FortiEDR
Luke_FTNT
Staff
Article Id 210013
Description This article describes how to perform a Windows Procmon capture.
Scope FortiEDR.
Solution

Procmon (Process Monitor) is part of the Windows Sysinternals suite. It records file system, registry, process/thread and network activity in real time, which makes it a good way to investigate what is happening deep inside the Windows operating system.

This is a useful tool for troubleshooting application conflicts as well as performance degradation.

Procmon can be downloaded here:

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

How to Run a Procmon Capture.

1) Open Procmon.exe. Run it as administrator: Procmon loads a kernel driver and cannot capture without elevated rights.

2) Choose Options -> Profiling Events... and ensure Generate thread profiling events is selected with Every second.

procmon-1.png

3) Select File -> Capture Events (Ctrl+E).

procmon-2.png

4) Allow Procmon to run for fifteen to twenty minutes while the Collector is enabled and while the problem is reproduced, whether it is an application conflict or performance related. Note the exact time at which the problem occurs so that TAC can locate it in the capture.

5) Select File -> Save..., choose All events (not only the events displayed using the current filter) and the Native Process Monitor Format (PML), save the file with a .PML file extension and upload it to a ticket with FortiEDR TAC.
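The same capture can be run unattended from an elevated PowerShell session, which helps when the problem has to be reproduced on a server nobody is logged into. The script below is an added example and is not part of this article or a Fortinet tool; the Procmon download path, the output folder and the 20-minute window are assumptions. It uses Procmon's documented command-line switches only: /AcceptEula, /Quiet, /Minimized, /Profiling (the thread profiling setting from step 2), /BackingFile and /Terminate.

```powershell
# Unattended Procmon capture for a FortiEDR TAC case (added example, not a Fortinet tool).
# Assumptions: Procmon.exe is already downloaded to $ProcmonExe, the session is elevated,
# and a 20-minute window is enough to reproduce the problem.
param(
    [string]$ProcmonExe     = 'C:\Tools\Procmon.exe',      # assumed download location
    [string]$OutDir         = 'C:\Temp\FortiEDR-Procmon',  # assumed output folder
    [int]   $CaptureMinutes = 20
)

$ErrorActionPreference = 'Stop'

# Procmon loads a kernel driver, so it must run with administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}
if (-not (Test-Path -LiteralPath $ProcmonExe)) {
    throw "Procmon.exe not found at $ProcmonExe - download it from the Sysinternals page first."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $OutDir ('procmon-{0}-{1}.pml' -f $env:COMPUTERNAME, $stamp)

# /AcceptEula  - suppress the license dialog
# /Quiet       - do not prompt for filter configuration
# /Minimized   - start the window minimized
# /Profiling   - generate thread profiling events (the Options -> Profiling Events setting in step 2)
# /BackingFile - write events straight to the named .pml instead of the paging file
$procmonArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/Profiling', '/BackingFile', "`"$pml`"")
Start-Process -FilePath $ProcmonExe -ArgumentList $procmonArgs
$started = Get-Date
Write-Host ('Capture started {0:HH:mm:ss}; reproduce the problem now. Stopping in {1} minutes.' -f $started, $CaptureMinutes)
Start-Sleep -Seconds ($CaptureMinutes * 60)

# /Terminate tells the running instance to stop capturing and flush the backing file.
Start-Process -FilePath $ProcmonExe -ArgumentList @('/AcceptEula', '/Terminate') -Wait

if (-not (Test-Path -LiteralPath $pml)) { throw "Capture file was not written: $pml" }
$sizeBytes = (Get-Item -LiteralPath $pml).Length
Write-Host ('Capture complete: {0} ({1:N1} MB)' -f $pml, ($sizeBytes / 1MB))

# A 20-minute capture is usually hundreds of MB; zip it before attaching it to the ticket.
# Compress-Archive relies on .NET's ZipArchive, which is documented to fail above 2 GB.
if ($sizeBytes -lt 2GB) {
    $zip = [IO.Path]::ChangeExtension($pml, '.zip')
    Compress-Archive -LiteralPath $pml -DestinationPath $zip -CompressionLevel Optimal
    Write-Host "Upload $zip to the FortiEDR TAC ticket."
} else {
    Write-Warning "Capture is over 2 GB; compress $pml with another tool (for example 7-Zip) before uploading."
}
```

The /Profiling switch turns thread profiling events on; whether the interval is Every second or Every 100 milliseconds follows the setting last saved from the GUI, so set it once as in step 2 before relying on the script (this is an assumption about how Procmon persists the option). The 2 GB check exists because Compress-Archive in Windows PowerShell 5.1 is limited by the underlying .NET API; a larger .pml has to be zipped with another tool.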
Boot Logging.

If the issue being experienced happens during or very shortly after bootup, boot logging will need to be configured in Procmon first.

Fortinet TAC will be able to advise if this should be enabled. For reference, the default setting is disabled.

To enable boot logging:

1) Open Procmon.exe (as administrator) and choose Options -> Enable Boot Logging.

2) A small window will appear asking about the thread profiling events. Ensure Generate thread profiling events is enabled with Every second selected:

procmon-thread-profiling-events.png

3) Restart the computer and allow the issue to reproduce itself. Ideally wait for ten to fifteen minutes before performing any activities. The boot log keeps recording until Procmon is opened again or the system shuts down, so do not leave the machine running for hours before collecting it, or the log will become very large.

4) Open Procmon.exe. A popup window will appear stating 'A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?' Choose Yes and save the file to a local folder with the .PML extension.

5) Upload this .PML file to Fortinet TAC for further analysis.