Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

All Products: How To Collect a ProcMon to Troubleshoot Performance

All Products: How To Collect a ProcMon to Troubleshoot Performance

Environment

  • All Products
  • Microsoft Windows: All Supported Versions

Objective

How to collect a Proccess Monitor (ProcMon) capture to troubleshoot performance issues.

Resolution

  1. Download Process Monitor from Microsoft and extract the files to the desktop of the endpoint.
  2. Temporarily disable Tamper Protection (EDR Sensors / App Control Agents) in order to properly access stack information.
  3. Launch ProcMon and configure the capture as follows:
    • Press CTRL+E to stop the current capture.
    • Press CTRL+X to clear the current results.
    • Filter > Filter > Click Reset and uncheck Process Name > is System > OK
    • Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK
  4. Start the capture (CTRL+E) when ready to reproduce
  5. After reproduction, stop the capture (Ctrl+E).
  6. Use File > Save and use the following options:
    • Events to save: All events
    • Format: Native Process Monitor Format (PML)
  7. Compress the resulting PML file as a zip, and upload it to the Vault.

Additional Notes

  • Do not put any additional filters in place.
  • Specific diagnostics will need to be captured along with the ProcMon capture (Related Content).
  • Boot/Log in performance issues will require a ProcMon with Boot Logging enabled (Related Content).

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎08-31-2020
Views:
5886