
How to Collect Procmon Logs with Boot-logging Enabled

Environment

  • Microsoft Windows: All Supported Versions
  • Carbon Black: All Supported Products

Objective

To collect a Process Monitor (ProcMon) capture during boot time.

Resolution

  1. Download Process Monitor from Microsoft and extract the files to the desktop of the endpoint.
  2. Launch Procmon.exe and choose Options > Enable Boot Logging. In the dialog that opens, check Generate thread profiling events and select Every 100 milliseconds.
  3. Click OK and reboot the endpoint.
  4. After the reboot, log on and run Procmon.exe from the desktop as soon as practical. Boot logging continues until Procmon is started again (or the system shuts down), so the longer you wait, the larger the boot log becomes.
  5. When prompted, click Yes to save the boot-time activity recorded by Process Monitor as a PML file on the desktop (Ex: Laptop1-bootlog.pml).
  6. Close Process Monitor, then re-open the saved PML (File > Open, or Procmon.exe /OpenLog) to verify it loads without errors.
  7. Compress the resulting PML file as a zip, and upload it to the Vault.
  8. Once the upload completes, comment on the case in Support that the logs are available for review.

Additional Notes

  • In some instances multiple PML files are generated (Ex: Laptop1-Bootlog-1.PML, Laptop1-Bootlog-2.PML). In these instances all of the PML files should be zipped together into one archive and provided.
  • EDR sensors version 7.2.0 and higher require Tamper Detection to be disabled in the sensor policy before the capture; otherwise Procmon cannot access cb.exe to resolve stack information. Re-enable Tamper Detection once the capture is complete.
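The script below is an added example, not part of this article and not Carbon Black or Microsoft tooling. It automates the parts of the procedure above that do not require the Procmon GUI: the download and extraction in step 1, the Tamper Detection check from the note above, and the packaging and verification in steps 6 and 7 (including the case where several PML segments were written). Enabling boot logging itself must still be done in the Procmon GUI before the reboot; Procmon has no documented command-line switch for it. Assumed, and not stated on the page: the EDR sensor binary is at C:\Windows\CarbonBlack\cb.exe, the saved boot log name contains "bootlog", and the -Stage, -CaseId and -Desktop parameters are this script's own.

```powershell
# Added example (not from the original article). Run elevated in PowerShell on the endpoint:
#   .\Collect-ProcmonBootLog.ps1 -Stage Prepare            # before enabling boot logging
#   .\Collect-ProcmonBootLog.ps1 -Stage Package -CaseId 12345   # after saving the PML
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [ValidateSet('Prepare', 'Package')]
    [string]$Stage = 'Prepare',
    [string]$Desktop = [Environment]::GetFolderPath('Desktop'),
    [string]$CaseId = 'CASE'
)

$ErrorActionPreference = 'Stop'
$procmonDir = Join-Path $Desktop 'ProcessMonitor'
$procmonExe = Join-Path $procmonDir 'Procmon.exe'

function Get-SensorVersion {
    # Assumed install path for the EDR sensor; adjust if the sensor lives elsewhere.
    $cb = 'C:\Windows\CarbonBlack\cb.exe'
    if (Test-Path $cb) { return (Get-Item $cb).VersionInfo.ProductVersion }
    return $null
}

switch ($Stage) {
    'Prepare' {
        # Step 1: fetch Process Monitor from Microsoft and extract it to the desktop.
        $zip = Join-Path $env:TEMP 'ProcessMonitor.zip'
        Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/ProcessMonitor.zip' -OutFile $zip
        Expand-Archive -Path $zip -DestinationPath $procmonDir -Force

        # Tamper Detection note: sensors 7.2.0+ block Procmon from reading cb.exe for stacks.
        $ver = Get-SensorVersion
        if ($ver) {
            try {
                if ([version]$ver -ge [version]'7.2.0') {
                    Write-Warning "EDR sensor $ver found: disable Tamper Detection in the policy before enabling boot logging."
                }
            } catch { Write-Warning "Could not parse sensor version '$ver'; check the Tamper Detection setting manually." }
        }

        # Accept the EULA non-interactively so the capture window opens directly; the operator
        # then uses Options > Enable Boot Logging (thread profiling, every 100 ms) and reboots.
        Start-Process -FilePath $procmonExe -ArgumentList '/AcceptEula'
    }
    'Package' {
        # Steps 6-7: collect every PML segment, sanity-check it, and zip them into one archive.
        $pmls = @(Get-ChildItem -Path $Desktop -Filter '*bootlog*.pml')
        if ($pmls.Count -eq 0) {
            throw "No boot log PML found on $Desktop. Run Procmon again and click Yes when asked to save the boot-time activity."
        }
        foreach ($p in $pmls) {
            if ($p.Length -eq 0) { throw "$($p.Name) is empty; the boot capture did not complete." }
        }

        $out = Join-Path $Desktop "$env:COMPUTERNAME-$CaseId-bootlog.zip"
        Compress-Archive -Path $pmls.FullName -DestinationPath $out -Force
        $hash = (Get-FileHash -Path $out -Algorithm SHA256).Hash
        Write-Output "Packaged $($pmls.Count) PML file(s) into $out"
        Write-Output "Upload the zip to the Vault and quote SHA256 $hash in the case comment."

        # Verification from step 6: reopen the first segment in Procmon to confirm it parses.
        Start-Process -FilePath $procmonExe -ArgumentList "/OpenLog `"$($pmls[0].FullName)`""
    }
}
```

The SHA-256 is printed so the support engineer can confirm the upload in the Vault matches what was produced on the endpoint; the zip name includes the hostname so logs from several machines on one case do not collide.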

Article Information
Creation Date: 12-27-2017