Command line Process Monitor log collection - ashish-gehani/SPADE GitHub Wiki

This page describes how to use Process Monitor from the command line. It can be used in a headless Windows 10 VirtualBox virtual machine (VM).

If needed, configure a Windows VM

  • Create and start a Windows 10 VM using VirtualBox.
  • Open PowerShell with Administrator privileges and enable `OpenSSH server'. To do so, follow the steps here.
  • Download and extract Process Monitor.
  • Stop the Windows VirtualBox VM.
  • In VirtualBox, update the Windows VM networking settings to enable port forwarding from host 0.0.0.0:2222 to guest <guest_ip>:22.
    • guest_ip can be found with the Windows command ipconfig.
  • Start the VirtualBox Windows VM with the `Headless Start’ option.
    • This can be done at the command line with VBoxManage.
  • On the host machine, use an ssh client to connect to the Windows VM:
    • ssh <windows_user_name>@localhost -p 2222

Run Process Monitor at the command line

  • In a Windows shell, navigate to the directory where Process Monitor was extracted.
  • Download the SPADE Process Monitor configuration from here.
  • Start Process Monitor to capture events:
    .\Procmon64.exe /BackingFile .\audit.pml /NoFilter /AcceptEula /LoadConfig .\spade.reporter.ProcMon.pmc /Quiet
    • /BackingFile: Only PML format is supported for the log to be saved. It will be converted to XML later.
    • /NoFilter: Do not use any saved/default filters.
    • /AcceptEula: Prevent a pop-up from appearing if Process Monitor has never been used before.
    • /LoadConfig: Path to the configuration file that specifies the items required.
    • /Quiet: Suppress the filter confirmation pop-up.
  • Perform the activity that is to be recorded.
  • Stop Process Monitor: .\Procmon64.exe /Terminate.
    • If Process Monitor is otherwise terminated (via the taskkill command, for example), the Process Monitor output audit.pml file may be corrupted.
    • To ensure that Process Monitor has stopped, the PowerShell command Get-Process Procmon64 can be used.

Convert PML to XML

  • The output file audit.pml can be converted to XML using the command:
    • .\Procmon64.exe /OpenLog .\audit.pml /LoadConfig .\spade.reporter.ProcMon.pmc /SaveAs .\audit.xml
    • This instance of Process Monitor does not need to be terminated explicitly. It will end when the conversion completes.

This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

⚠️ **GitHub.com Fallback** ⚠️