How to collect remote Procmon traces

Article ID: CTX232699
Description

This article describes how to collect Process Monitor (Procmon) traces from a remote machine by using PsExec.
Instructions

In this example the local machine is referred to as "A" and the remote machine (the one we want to collect logs from) as "B".

  1. Download the PsExec tool on machine A (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
  2. Download Procmon on machine B (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon).
  3. On machine A, run Cmd as Administrator, navigate to the folder where you downloaded the PsExec tool, and run:

         PsExec.exe \\<Hostname or IP of machine B> cmd.exe

     Example:

         C:\Users\Administrator\Downloads\PSTools>PsExec.exe \\10.107.141.16 cmd.exe

  4. In the remote command prompt, navigate to the folder where you downloaded the Procmon tool:

         C:\Users\Administrator\Downloads\PSTools>PsExec.exe \\10.107.141.16 cmd.exe

         PsExec v2.2 - Execute processes remotely

         C:\Windows\system32>cd c:\processmonitor

  5. Run the command below (NOTE: the command needs to be run twice):

         c:\ProcessMonitor>procmon.exe -accepteula /backingfile c:\log.pml /quiet

         c:\ProcessMonitor>procmon.exe -accepteula /backingfile c:\log.pml /quiet

  6. Reproduce the issue.
  7. Run the command below to stop the Procmon trace (NOTE: the command needs to be run twice):

         c:\ProcessMonitor>procmon.exe /terminate

         c:\ProcessMonitor>procmon.exe /terminate

  8. Close the Procmon session by running the "exit" command:

         c:\ProcessMonitor>exit

         cmd.exe exited on 10.107.141.16 with error code 0.

     NOTE: The error code should be "0".

  9. Wait a couple of minutes; it takes a while for Procmon to shut down properly.
  10. After that, the log file (c:\log.pml in this example) is available on machine "B". If any Procmon process is still running on machine B, you can end it.
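The steps above as a pair of PowerShell functions run from machine A. This is an added example, not code from the Citrix article or from Sysinternals. Assumptions that are not in the article: the PsExec.exe path on A, that Procmon.exe is already on B in the folder given by -ProcmonDir, that the caller is a local administrator on B, and that the C$ administrative share on B is reachable so the .pml can be copied back. The start command is issued once with PsExec's -d switch (return as soon as the process is launched); the article runs it twice in an interactive session, so the function checks that the backing file appears on B and tells you to repeat the command if it does not.

```powershell
# Added example (not part of the Citrix article). Wraps the PsExec/Procmon procedure
# for collecting a trace from remote machine "B" while sitting on machine "A".
# Paths below are assumptions; adjust them to where PsExec.exe and Procmon.exe live.

function Start-RemoteProcmonTrace {
    param(
        [Parameter(Mandatory)][string]$ComputerName,                  # machine "B" (host name or IP)
        [string]$ProcmonDir  = 'C:\ProcessMonitor',                   # folder holding Procmon.exe on B (assumed)
        [string]$BackingFile = 'C:\log.pml',                          # trace file written on B
        [string]$PsExec      = 'C:\Users\Administrator\Downloads\PSTools\PsExec.exe'   # on A (assumed)
    )
    $procmon = Join-Path $ProcmonDir 'Procmon.exe'

    # -d makes PsExec return right after launching Procmon instead of waiting for it
    # to exit, so the capture keeps running on B while we go and reproduce the issue.
    # (With -d, PsExec's own exit code is the remote process ID, not 0, so it is not
    # checked here; the existence of the backing file is the real success signal.)
    & $PsExec "\\$ComputerName" -accepteula -d $procmon -accepteula /backingfile $BackingFile /quiet

    # Give Procmon a few seconds to load its driver and open the backing file, then
    # look for the file through the admin share: C:\log.pml -> \\B\C$\log.pml
    Start-Sleep -Seconds 5
    $remoteLog = "\\$ComputerName\" + $BackingFile.Replace(':', '$')
    if (-not (Test-Path $remoteLog)) {
        Write-Warning "Backing file $remoteLog not visible yet; rerun the start command, as the article notes it may need to run twice."
        return $false
    }
    Write-Host "Procmon is capturing to $BackingFile on $ComputerName. Reproduce the issue now."
    return $true
}

function Stop-RemoteProcmonTrace {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ProcmonDir  = 'C:\ProcessMonitor',
        [string]$BackingFile = 'C:\log.pml',
        [string]$PsExec      = 'C:\Users\Administrator\Downloads\PSTools\PsExec.exe',
        [string]$Destination = "$env:USERPROFILE\Desktop"             # where the .pml is copied on A (assumed)
    )
    $procmon = Join-Path $ProcmonDir 'Procmon.exe'

    # /terminate tells the running Procmon instance on B to stop capturing and flush
    # the log. Without -d PsExec waits and returns the remote exit code; the article
    # expects 0 at this point.
    & $PsExec "\\$ComputerName" -accepteula $procmon /terminate
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "procmon /terminate returned exit code $LASTEXITCODE (expected 0)"
    }

    # Procmon takes a while to shut down cleanly (article step 9). Poll the remote
    # process list (Procmon.exe / Procmon64.exe) instead of sleeping a fixed time.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $running = Get-CimInstance Win32_Process -ComputerName $ComputerName `
                     -Filter "Name LIKE 'Procmon%'" -ErrorAction SilentlyContinue
    } while ($running -and (Get-Date) -lt $deadline)
    if ($running) {
        Write-Warning "Procmon is still running on $ComputerName after 5 minutes; end it manually (article step 10)."
    }

    # Copy the finished trace from B's admin share to A and return the local path.
    $remoteLog = "\\$ComputerName\" + $BackingFile.Replace(':', '$')
    Copy-Item -Path $remoteLog -Destination $Destination -ErrorAction Stop
    return (Join-Path $Destination (Split-Path $BackingFile -Leaf))
}

# Usage (the IP is the article's lab example):
#   Start-RemoteProcmonTrace -ComputerName 10.107.141.16
#   ... reproduce the issue on machine B ...
#   $pml = Stop-RemoteProcmonTrace -ComputerName 10.107.141.16
#   Open $pml in Procmon on machine A (File > Open).
```

The polling step needs WMI/CIM access to B (DCOM or WinRM) in addition to the SMB access PsExec already requires; if that is not available, replace the loop with the fixed wait the article describes. Keep in mind that a .pml file records every file, registry and process event on B, including command lines, so treat the copied trace as sensitive data and delete it from the shared location once it has been analysed.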

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Additional Information

User-added image
The above screenshot and IP details are from a Citrix internal lab machine.