Setting ProcMon to run at a lower altitude to capture other filter drivers

Article ID: CTX222210

Description

Procmon is usually used to work out what is happening on a machine, but by default you do not see the activity of filter drivers such as virus scanners and the Unidesk/App Layering filter (unifiltr), because they sit at a lower altitude in the filter stack than the Procmon filter and their I/O never reaches it. Procmon has a setting that lets its filter run below those drivers. Because Unidesk and App Layering machines are normally nonpersistent, you also need to get Procmon's settings in place without rebooting the VM.

Resolution


You need to change the "Altitude" at which the Procmon filter loads, placing it lower in the filter stack. The filter manager orders minifilters by altitude, and a filter with a lower altitude sits closer to the file system, so it sees I/O after every higher filter (anti-virus, unifiltr) has handled it, including the I/O those filters generate themselves. Once Procmon is moved down, its capture includes the activity of any filter driver above it, including Unidesk. To change the altitude of Procmon, follow the steps below (after installing Procmon, which is usually nothing more than copying it to the machine and running it once so that its driver and registry keys are created).

Note: the following example assumes that the Procmon registry data lives in a service key called PROCMON20. This key name changes with each version of Procmon (PROCMON23, PROCMON24, and so on), so check which PROCMONxy key exists under Services before you start.

1. Open regedit.

2. Navigate to the HKLM\System\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance key.

3. Change the Altitude value to 45100. Procmon's default altitude (385200) is near the top of the stack in the Activity Monitor range; 45100 falls in the FSFilter Bottom range (40000-49999), below anti-virus and layering filters, which is why it shows you virtually everything that is happening on the machine.

4. You must also change the security on the "Process Monitor Instance" key and add Deny entries for Everyone for "Delete" and "Set Value". Procmon rewrites the altitude back to its default each time it starts, and the deny entries stop it from doing so. You will have to uncheck "Include inheritable permissions" (disable inheritance) on that key in order to add the deny entries at the Process Monitor Instance level.

5. If you had already started Procmon on this machine before making these changes, its driver is already loaded at the original altitude and you will need to restart the machine. If not, you should be able to just start Procmon.

6. From an elevated command prompt, run the command fltmc instances and verify that the Procmon filter instance is listed at the altitude you set.

Then do whatever it is that you need to capture. Your capture will be even larger than normal.

NOTE: Doing this on a nonpersistent (NP) machine is a little tricky. You need to export the Procmon registry keys from some other machine and import them on the NP machine before you run Procmon. If you do not prepopulate the whole HKLM\System\CurrentControlSet\Services\PROCMONxy tree, you have to reboot in step 5, and a reboot is not useful on an NP machine because the change is lost. So export that key on another machine (or on the same machine before it reboots), and when you are ready to run this on an NP machine:

1. Run RegEdit as Administrator

2. Import the REG file you got from an existing PROCMONxy system

3. Do steps 3, 4 and 6.
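The following PowerShell script is an added example and is not part of the Citrix article; it automates steps 2, 3, 4 and 6 above, and optionally the REG file import used on a nonpersistent machine. It assumes an elevated session, that Procmon's service key is named PROCMON followed by digits (PROCMON20 in the article), and that the filter manager lists the instance under that same service name in fltmc output. The $RegFile path and the choice to locate the key by pattern rather than hard-coding PROCMON20 are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Citrix article). Lowers the Procmon filter altitude,
# locks the value against Procmon resetting it, and verifies it with fltmc.
param(
    [string]$Altitude = '45100',   # value recommended by the article
    [string]$RegFile  = ''         # optional: exported PROCMONxy tree for NP machines
)

# NP case, step 2 of the note: import the PROCMONxy tree before Procmon ever runs.
if ($RegFile -and (Test-Path $RegFile)) {
    reg.exe import $RegFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $RegFile failed" }
}

# Step 2: find the Procmon service key without hard-coding the version suffix.
$svc = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
       Where-Object { $_.PSChildName -match '^PROCMON\d+$' } |
       Select-Object -First 1
if (-not $svc) { throw 'No PROCMONxy service key found. Run Procmon once (or import a REG file) first.' }

$instKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.PSChildName)\Instances\Process Monitor Instance"
if (-not (Test-Path $instKey)) { throw "Instance key not found: $instKey" }

# Step 3: set the altitude. This must happen before the deny ACEs are added,
# because the Everyone/Deny entry below blocks this script's own writes too.
Set-ItemProperty -Path $instKey -Name Altitude -Value $Altitude -Type String

# Step 4: disable inheritance (keeping the inherited entries as explicit ones),
# then deny Everyone "Set Value" and "Delete" so Procmon cannot reset the value.
$acl = Get-Acl -Path $instKey
$acl.SetAccessRuleProtection($true, $true)
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$deny = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $instKey -AclObject $acl

# Confirm the registry side took effect.
$stored = (Get-ItemProperty -Path $instKey -Name Altitude).Altitude
if ($stored -ne $Altitude) { throw "Altitude is $stored, expected $Altitude" }
"Registry: $($svc.PSChildName) instance altitude = $stored, deny ACEs applied"

# Step 6: once Procmon is running, the filter manager should list the instance
# at the requested altitude. The filter column carries the service name.
$line = fltmc.exe instances | Where-Object { $_ -match "^\s*$($svc.PSChildName)\b" }
if ($line -and ($line -match "\b$Altitude\b")) {
    "fltmc: $($svc.PSChildName) is loaded at altitude $Altitude"
} else {
    Write-Warning "fltmc does not show $($svc.PSChildName) at $Altitude. Start Procmon (or reboot if it was already started) and re-run 'fltmc instances'."
}
```

Run the script once before starting Procmon on a persistent machine (or after importing the exported REG file on a nonpersistent one), then start Procmon and run it again, or just run fltmc instances, to confirm the loaded altitude. To undo the change later, remove the two deny entries from the key's ACL and start Procmon, which will write its default altitude back.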