When I need to troubleshoot a problem in Windows, the first things I ask my customer to provide are a Process Monitor trace and a network trace. Process Monitor is the second most downloaded tool from the Sysinternals toolkit. You can download it as part of the Sysinternals Suite. Sometimes you don't have access to the computer to run the tool interactively, or you don't want the end user seeing Procmon running on the computer. In the next post, I will show how you can acquire a Process Monitor trace from a remote computer.
Latest posts by Sami Laiho (see all)

Procmon has a lot of command line parameters, but it doesn't have a parameter to operate against another computer.

Process monitor command line parameters

So we can't point Procmon at another machine. However, that doesn't mean we can't run it on the remote machine using PsExec.exe. PsExec.exe is another Sysinternals tool that you can download from the same locations as Procmon. It requires access to the remote computer's ADMIN$ share so that it can install its service on that computer. You could use PowerShell remoting to achieve the same result as PsExec. This is just an example; any tool that can launch processes on a remote machine will do.

The first thing you need to do is to launch a command prompt and make sure you can run PsExec.exe.

PsExec can be used to launch processes on remote Windows machines

You also need to have Process Monitor on the remote machine. If you don't, you can add the -C parameter to make PsExec copy it there first.

Let's assume you have the Process Monitor on the remote machine for now and that the other machine has a folder called C:\Temp. We first need to start the trace on the remote machine. You can do this by running the following command:

Psexec.exe -sd \\computername procmon -accepteula -backingfile c:\temp\proc.pml -quiet
Starting a Procmon trace on a remote machine

Now it's time to tell the customer to reproduce the problem. After the problem is reproduced, you need to stop the Procmon trace on the remote machine. You need to do this the right way or the trace file will become corrupted. You can do this by running the following command:

Psexec.exe -sd \\computername procmon -accepteula -terminate -quiet
Gracefully stopping a Procmon trace on a remote machine

Now you need to copy the trace file to your computer. You can do this by, for example, using the following command:

Xcopy \\computername\c$\temp\proc.pml c:\temp\
Using Xcopy to copy over a trace file

Now you can open the trace file on your own computer by using Procmon. You can do this from the GUI or by using the following command:

Procmon.exe /openlog c:\temp\proc.pml
Opening a Procmon trace file previously captured from the remote machine

You can use Tools > System Details to verify that you are looking at a trace from the remote machine.

System Details shows basic info of the trace

The Tools > Process Tree will come in handy if you want an easy way to see which processes were running when you made the trace. It also enables easy filtering of the problematic app.

Process Tree (Ctrl+T) is great for seeing what was running and for filtering

You can easily use a script that you just run when you need a remote trace. Here is a quick example that would just require you to type Remote_Procmon.cmd COMPUTER1 if you are tracing a computer called COMPUTER1.

Remote_Procmon.cmd

@echo off
REM Usage: Remote_Procmon.cmd COMPUTERNAME
REM Start the trace on the remote machine (-s runs it as SYSTEM, -d returns without waiting)
Psexec.exe -sd \\%1 procmon -accepteula -backingfile c:\temp\proc.pml -quiet
REM Wait here until the customer has reproduced the problem
Pause
REM Stop the trace gracefully; killing Procmon would corrupt the backing file
Psexec.exe -sd \\%1 procmon -accepteula -terminate -quiet
REM Copy the trace over the admin share, clean up, and open the local copy
Xcopy \\%1\c$\temp\proc.pml c:\temp\
Del \\%1\c$\temp\proc.pml
Procmon.exe /openlog c:\temp\proc.pml
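The same workflow over PowerShell remoting instead of PsExec, as an added example that is not part of the original post. It assumes WinRM is enabled on the target, that Procmon.exe already sits in C:\Temp there, and that your account is a local administrator on the target; unlike the PsExec version it waits for Procmon to exit before copying the file, which the -d (don't wait) flag in the script above does not do.

```powershell
# Added example (not the author's script): remote Procmon capture via WinRM.
# Assumptions: Procmon.exe in C:\Temp on the target, caller is a local admin there.
# Note: this runs Procmon under your own account, not as SYSTEM like "psexec -s".
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$RemoteDir = 'C:\Temp',
    [string]$LocalDir  = 'C:\Temp'
)

$remotePml = Join-Path $RemoteDir 'proc.pml'
# Keep one session open for the whole capture: Procmon is started as a child of
# the remoting host process, and closing the session can take it down with it.
$session = New-PSSession -ComputerName $ComputerName

# 1. Start the trace detached (no -Wait) so the remote command returns immediately.
Invoke-Command -Session $session -ScriptBlock {
    param($dir, $pml)
    Start-Process -FilePath (Join-Path $dir 'Procmon.exe') `
        -ArgumentList '-accepteula', '-backingfile', $pml, '-quiet'
} -ArgumentList $RemoteDir, $remotePml

Read-Host 'Reproduce the problem on the remote machine, then press Enter to stop the trace'

# 2. Stop gracefully with -terminate and wait until every Procmon instance
#    (Procmon.exe and the Procmon64.exe it spawns) has exited, so the PML is flushed.
Invoke-Command -Session $session -ScriptBlock {
    param($dir)
    Start-Process -FilePath (Join-Path $dir 'Procmon.exe') `
        -ArgumentList '-accepteula', '-terminate', '-quiet' -Wait
    while (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
        Start-Sleep -Milliseconds 500
    }
} -ArgumentList $RemoteDir

# 3. Pull the trace back through the session (no C$ share needed) and clean up.
Copy-Item -FromSession $session -Path $remotePml -Destination $LocalDir
Invoke-Command -Session $session -ScriptBlock { param($p) Remove-Item $p } -ArgumentList $remotePml
Remove-PSSession $session

# 4. Open the local copy; Tools > System Details in Procmon confirms the origin host.
& (Join-Path $LocalDir 'Procmon.exe') /openlog (Join-Path $LocalDir 'proc.pml')
```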
5 Comments
  1. Frank Ketelsen 4 years ago

    Great as always.

  2. Sergey 4 years ago

    Xcopy \\computername\c$\temp\proc.pml c:\temp\

    computername -> %1

  3. Martin 4 years ago

    Sorry for the dumb question. Is there a native PowerShell way to do this, without using PsExec? I'm trying with Invoke-Command and Start-Process or with "&" but nothing happens even if I don't get an error.

  4. Robert Schmidt 3 years ago

    This doesn't work when the target is a Windows container. The Procmon process seems to freeze after putting 4 MB in the log file, and /terminate does not work (so it has to be killed).

    Any suggestions are welcome!

© 4sysops 2006 - 2023