- Hardening AppLocker - Thu, Jun 25 2020
- AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
- Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020
Procmon has a lot of command line parameters, but it doesn't have a parameter to operate against another computer.
Process monitor command line parameters
So we can't point Procmon at another machine. However, that doesn't mean we can't run it on the remote machine using PsExec.exe. PsExec.exe is another Sysinternals tool that you can download from the same locations as Procmon. It does require you to have access to the computer's ADMIN$-share for it to install itself on the remote computer. You could use PowerShell remoting to achieve the same result as PsExec. This is just an example; any tool that can launch processes on a remote machine will do.
The first thing you need to do is to launch a command prompt and make sure you can run PsExec.exe.
PsExec can be used to launch processes on remote Windows machines
You also need to have the Process Monitor on the remote machine. If you don’t, you can add the -C parameter to make PsExec copy it first.
Let's assume you have the Process Monitor on the remote machine for now and that the other machine has a folder called C:\Temp. We first need to start the trace on the remote machine. You can do this by running the following command:
Psexec.exe -sd \\computername procmon -accepteula -backingfile c:\temp\proc.pml -quiet
Starting a Procmon trace on a remote machine
Now it's time to tell the customer to reproduce the problem. After the problem is reproduced, you need to stop the Procmon trace on the remote machine. You need to do this the right way or the trace file will become corrupted. You can do this by running the following command:
Psexec.exe -sd \\computername procmon -accepteula -terminate -quiet
Gracefully stopping a Procmon trace on a remote machine
Now you need to copy the trace file to your computer. You can do this by, for example, using the following command:
Xcopy \\computername\c$\temp\proc.pml c:\temp\
Using Xcopy to copy over a trace file
Now you can open the trace file on your own computer by using Procmon. You can do this from the GUI or by using the following command:
Procmon.exe /openlog c:\temp\proc.pml
Opening a Procmon trace file previously captured from the remote machine
You can use the Tools > System Details to verify that you are looking at a trace from a remote machine.
System Details shows basic info of the trace
The Tools > Process Tree will come in handy if you want an easy way to see which processes were running when you made the trace. It also enables easy filtering of the problematic app.
Process Tree (Ctrl+T) is great for seeing what was running and for filtering
You can easily use a script that you just run when you need a remote trace. Here is a quick example that would just require you to type Remote_Procmon.cmd COMPUTER1 if you are tracing a computer called COMPUTER1.
Remote_Procmon.cmd
Subscribe to 4sysops newsletter!
@echo off Psexec.exe -sd \\%1 procmon -accepteula -backingfile c:\temp\proc.pml -quiet Pause Psexec.exe -sd \\%1 procmon -accepteula -terminate -quiet Xcopy \\%1\c$\temp\proc.pml c:\temp\ Del \\%1\c$\temp\proc.pml Procmon.exe /openlog c:\temp\proc.pm
Great as always.
Xcopy \\computername\c$\temp\proc.pml c:\temp\
computername -> %1
Thanks! Fixed it!
Sorry for the dumb question. Is there a native powershell way to do this, without using psexec? I'm trying with Invoke-Command and Start-Process or with "&" but nothing happens even if I don't get an error.
This doesn't work when the target is a Windows container. The Procmon process seems to freeze after putting 4 MB in the log file, and /terminate does not work (so it has to be killed).
Any suggestions are welcome!