All Products: How to Collect a low Altitude Procmon Capture
By anadrowski, posted Jun 15, 2016 04:50 AM
Environment
All Products
Microsoft Windows: All Supported Versions
Objective
To collect a low altitude Process Monitor (ProcMon) capture.
Resolution
Option 1
1. Download ProcmonLowAlt.zip, which is attached to the bottom of this article.
2. Unzip ProcmonLowAlt.zip and double-click ProcmonLowAlt.exe.
3. Select "Yes" on the User Account Control message "Do you want to allow this app from an unknown publisher to make changes to your device?" (Publisher: Unknown, File Origin: Hard drive on this computer).
4. Reproduce the issue.
5. Use File > Save with the following options:
   Events to save: All events
   Format: Native Process Monitor Format (PML)
6. Zip the capture and upload it to CBVault.
Option 2
1. Download Process Monitor from Microsoft and extract the files to the desktop of the endpoint.
2. Run Procmon as an Administrator, then close the application so that it creates the registry entries needed below.
3. Open Regedit.exe and find "HKLM\System\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance".
4. Change "Altitude" to "20000".
5. To stop Procmon from resetting the change, right-click the "Process Monitor 23 Instance" key and select Permissions...
   a. Select "Advanced".
   b. Under the Permissions tab, select "Add".
   c. Open "Select Principal", type "everyone", click "Check Names" and then OK.
   d. Type: Deny
   e. Applies to: This key and subkeys
   f. Click "Show advanced permissions" and select only "Set Value" and "Delete".
   g. Click Apply in both "Advanced Security Settings for Process Monitor 23 Instance" and "Permissions for Process Monitor 23 Instance" for the change to take effect.
6. Reboot the machine for the altitude change to take effect.
7. Before running the Procmon capture, confirm the altitude did not revert by running fltmc in a Command Prompt started as Administrator. PROCMON23 should appear at the bottom of the list with an altitude of 20000.
8. Reproduce the issue.
9. Use File > Save with the following options:
   Events to save: All events
   Format: Native Process Monitor Format (PML)
10. Zip the capture and upload it to CBVault.
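The following PowerShell script is an added example and is not part of this article, nor code from Microsoft or Carbon Black. It performs Option 2 steps 3 through 5 (set Altitude, then add the Deny ACE for Everyone on Set Value and Delete) and provides a check for step 7 that parses the output of fltmc. It assumes Procmon has already been started as Administrator once and closed, so the service and instance keys exist, and it locates the PROCMON<nn> service key with a pattern rather than hard-coding Procmon23, because the numeric suffix changes between Procmon versions. Function names and the -CheckOnly switch are this example's own.

```powershell
# Added example (not the article's own code). Run from an elevated PowerShell.
#   .\Set-ProcmonLowAltitude.ps1              -> set Altitude and protect the key, then reboot
#   .\Set-ProcmonLowAltitude.ps1 -CheckOnly   -> after reboot, report the loaded PROCMON altitude
param([switch]$CheckOnly)

$TargetAltitude = '20000'   # value the article specifies; Altitude is a REG_SZ

function Get-ProcmonInstanceKey {
    # Returns the "... Instance" subkey under Services\PROCMON<nn>\Instances.
    $svc = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
           Where-Object { $_.PSChildName -match '^PROCMON\d+$' } |
           Select-Object -First 1
    if (-not $svc) { throw 'No Procmon service key found. Run Procmon as Administrator once and close it.' }
    $inst = Get-ChildItem (Join-Path $svc.PSPath 'Instances') | Select-Object -First 1
    if (-not $inst) { throw "No instance key found under $($svc.PSChildName)\Instances." }
    return $inst
}

function Set-ProcmonAltitude {
    param([string]$Altitude = $TargetAltitude)
    $inst = Get-ProcmonInstanceKey
    # Article step 4: Altitude -> 20000 (kept as a string to match the REG_SZ type).
    Set-ItemProperty -Path $inst.PSPath -Name 'Altitude' -Value $Altitude -Type String
    Write-Host "Set Altitude=$Altitude on $($inst.PSChildName)"
    return $inst
}

function Protect-ProcmonInstanceKey {
    # Article step 5: Deny Everyone "Set Value" and "Delete" on this key and subkeys,
    # so Procmon cannot rewrite the altitude the next time it starts.
    param($Inst)
    $acl      = Get-Acl -Path $Inst.PSPath
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # Everyone (locale-independent SID)
    $rights   = [System.Security.AccessControl.RegistryRights]::SetValue -bor [System.Security.AccessControl.RegistryRights]::Delete
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # "This key and subkeys"
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Inst.PSPath -AclObject $acl
    Write-Host "Denied Set Value and Delete for Everyone on $($Inst.PSChildName)"
}

function Get-LoadedProcmonAltitude {
    # Article step 7: parse 'fltmc filters' (columns: Filter Name, Num Instances,
    # Altitude, Frame) and return the loaded PROCMON filter and its altitude, or $null.
    foreach ($line in (fltmc filters 2>$null)) {
        if ($line -match '^\s*(PROCMON\d+)\s+(\d+)\s+(\S+)') {
            return [pscustomobject]@{ Filter = $Matches[1]; Altitude = $Matches[3] }
        }
    }
    return $null
}

if ($CheckOnly) {
    $loaded = Get-LoadedProcmonAltitude
    if ($null -eq $loaded) { Write-Host 'PROCMON filter is not loaded; start a Procmon capture first.' }
    elseif ($loaded.Altitude -eq $TargetAltitude) { Write-Host "OK: $($loaded.Filter) loaded at altitude $($loaded.Altitude)" }
    else { Write-Host "Altitude reverted: $($loaded.Filter) is at $($loaded.Altitude), expected $TargetAltitude" }
    return
}

$inst = Set-ProcmonAltitude
Protect-ProcmonInstanceKey -Inst $inst
Write-Host 'Reboot, start a Procmon capture, then re-run this script with -CheckOnly.'
```

The Deny ACE applies to Everyone, which includes administrators, so once it is in place the value cannot be changed again (by this script or by Regedit) until the ACE is removed; that is why the verification path is a separate -CheckOnly switch rather than a re-run of the whole script. The check reads fltmc only after a capture has been started, because the PROCMON filter is only loaded while Procmon is capturing.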
Additional Notes
The 'ProcmonLowAlt.zip' file attached to the bottom of this article requires neither the configuration steps nor a reboot. A reboot is required only when Procmon is downloaded directly from Microsoft; however, the Procmon included in 'ProcmonLowAlt.zip' has not been signed.
Procmon23 is the version installed in this example; the key name will vary depending on the Procmon version installed.
Lowering the Altitude value allows the Sensor/Agent activity to be captured; at the default altitudes the Sensor/Agent filters sit too low for Procmon to capture them.
The permissions change is required because Procmon will otherwise automatically revert the Altitude value.
A reboot is required because the Procmon filter driver is loaded into the kernel and cannot be unloaded without a reboot.
For EDR Sensors 7.2.0 and higher, Tamper Protection will need to be disabled.
Related Content
All Products: How To Collect a ProcMon to Troubleshoot Performance
App Control: Anti-Virus Exclusions for Agent (Windows)
App Control: How to Disable/Enable Tamper Protection
App Control: How To Collect Agent Performance Logs on Windows (Locally)
EDR: Which Sensor directories need exclusion from 3rd party security products?
EDR: How to Get Started with Tamper Protection?
EDR: Enable verbose logging locally on Windows sensor
How to Collect Procmon Logs with Boot-logging Enabled
How to Collect a WPR (Windows Performance Recorder) Trace
Attachment(s):
7383_ProcmonLowAlt.zip