Hi,
for debugging purposes it is sometimes necessary to enable the boot logging feature of Sysinternals Procmon.
But boot logging can only be enabled from the GUI, and it records only one boot: if the system boots several times, Procmon captures the next boot only and the later ones are lost.
So you need to inject Procmon just before the boot you actually want to log.
Required files are Procmon.exe and the related procmon24.sys driver. You can obtain procmon24.sys by starting Procmon on another machine and copying it from the C:\Windows\System32\drivers folder. Note that procmon24.sys has the hidden attribute set, so copy it with xcopy /h. The number in the driver name changes between Procmon releases, so check which PROCMONnn.SYS your Procmon version drops and use that name consistently in the registry file below.
C:\> xcopy /h C:\Windows\System32\drivers\PROCMON24.SYS C:\temp
To automate the process, copy all files to a network share:
C:\myShare> dir
26.10.2022 19:50         5.216.168 Procmon.exe
11.04.2023 04:36            80.264 PROCMON24.SYS
26.10.2022 19:50         2.691.488 Procmon64.exe
To inject the Procmon driver, the registry of the offline Windows installation must get a driver (service) entry and the driver file must be copied to C:\Windows\System32\drivers. The Procmon executables should also be copied, so that you can stop boot logging and save the events to a file after logon.
Create a registry file Procmon_boot_winpe_insert.reg within C:\myShare. The __temp__hive__ key is where the SYSTEM hive of the Windows installation must be loaded to. The file targets ControlSet001; after loading the hive, check the Current value under HKEY_LOCAL_MACHINE\__temp__hive__\Select and change the ControlSet number in the key paths if the installation boots from a different control set.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\__temp__hive__\ControlSet001\Services\PROCMON24]
"SupportedFeatures"=dword:0009c26c
"Start"=dword:00000000
"Group"="FSFilter Activity Monitor"
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,50,00,52,00,4f,00,43,00,4d,00,4f,\
  00,4e,00,32,00,34,00,2e,00,53,00,59,00,53,00,00,00

[HKEY_LOCAL_MACHINE\__temp__hive__\ControlSet001\Services\PROCMON24\Instances]
"DefaultInstance"="Process Monitor 24 Instance"

[HKEY_LOCAL_MACHINE\__temp__hive__\ControlSet001\Services\PROCMON24\Instances\Process Monitor 24 Instance]
"Altitude"="385200"
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\__temp__hive__\ControlSet001\Services\PROCMON24\Parameters]
"ThreadProfiling"=dword:00989680
"RuntimeSeconds"=dword:ff676980
and a simple batch file install_procmon.cmd to do all the tasks :-). Adjust the WINDOWS_INSTALLATION_DRIVE variable to the drive where Windows is installed. This depends on the order in which Windows PE enumerates the partitions (when multiple disks are installed). Usually it is C: or D:.
The batch file copies the files, loads the SYSTEM hive of the Windows installation to HKLM\__temp__hive__, applies the registry file and unloads the hive again.
@echo off
rem Drive letter that Windows PE assigned to the Windows installation
set WINDOWS_INSTALLATION_DRIVE=C:

rem Copy the Procmon executables so boot logging can be stopped after logon
mkdir "%WINDOWS_INSTALLATION_DRIVE%\Program Files\procmon"
copy /y "%~dp0procmon*" "%WINDOWS_INSTALLATION_DRIVE%\Program Files\procmon"

echo Copy driver
copy /y "%WINDOWS_INSTALLATION_DRIVE%\Program Files\procmon\PROCMON24.SYS" "%WINDOWS_INSTALLATION_DRIVE%\Windows\System32\drivers"

rem Load the offline SYSTEM hive, add the driver service entry, then unload so the hive is written back cleanly
reg load HKLM\__temp__hive__ "%WINDOWS_INSTALLATION_DRIVE%\Windows\System32\config\SYSTEM"
regedit /s /u "%~dp0Procmon_boot_winpe_insert.reg"
reg unload HKLM\__temp__hive__
Boot Windows PE, map the network share and execute the batch file:
X:\> net use \\myComputer\myShare /user:myDomain\myUser
X:\> \\myComputer\myShare\install_procmon.cmd
\\myComputer\myShare\Procmon.exe
\\myComputer\myShare\PROCMON24.SYS
\\myComputer\myShare\Procmon64.exe
\\myComputer\myShare\Procmon_boot_winpe_insert.reg
...
and reboot the system. After you log on to the system, run
C:\> "C:\Program Files\procmon\Procmon.exe"
to stop boot logging and save the Procmon log file (Procmon detects the pending boot log and offers to save it as a .PML file).
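As an added example, not part of the original post or of Sysinternals, here is a PowerShell variant of install_procmon.cmd that reads the active control set from Select\Current instead of hard-coding ControlSet001, writes the same service values as the .reg file above, and releases the hive properly before unloading. It assumes a Windows PE image built with the WinPE-PowerShell optional component, that the share is already mapped with net use, and that the script (name install_procmon.ps1 is my choice) sits next to Procmon.exe, Procmon64.exe and PROCMON24.SYS on that share.

```powershell
<#
  Added example (not the post's own script): PowerShell variant of install_procmon.cmd.
  Assumptions: WinPE with the WinPE-PowerShell component, share already mapped, and this
  script stored next to Procmon.exe, Procmon64.exe and PROCMON24.SYS (see $Source).
#>
param(
    [string]$WindowsDrive = 'C:',          # drive letter WinPE assigned to the Windows installation
    [string]$Source       = $PSScriptRoot  # folder holding Procmon*.exe and PROCMON24.SYS
)
$ErrorActionPreference = 'Stop'

$hiveFile  = Join-Path $WindowsDrive 'Windows\System32\config\SYSTEM'
$driverDst = Join-Path $WindowsDrive 'Windows\System32\drivers\PROCMON24.SYS'
$toolDir   = Join-Path $WindowsDrive 'Program Files\procmon'
$mount     = 'HKLM\__temp__hive__'

if (-not (Test-Path $hiveFile)) {
    throw "No SYSTEM hive at $hiveFile - wrong drive letter, or a BitLocker volume that is still locked?"
}

# 1. Stage the executables and the (hidden) driver file on the offline installation
New-Item -ItemType Directory -Force -Path $toolDir | Out-Null
Copy-Item -Path (Join-Path $Source 'Procmon*') -Destination $toolDir -Force
Copy-Item -Path (Join-Path $Source 'PROCMON24.SYS') -Destination $driverDst -Force

# 2. Load the offline SYSTEM hive; reg.exe is a native command, so check its exit code explicitly
reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # 3. Pick the control set that will actually boot: Select\Current names it (1 -> ControlSet001, ...)
    $current = (Get-ItemProperty -Path 'HKLM:\__temp__hive__\Select').Current
    $svc     = 'HKLM:\__temp__hive__\ControlSet{0:D3}\Services\PROCMON24' -f $current

    # 4. Same values as Procmon_boot_winpe_insert.reg. ImagePath is REG_EXPAND_SZ, which the .reg file
    #    spells out as hex(2) UTF-16LE bytes and the registry provider calls ExpandString.
    New-Item -Path $svc -Force | Out-Null
    New-ItemProperty -Path $svc -Name SupportedFeatures -PropertyType DWord -Value 0x0009c26c -Force | Out-Null
    New-ItemProperty -Path $svc -Name Start -PropertyType DWord -Value 0 -Force | Out-Null   # SERVICE_BOOT_START
    New-ItemProperty -Path $svc -Name Group -PropertyType String -Value 'FSFilter Activity Monitor' -Force | Out-Null
    New-ItemProperty -Path $svc -Name Type -PropertyType DWord -Value 1 -Force | Out-Null    # SERVICE_KERNEL_DRIVER
    New-ItemProperty -Path $svc -Name ImagePath -PropertyType ExpandString -Value 'System32\Drivers\PROCMON24.SYS' -Force | Out-Null

    $inst     = Join-Path $svc 'Instances'
    $instName = 'Process Monitor 24 Instance'
    New-Item -Path $inst -Force | Out-Null
    New-ItemProperty -Path $inst -Name DefaultInstance -PropertyType String -Value $instName -Force | Out-Null
    $instKey = Join-Path $inst $instName
    New-Item -Path $instKey -Force | Out-Null
    New-ItemProperty -Path $instKey -Name Altitude -PropertyType String -Value '385200' -Force | Out-Null
    New-ItemProperty -Path $instKey -Name Flags -PropertyType DWord -Value 0 -Force | Out-Null

    $params = Join-Path $svc 'Parameters'
    New-Item -Path $params -Force | Out-Null
    New-ItemProperty -Path $params -Name ThreadProfiling -PropertyType DWord -Value 0x00989680 -Force | Out-Null
    New-ItemProperty -Path $params -Name RuntimeSeconds -PropertyType DWord -Value 0xff676980 -Force | Out-Null

    # 5. Read back what the next boot will use
    Get-ItemProperty -Path $svc | Select-Object PSPath, Start, Type, Group, ImagePath | Format-List
}
finally {
    # 6. The registry provider keeps handles on the loaded hive; drop them first, otherwise reg unload
    #    reports "access denied" and the hive stays mounted (and dirty) when WinPE reboots
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed (exit $LASTEXITCODE); unload by hand before rebooting" }
}
```

Run it from the WinPE prompt as `powershell -ExecutionPolicy Bypass -File \\myComputer\myShare\install_procmon.ps1 -WindowsDrive D:` when the installation did not land on C:. The Select\Current lookup is the one check the .reg approach cannot do for you; everything else mirrors the batch file.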
Michael