Environment
- Microsoft Windows: All Supported Versions
- Carbon Black: All Supported Products
Objective
To collect a Process Monitor (ProcMon) capture during boot time.
Resolution
- Download Process Monitor from Microsoft and extract the files to the desktop of the endpoint.
- Launch Procmon and choose Options > Enable Boot Logging > Generate thread profiling events > Every 100 milliseconds.
- Click OK and reboot the endpoint.
- After the reboot, open Process Monitor from the desktop.
- When prompted, click Yes to save the boot-time activity captured by Process Monitor as a PML file on the desktop (Ex: Laptop1-bootlog.pml).
- Close Process Monitor, then re-open the saved PML to verify it loads correctly without errors.
- Compress the resulting PML file as a zip, and upload it to the Vault.
- Once the upload completes, comment on the case in Support that the logs are available for review.
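The packaging and verification steps above, scripted as an added PowerShell example (this is not part of the Carbon Black article and not a Carbon Black tool). It assumes Procmon.exe was extracted to the desktop, that the PML files follow the `<hostname>-bootlog*.pml` naming used in the example above, and that the EDR sensor binary lives at C:\Windows\CarbonBlack\cb.exe; adjust those paths for your environment.

```powershell
# Added example (not from the Carbon Black KB article): collect, sanity-check and zip the
# boot-log PML file(s) Process Monitor produced, ready for upload to the Vault.
# Assumptions (not stated on the page): Procmon.exe sits on the desktop, the PML files are
# named <hostname>-bootlog*.pml, and the sensor binary is C:\Windows\CarbonBlack\cb.exe.

$Desktop = [Environment]::GetFolderPath('Desktop')
$Procmon = Join-Path $Desktop 'Procmon.exe'
$Pattern = "$env:COMPUTERNAME-bootlog*.pml"
$ZipPath = Join-Path $Desktop "$env:COMPUTERNAME-bootlog.zip"
$CbExe   = 'C:\Windows\CarbonBlack\cb.exe'   # assumed sensor path; adjust for your install

# 1. Find every boot-log PML on the desktop. Procmon splits a long boot into -1, -2, ... files,
#    and the article asks for all of them in one archive.
$pmlFiles = Get-ChildItem -Path $Desktop -Filter $Pattern -File | Sort-Object Name
if (-not $pmlFiles) {
    throw "No PML files matching '$Pattern' on the desktop. Was boot logging enabled before the reboot?"
}

# 2. A zero-byte capture means nothing was recorded; refuse to package it.
foreach ($f in $pmlFiles) {
    if ($f.Length -eq 0) { throw "$($f.Name) is empty; re-run the capture." }
    Write-Host ("{0,-40} {1,10:N0} KB" -f $f.Name, ($f.Length / 1KB))
}

# 3. Re-open the first PML in Procmon so the operator can confirm it loads without errors.
#    /AcceptEula and /OpenLog are Procmon's own command-line switches; the check itself is visual.
if (Test-Path $Procmon) {
    Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/OpenLog', "`"$($pmlFiles[0].FullName)`""
}

# 4. Zip all PML files together into a single archive for the Vault.
Compress-Archive -Path $pmlFiles.FullName -DestinationPath $ZipPath -CompressionLevel Optimal -Force
Write-Host "Archive ready for upload to the Vault: $ZipPath"

# 5. Tamper Detection reminder: on sensor 7.2.0 and higher the capture only contains stack
#    information for cb.exe if Tamper Detection was disabled via policy beforehand.
if (Test-Path $CbExe) {
    # FileVersion is read from the binary's version resource; the 7.2.0 threshold is the article's.
    $ver = [version](Get-Item $CbExe).VersionInfo.FileVersion
    if ($ver -ge [version]'7.2.0') {
        Write-Warning "Sensor $ver detected: confirm Tamper Detection was disabled via policy during the capture."
    }
}
```

Run the script from an elevated PowerShell prompt after the post-reboot save prompt has been answered; it stops with an error rather than producing an empty archive if no PML was written, which is the most common reason a boot log comes back unusable.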
Additional Notes
- In some instances, multiple PML files are generated (Ex: Laptop1-Bootlog-1.PML, Laptop1-Bootlog-2.PML). In these instances, all PML files should be zipped together and provided.
- EDR Sensors version 7.2.0 and higher will require Tamper Detection to be disabled via Policy before capture, to allow Procmon to access cb.exe for stack information.