none
SOLVED -> what does procmon load or do while capturing process RRS feed

  • Question

  • Hi,

    we run a special batch (word) with something like this:

    normal User (not Admin) User1 starts following batch program  (second user is also no admin)
    runas /user:user2@domain /savecred "cmd.exe /k \special Programm starts word and end word".bat\

    1. If i start the batch without procmoc.exe - Time is most about 25 seconds. Even rarely very short at 5 seconds.
    2. If i start the batch with a procmon.exe and capturing process (with Filter winword.exe) every batch is about 5 seconds.
    3. If i start the batch with procmon.exe and without capturing process every batch process is like 1. (25 sec.)

    Could you tell me what does procmon.exe do while capturing. (are special dll loaded or is there a docu about )

    Thanks for a tip

    celtar


    • Edited by celtar1 Tuesday, July 30, 2019 9:20 AM
    Monday, July 29, 2019 6:20 PM

All replies

  • Really really strange.. because capturing a trace with Procmon add for sure an overhead to all the process running in the system..

    Procmon when start load a device driver in the kernel and that driver write in the paging file (unless you configured a capture file) and it log every access to the file system, to the registry and every events related to application start and dlls load.. it also capture network events via kernel tracing..

    So, I found almost impossible what are you seeing.. it should be exactly the opposite.. when you capture a trace it should take 25 seconds and without capturing it should take 5 seconds..

    Please review what have you seen because it should be the opposite.

    If you are looking for documentation, starts here:
    https://www.amazon.it/dp/B01MAU3YND/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

    HTH
    -mario 

    • Marked as answer by celtar1 Monday, July 29, 2019 7:38 PM
    • Unmarked as answer by celtar1 Monday, July 29, 2019 7:38 PM
    Monday, July 29, 2019 6:52 PM
  • Hi,

    thanks for your reply. I testet it again and again. With procmon capture on the batch with normal User "winword.exe" it is immediatly (5 sec) finished. Without procmon capture it tooks 25 sec.

    So it is for me impossible to look why the process tooks so long. I work for a week on that problem now and i have no idea on that strange thing.

    If i start the runas command as Administrator the batch tooks every time 2 sec. I think maybe it's a rights issue. But for security Issues it is not possible to do this batch as admin.

    Any Idea?

    Thanks again

    celtar




    • Edited by celtar1 Monday, July 29, 2019 7:52 PM
    Monday, July 29, 2019 7:47 PM
  • Can you please share the batch and the procmon log (without filtering)?

    I cannot think to anything right now that could improve the performance of a script while Procmon is running..

    Thanks
    -mario

     
    Monday, July 29, 2019 9:04 PM
  • Hi,

    link deleted

    log is ";" seperated (Excel 4)

    OS: Win2012R2

    Link deleted

    Thanks again

    celtar



    • Edited by celtar1 Tuesday, July 30, 2019 9:40 AM
    Tuesday, July 30, 2019 5:55 AM
  • Hi Celtar, 

    sorry but I'm lost with the Procmon log in csv format.. can you please take another log, without filtering, and save it in native .PML mode??

    Thanks!
    -mario

    Tuesday, July 30, 2019 7:47 AM
  • Hi,

    thanks again for your help. We decided to use another Tool (another batch for us - Procmon is great. This works perfect. If you are interested i will make a new procmon log with format pml but for us the problem is now solved. We dont want you to do yourself any unnecessary work.

    Thanks again for your assistence and :)

    celtar



    • Edited by celtar1 Tuesday, July 30, 2019 9:41 AM
    Tuesday, July 30, 2019 9:24 AM
  • ok, thanks!

    -mario

    Tuesday, July 30, 2019 10:44 AM