Process Monitor from Microsoft is hugely popular and widely used to monitor events such as registry or file related updates.
If Process Monitor is used to track an event (e.g., a registry change) system wide in an unattended scenario, some customization is needed, since Process Monitor produces a large amount of log data in a short span of time, i.e., around 5 GB in 30 minutes.
The plan is to check the Process Monitor log files every 30 minutes for the event, take a snapshot and clear the logs. Using a Task Scheduler task and UI Automation (UIA), this can be accomplished as discussed below.
Background
It was noticed that on a particular Windows 10 machine, the Windows scaling factor changed from 100% to 150% randomly over a period of 1 week. The plan was to track changes made to the registry entry hkcu\control panel\desktop\logpixels.
Implementation
The solution should be generic so that it can be deployed seamlessly on different PCs.
When done manually, the following steps are executed.
Steps
- The first time, folders for the Procmon logs and captured events are created, and the configuration is imported from ProcMonConfiguration.pmc.
- After that, when a specific user logs in, the unprocessed logs are scanned for the event and cleared.
- Every 30 minutes the logs are scanned for the event; if it is found, the logs are saved, and the logs are then cleared.
Step 1
Init.cmd does the initial setup.
Add a filter for the registry entry as shown below:
Change the file backing as shown below. A dedicated folder is required.
Step 2
The startpm task is executed on logon of a specific user. This task runs savepmlog.cmd.
Step 3
The savepmlog task is executed every 30 minutes after logon of a specific user. This task runs savepmlog.cmd.
Init.cmd
This script does the initial setup discussed above.
@echo on
rem Recreate the working folders: pmlogs holds the Procmon backing file,
rem capture holds the saved snapshot/CSV pairs and results.log.
rd /s /q c:\temp\procmon
md c:\temp\procmon\capture
md c:\temp\procmon\pmlogs
rem Scheduled tasks for user rvvya: run savepmlog.cmd at logon and every 30 minutes.
rem /it runs the task only while that user is logged on, which the UIA step needs.
schtasks /create /f /sc onlogon /tn startpm /it /ru rvvya /tr "%~dp0savepmlog.cmd"
schtasks /create /f /sc minute /mo 30 /tn savepmlog /it /ru rvvya /tr "%~dp0savepmlog.cmd"
rem Stop any running Procmon, then start it with the saved filter and backing-file configuration.
start "" "%~dp0..\bin\Procmon64.exe" /accepteula /terminate
start "" "%~dp0..\bin\Procmon64.exe" /quiet /loadconfig "%~dp0ProcmonConfiguration.pmc"
savepmlog.cmd
This script checks the logs for the event, saves the log along with a screenshot if the event is found, and then clears all logs.
@echo on
setlocal enabledelayedexpansion
rem Remove leftovers from the previous run (2>nul also hides "Could Not Find").
del C:\temp\procmon\capture\snapshot.bmp 2>nul
del C:\temp\procmon\capture\logfile.csv 2>nul
rem Stop the live capture so the backing file can be reopened as a log.
tasklist /fi "imagename eq Procmon64.exe" | find /i "Procmon64.exe">nul
if !errorlevel! equ 0 start "" /wait "%~dp0..\bin\Procmon64.exe" /Terminate
rem Reopen the backing file; savelog.exe (UIA) takes the snapshot, exports the CSV and clears the log.
start "" "%~dp0..\bin\Procmon64.exe" /quiet /openlog C:\temp\procmon\pmlogs\uiatest.PML
echo saving....
start "" /min /wait "%~dp0..\bin\savelog.exe"
call :rename_logfile
goto :eof

:rename_logfile
rem Build a timestamped name; ':' and '/' are not valid in file names.
set logfile=logfile_%date%_%time%
set logfile=%logfile::=_%
set logfile=%logfile:/=_%
rem Count the lines in the export: a header-only file (1 line) means no matching event.
rem (Matching the text ": 1" would also match counts such as 10 or 12.)
set count=0
for /f %%c in ('type C:\temp\procmon\capture\logfile.csv 2^>nul ^| find /c /v ""') do set count=%%c
if !count! leq 1 (
    del C:\temp\procmon\capture\snapshot.bmp 2>nul
    del C:\temp\procmon\capture\logfile.csv 2>nul
    echo %date% %time% not found >> C:\temp\procmon\capture\results.log
) else (
    move C:\temp\procmon\capture\snapshot.bmp "C:\temp\procmon\capture\%logfile%.bmp"
    move C:\temp\procmon\capture\logfile.csv "C:\temp\procmon\capture\%logfile%.csv"
    echo %date% %time% found >> C:\temp\procmon\capture\results.log
)
exit /b
Savelog.exe
This executable is driven by UIA and is launched by savepmlog.cmd. It takes a snapshot, saves the Procmon log and then clears it.
Deployment
The solution is deployed with the following layout:
\bin
UI Automation executables and their libraries, and the Process Monitor executable.
\scripts
The Task Scheduler scripts described above and the setup script.
Demo
The following movie shows the actual operation:
1. Regedit is started to add an event.
2. The savepmlog task is triggered to check and record.
Output
The output files are available in the C:\temp\procmon\capture folder.
Snapshot: logfile_11-06-2022_15_26_36.34.bmp
Saved log file: logfile_11-06-2022_15_26_36.34.csv
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:26:06.7849475","regedit.exe","10344","RegQueryValue","HKCU\Control Panel\Desktop\LogPixels","SUCCESS","Type: REG_DWORD, Length: 4, Data: 150"
results.log
11-06-2022 14:32:30.01 not found
11-06-2022 15:00:22.52 not found
11-06-2022 15:26:36.36 found
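The line-count check in savepmlog.cmd treats any row in the export as a hit, and the row saved above is a RegQueryValue, a read of the key rather than a change. The PowerShell below is an added example, not part of the original scripts: it post-processes the same CSV to tell writes from reads, so results.log records which process changed the value and to what. The paths are the capture folder from this page; the sample rows are constructed in the export's column layout.

```powershell
# Added example, not part of the original scripts. It reads the CSV that
# savepmlog.cmd leaves behind and tells writes to LogPixels apart from reads.
# Assumed paths: the capture folder used on the page.
param(
    [string]$CsvPath   = 'C:\temp\procmon\capture\logfile.csv',
    [string]$ResultLog = 'C:\temp\procmon\capture\results.log'
)

# Constructed sample in the export's column layout (the first data row is the page's own);
# used only when no real export exists, so the script also runs offline.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:26:06.7849475","regedit.exe","10344","RegQueryValue","HKCU\Control Panel\Desktop\LogPixels","SUCCESS","Type: REG_DWORD, Length: 4, Data: 150"
"15:26:07.0012345","regedit.exe","10344","RegSetValue","HKCU\Control Panel\Desktop\LogPixels","SUCCESS","Type: REG_DWORD, Length: 4, Data: 150"
'@
$rows = if (Test-Path $CsvPath) { Import-Csv -Path $CsvPath } else { $sample | ConvertFrom-Csv }

# Operations that change the key; anything else (RegQueryValue, RegOpenKey, ...) is only a read.
$writeOps = 'RegSetValue', 'RegCreateKey', 'RegDeleteValue', 'RegDeleteKey'
$writes = @($rows | Where-Object { $_.Operation -in $writeOps -and $_.Result -eq 'SUCCESS' })
$reads  = @($rows | Where-Object { $_.Operation -notin $writeOps })

$stamp = Get-Date -Format 'dd-MM-yyyy HH:mm:ss.ff'   # same shape as results.log on the page
if ($writes.Count -eq 0) {
    $line = "$stamp not found (reads only: $($reads.Count))"
} else {
    # One entry per successful write: process, PID, operation and the new value from Detail.
    $who = foreach ($w in $writes) {
        $data = if ($w.Detail -match 'Data:\s*(\S+)') { $Matches[1] } else { '?' }
        "$($w.'Process Name')[$($w.PID)] $($w.Operation) -> $data at $($w.'Time of Day')"
    }
    $line = "$stamp found: " + ($who -join '; ')
}
$line
# Append only when the capture folder exists (it will not on an offline test run).
if (Test-Path (Split-Path -Parent $ResultLog)) { Add-Content -Path $ResultLog -Value $line }
```

Run it from savepmlog.cmd after savelog.exe has produced logfile.csv, or on its own against a saved logfile_*.csv to review an earlier capture.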
Source and Binaries can be found here.