you want an easy way to see which processes were running when you made the trace. It also enables easy filtering of the problematic app.
You can easily use a script that you just run when you need a remote trace. Here is a quick example that would just require you to type Remote_Procmon.cmd COMPUTER1 if you are tracing a computer called COMPUTER1.
Psexec.exe -sd \\%1 procmon -accepteula -backingfile c:\temp\proc.pml -quiet
Psexec.exe -sd \\%1 procmon -accepteula -terminate -quiet
Xcopy \\%1\c$\temp\proc.pml c:\temp\
Procmon.exe /openlog c:\temp\proc.pm