Environment

• All Products
• Microsoft Windows: All Supported Versions

Objective

Resolution

1. Download ProcmonLowAlt.zip which is attached to the bottom of this article
2. Unzip ProcmonLowAlt.zip and double click on ProcmonLowAlt.exe 
3. Select "Yes" on the User Account Control message "Do you want to allow this app from an unknown publisher to make changes to your device?" Publisher: Unknown, File Origin: Hard drive on this computer
4. Reproduce the Issue
5. Please zip the capture and upload to CBVault

1. Download Procmon https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
2. Run Procmon as an Administrator and close the application to create the registry entries needed
3. Open Regedit.exe and find "HKLM\System\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance"
4. Adjust "Altitude" to "20000"
5. To avoid resetting the change right click on the "Process Monitor 23 Instance" key and select Permissions...
6. Select "Advanced" 
7. Under the Permissions tab, select "Add"
   • Open "Select Principle" and type "everyone". Hit "Check Names" and then OK
   • Type: Deny
   • Applies to: This key and subkeys
   • Show Advanced Permissions
   • Select only "Set Value" and "Delete"
8. Click Apply for both "Advanced Security Settings for Process Monitor 23 Instance" and "Permissions for Process Monitor 23 Instance" to take affect
9. Reboot the machine to take affect
10. When running a procmon capture, confirm the altitude did not revert by running fltmc in cmd ran as administrator. It will show PROCMON23 at the bottom of the list with an altitude of 20000
11. Reproduce the Issue
12. Please zip the capture and upload to CBVault

Additional Notes

• The 'ProcmonLowAlt.zip' file attached to the bottom of this article does not require configuration steps, nor reboot. Reboot is required if Procmon is downloaded directly from Microsoft; however, the Procmon included in 'ProcmonLowAlt.zip' file has not been signed 
• Procmon23 is the version installed in this example, the value will vary depending on the Procmon version installed
• The Altitude value allows the Sensor/Agent information to be captured, as default Sensor/Agent values are too low for capturing.
• Permissions change has to be made as Procmon will automatically revert the change
• Reboot is required as the Procmon filter driver is hooked into the kernel driver and unable to unload unless rebooted.
• For EDR Sensors 7.2.0 and higher, Tamper Protection will need to be disabled

Related Content

• Process Monitor - Sysinternals
• CB Response: How to Enable Verbose Logging Locally on Windows Sensor
• CB Response: How to Collect Windows Sensor Diagnostic Logs (6.2.2+) 
• CB Response: How to Collect Windows Sensor Diagnostic Logs (6.2.1 and below)
• CB Response: How to Run Procmon at Low Altitude for Sensor Capture
• Carbon Black Cloud: How To Collect Sensor Logs Locally (Windows)