Capture Process Monitor Boot Logging Remotely

Article ID: CTX216389

Description

This article outlines the steps for collecting a Process Monitor boot log from a machine that cannot be reached over RDP or the console because of startup issues.


Instructions

  1.  Enable Boot Logging in Process Monitor on the PVS vDisk
    1.  Log in using an account with administrative privileges (the local Administrator account is recommended).
    2.  Navigate to the folder that ProcessMonitor.zip was extracted to (e.g. C:\monitor).
    3.  Double-click the file "Procmon.exe".
    4.  Click the "Capture" icon to stop the capture process.
    5.  The Capture icon now shows a red X over it, meaning that the program is no longer capturing events.
    6.  Open the "Options" menu and select "Enable Boot Logging".
    7.  A dialog box appears stating "Process Monitor is configured to log activity during the next boot". Click "OK", then close the program.
    8.  Reboot the system.
  2.  Once the machine is available, log in and wait for the issue to reproduce. Process Monitor stores the events captured since boot in C:\Windows\procmon.pmb on the VDA; collect that file remotely to your workstation. Copying through the C$ administrative share requires an account with local administrator rights on the VDA. You can use PowerShell on your workstation to do this:
    1.  Copy-Item '\\<VDA_NAME>\c$\Windows\procmon.pmb' '<LOCATION ON YOUR REMOTE MACHINE>'
    2.  Or, if possible, browse to the file through the C$ share in File Explorer and copy it to your workstation from there.
  3.  Now we need to "trick" the Process Monitor on your remote workstation into opening the procmon.pmb file and converting it to PML
    1.  Copy the procmon.pmb file into C:\Windows on your remote workstation. Copy, do not move: Process Monitor deletes this file from C:\Windows once the conversion is complete, so keep the original until you have verified that the PML file is correct.
    2.  Launch Procmon on your remote workstation.
    3.  A dialog box appears stating "A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data?"
    4.  Click "Yes" to save the collected data.
    5.  The Save As dialog box opens.
    6.  Enter the desired name for the output (e.g. bootlog.pml) in the "File name" field and click "Save".
    7.  As soon as you click "Save", a progress bar reports the boot-time event conversion.
    8.  After the boot-time event data has been converted, Process Monitor applies the event filter.
    9.  After the event filter has been applied, Process Monitor returns to the default console. Note that the Capture icon shows as disabled.
    10. The folder containing Procmon.exe now contains bootlog.pml as well as several numbered continuation files (e.g. bootlog-1.pml, bootlog-2.pml, etc.).
    11. Collect all .pml files into a ZIP archive called "ProcMonBootLog.zip" and upload it to CIS.citrix.com, referencing your case number.
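
The following PowerShell is an added example, not code from this article or from Citrix or Sysinternals. It performs the remote collection in step 2, the staging into C:\Windows in step 3.1 and the final ZIP in step 3.11, with the checks a practitioner would want in between: it confirms the boot log exists on the VDA, keeps a pristine copy outside C:\Windows (because Process Monitor deletes the C:\Windows copy after conversion), verifies the copy by SHA256 so a file that changed while it was being read is caught, and refuses to overwrite a boot log the workstation may have produced for itself. The function names, the VDA name VDA01, the staging folder C:\CitrixCase and the Procmon folder C:\monitor are assumptions; the account running it is assumed to be a local administrator on the VDA (required for the C$ share) and on the workstation (required to write into C:\Windows).

```powershell
# Added example; not part of the Citrix article and not Citrix or Sysinternals code.
# Assumptions (placeholders): VDA name, staging folder and Procmon folder are supplied
# by the caller, who is a local administrator on the VDA (C$ share) and on the
# workstation (writing into C:\Windows).

function Get-VdaBootLog {
    param(
        [Parameter(Mandatory = $true)][string]$VdaName,
        [string]$StagingDir = 'C:\CitrixCase'   # assumed staging location; change as needed
    )
    $source = "\\$VdaName\c$\Windows\procmon.pmb"   # where Procmon writes the boot log on the VDA
    $staged = Join-Path $StagingDir 'procmon.pmb'
    $target = 'C:\Windows\procmon.pmb'              # where the local Procmon looks for a boot log

    if (-not (Test-Path -LiteralPath $source)) {
        throw "No boot log at $source. Was boot logging enabled on the vDisk before the last reboot?"
    }
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null

    # Keep a pristine copy outside C:\Windows: Procmon deletes the C:\Windows copy after conversion.
    Copy-Item -LiteralPath $source -Destination $staged -Force

    # Verify the copy before trusting it; a mismatch means the file changed while it was being read.
    $srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "SHA256 mismatch after copy (source $srcHash, staged $dstHash). Retry the copy."
    }

    # Do not overwrite a boot log this workstation may have produced for itself.
    if (Test-Path -LiteralPath $target) {
        throw "$target already exists on this workstation. Convert or remove it first."
    }
    Copy-Item -LiteralPath $staged -Destination $target

    [pscustomobject]@{ Staged = $staged; Target = $target; Sha256 = $dstHash }
}

function New-BootLogArchive {
    param(
        [Parameter(Mandatory = $true)][string]$ProcmonDir,  # folder holding Procmon.exe and the saved .pml files
        [string]$StagingDir = 'C:\CitrixCase'
    )
    $pml = Get-ChildItem -LiteralPath $ProcmonDir -Filter '*.pml' -File
    if (-not $pml) { throw "No .pml files in $ProcmonDir; run Procmon and save the boot log first." }

    # The converted log is split across bootlog.pml and its numbered continuations; ship all of them.
    $zip = Join-Path $StagingDir 'ProcMonBootLog.zip'
    Compress-Archive -LiteralPath $pml.FullName -DestinationPath $zip -Force
    Get-Item -LiteralPath $zip
}

# Usage (placeholder names):
# Get-VdaBootLog -VdaName 'VDA01'            # then launch Procmon.exe and save the log as bootlog.pml
# New-BootLogArchive -ProcmonDir 'C:\monitor' # zips every .pml next to Procmon.exe into ProcMonBootLog.zip
```

Run Get-VdaBootLog first, launch Procmon.exe on the workstation and answer "Yes" to the boot-log prompt, then run New-BootLogArchive and upload the resulting ProcMonBootLog.zip. If the hash check fails, the VDA was still appending to procmon.pmb during the copy; let the issue finish reproducing and copy again rather than converting a partial file.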
