Procmon is a useful tool if you want to trace file system, registry or network activity on a high level. Now assume you want to run a procmon trace but you are not sure when the specific event you want to trace happens and how long it takes to finish. In many cases you cannot be logged in for hours or days on a Windows server so it would be better to execute procmon in the background by using the Windows Task Scheduler.
The first thing we need to consider is setting our filter in procmon. As I am looking for file system activity in my C:\TestFolder directory, I have set up the following filter:
Furthermore, we will need to enable “Drop Filtered Events” in the filter menu to cause less load on our system:
When we are done with the filter settings we can save the configuration to a .pmc file by using the File menu and clicking the Export Configuration menu item.
We can create a small PowerShell script that will manage the start and stop of procmon with some parameters. The PowerShell script below defines the duration of the trace, where to find the procmon executable, the config file for the procmon filter settings which we saved earlier and the location where the trace file should be created.
The PowerShell script
### Define variables ###
$traceDurationMin = 120
$procmonExec = "C:\SysinternalsSuite\procmon.exe"
$porcmonConfigFile = "c:\temp\MyProcmonConfiguration2.pmc"
$traceDir = "c:\temp"
#start procmon with params
$tsStart = Get-Date -UFormat "%Y_%m_%d_%H-%M-%S"
$traceFile = "$traceDir\procmon_trace_$($tsStart).pml"
& $procMonExec /Backingfile $traceFile /LoadConfig $porcmonConfigFile /Quiet /accepteula
[int]$dly = $traceDurationMin*60
$tsEnd = Get-Date -UFormat "%Y_%m_%d_%H-%M-%S"
Start-Process $procMonExec -ArgumentList " /terminate /accepteula" -Wait
$traceFileArchive = $traceFile -replace $tsStart, "$tsStart-$tsEnd"
Move-Item $traceFile $traceFileArchive
I used the /terminate switch of procmon to gracefully stop the trace. Before I rename the file I wait for procmon to stop, so I used the Start-Process PowerShell command with the -Wait switch. When the trace is finished I am renaming the file to include the starting and ending timestamp in the filename.
Scheduling and executing the script
The script can be scheduled with the Windows Task Scheduler. We need to make sure to use a User that has Admin privileges on the server. In case you need to set up the scheduling on more servers you can also create the Scheduled Task by using PowerShell as described in my post PowerShell and Scheduling.
After executing the task you will find a .pml trace file in the trace directory specified in the PowerShell script. The trace file can be opened with procmon.
Issues with the trace
When opening the trace file with procmon you might see the following error message:
The file C:\temp\tracefilename.pml is corrupt and cannot be opened.
This does not always mean that your trace file is corrupt. It can also mean that your trace file does not contain any trace events. You can verify this by checking the size of your trace file. Usually when the size of the trace file is below 2 MB it means that there were no events captured.