how to enable procmon boot logging for every boot?

windows procmon

I know process monitor has the "enable boot logging" function.

but that only takes effect for next boot.

is there a way to enable boot logging for every boot in the future?


I'm not aware of a regular way to permanently enable boot logging, but it seems that boot logging is controlled by two registry values in the Procmon driver configuration. Perhaps (re-)creating these values (e.g. with a startup script) will do what you want:

if not exist %SystemRoot%\System32\Drivers\PROCMON23.sys copy PROCMON23.sys %SystemRoot%\System32\Drivers\
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v ImagePath /t REG_SZ /d "System32\Drivers\PROCMON23.sys" /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Start /t REG_DWORD /d 0x0 /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Type /t REG_DWORD /d 0x1 /f

However, before trying something like that, I'd first try "regular" monitoring (without boot logging). Start Process Monitor once and configure it to monitor only access to the hosts file (Filter → Filter...). Export that configuration to the file C:\hosts.pmc (File → Export Configuration...). Then run something like this in a startup script:

procmon /LoadConfig C:\hosts.pmc /BackingFile C:\hosts_%DATE:/=-%.pml /Quiet > C:\hosts.log 2>&1

That will start Process Monitor with the exported configuration (/LoadConfig C:\hosts.pmc), start monitoring without prompting for confirmation of filter settings (/Quiet), and log the recorded events to a log file with the current date (/BackingFile C:\hosts_%DATE:/=-%.pml). The expression %DATE:/=-% produces the current date with forward slashes / replaced by hyphens -. If your date format is not MM/DD/YYYY you'll have to modify this expression accordingly.

Startup scripts can be configured in various ways (Run keys in the registry, scheduled tasks, group policies, ...). See the answers to this question on StackOverflow for an overview.


Adam Collett/adjman666 wrote a vbscript to do it and posted it to the sysinternals forums.. For this to work \server\procmon share will need to have sharing and file permissions set so that "Domain Computers" can read from that location, otherwise the script will error with an "Access Denied" message.

'Script to enable boot logging in Process Monitor at every shutdown to ensure we capture all activity, every time.

'Declare the objects used in the script
Dim objFSO, objShell, objRegistry

'Declare the variables used in the script
Dim strProcmon20KeyPath, strInstancesKeyPath, strPMIKeyPath, strStartValueName, strGroupValueName, strTypeValueName, strImagePathValueName
Dim strDefInstanceValueName, strAltitudeValueName, strFlagsValueName, strComputer

'Declare the constants used in the script
Const HKEY_LOCAL_MACHINE = &H80000002

'Create our FileSystem, Shell and Registry objects
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell=WScript.CreateObject("WScript.Shell")
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

'Set all variables ready for use

strProcmon20KeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\"
strInstancesKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\"
strPMIKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance\"

strStartValueName = "Start"
strGroupValueName = "Group"
strTypeValueName = "Type"
strImagePathValueName = "ImagePath"
strDefInstanceValueName = "DefaultInstance"
strAltitudeValueName = "Altitude"
strFlagsValueName = "Flags"

'Check for the Process Monitor Executable, copy it in if not already on the system.
If not objFSO.FileExists("C:\Windows\System32\procmon.exe") Then
  objFSO.CopyFile "\\server\procmon\procmon.exe", "C:\Windows\System32\", true
End If

'Now import the registry settings, one at a time
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strStartValueName, "0", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strGroupValueName, "FSFilter Activity Monitor", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strTypeValueName, "1", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strImagePathValueName, "System32\Drivers\PROCMON20.SYS", "REG_EXPAND_SZ"

objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strInstancesKeyPath & strDefInstanceValueName, "Process Monitor Instance", "REG_SZ"

objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strAltitudeValueName, "385200", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strFlagsValueName, "0", "REG_DWORD"

'Now copy over the PROCMON20.SYS file to the C:\Windows\System32\Drivers folder

If not objFSO.FileExists("C:\Windows\System32\Drivers\PROCMON20.SYS") Then
  objFSO.CopyFile "\\server\procmon\PROCMON20.SYS", "C:\Windows\System32\Drivers\", true
End If

'End of Script

Related

Policy Based Routing - DD-WRT
Does a USB-C graphic adapter need as much CPU power as a USB 3.0 adapter does?
Explorer.exe high CPU - accessing zips on a network share
Is there a way to show only specific values in x-axis of an excel chart?
ls working strangely
How To Set Multicast Rate On Apple AirPort Extreme
LSA (LsaSrv) "The security package Kerberos generated an exception. The exception information is the data." caused by NPS
Internet connection fails in Ubuntu on VirtualBox when virtual machine is created from "Import appliance"
Expectations for NTFS file recovery
Can I setup two RAID arrays on a single intel z97 controller?
Why does "Windows Games Explorer" attempt to access the internet whenever I launch a game?
Why doesn't usual Drag&Drop work in Windows 10?